I have a situation, and I do not believe I am the only one in the universe who wants a solution like this. But still I can't find any answer to my question.
I have a pretty standard topology with some central datacenters and remote branch offices. In the branch offices I have a WAN connecting to the datacenters and a local internet breakout for accessing the Internet without using WAN bandwidth.
But guest networks are centrally switched, authenticated by a guest portal in ISE and granted access to the Internet through a separate firewall. The interfaces in the WLC and the ISE are in a VRF separate from my production network, to make sure it is totally separated.
Now I want to use local switching for the guest networks too. Why would I spend precious WAN bandwidth on guests? But I still need to authenticate via a captive portal. I have tried to read up on local switching and central authentication, but as I see it the central authentication does not mean a captive portal for guests. I can route to the ISE over the WAN, but that means I have to include the local guest networks in the routing tables, and I don't want that. I want it totally separated. And I can't route multiple VRFs over the WAN, or if I could, I would have to allocate bandwidth from the MPLS to do that.
So I want local switching of data traffic, and central authentication towards a captive portal going through CAPWAP.
Does anyone have any information on how I can get this?
Let's assume some things:
You are moving from local switching to FlexConnect. This means your clients are going to get IP addresses locally and they need to talk with your ISE in the data center.
Your AP needs to be in trunk mode and to have a native VLAN to talk with the WLC on the management interface and a data VLAN to send traffic on the local network.
WLAN-to-VLAN mapping will be required on the AP or FlexConnect group.
Take a close look at the following document and see if it helps.
For your solution, you can consider having two VLANs for your branch. One that will allow you to route only to the ISE/DNS when authenticating, and one VLAN that will be applied in your change of authorization to move users to this VLAN, which will route them out to the local internet breakout.
Keep in mind you will need to enable VLAN DHCP Release as per the document below.
I think you might need "FlexConnect VLAN Based Central Switching" feature.
You can let the traffic go "central" or "local" according to your needs.
If the VLAN is returned as one of the AAA attributes and that VLAN is not present in the FlexConnect AP database, traffic will switch centrally and the client is assigned this VLAN/Interface returned from the AAA server provided that the VLAN exists on the WLC.
If the VLAN is returned as one of the AAA attributes and that VLAN is not present in the FlexConnect AP database, traffic will switch centrally. If that VLAN is also not present on the WLC, the client will be assigned a VLAN/Interface mapped to a WLAN on the WLC.
If the VLAN is returned as one of the AAA attributes and that VLAN is present in the FlexConnect AP database, traffic will switch locally.
If the VLAN is not returned from the AAA server, the client is assigned a WLAN mapped VLAN on that FlexConnect AP and traffic is switched locally.
Please refer to the link below for more information.
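To make the four FlexConnect VLAN-based central switching rules above concrete, and to show how the two-VLAN design with a change of authorization from the earlier reply fits into them, here is an added Python model. It is not Cisco code or anything from the linked document; the VLAN numbers (110 for the pre-authentication VLAN, 120 for the post-CoA breakout VLAN, 30 and 40 for VLANs that exist only on the WLC or nowhere) and the helper names are constructed for the example. The useful part for the original question is the audit at the end: any VLAN that ISE can return for guests but that is missing from the FlexConnect AP's VLAN database silently pulls that client's traffic back to central switching over the WAN, which is exactly what the asker wants to avoid.

```python
"""Model of FlexConnect VLAN-based central switching decisions.

Added example; not Cisco's code. The rules are the four cases stated in
the reply above: where the client's traffic is switched, and which VLAN
it lands in, depends on whether the AAA server returns a VLAN and on
where that VLAN is known (FlexConnect AP database, WLC, or neither).
"""
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass(frozen=True)
class Decision:
    switching: str   # "local" or "central"
    vlan: int        # VLAN/interface the client is finally placed in
    reason: str


def decide(aaa_vlan: Optional[int],
           ap_vlans: set,
           wlc_vlans: set,
           ap_wlan_vlan: int,
           wlc_wlan_vlan: int) -> Decision:
    """Apply the four rules from the reply.

    aaa_vlan      VLAN returned as an AAA attribute, or None if none returned
    ap_vlans      VLANs present in the FlexConnect AP (or group) database
    wlc_vlans     VLANs/interfaces configured on the WLC
    ap_wlan_vlan  WLAN-to-VLAN mapping on the FlexConnect AP
    wlc_wlan_vlan VLAN of the interface mapped to the WLAN on the WLC
    """
    if aaa_vlan is None:
        # Rule 4: no VLAN from AAA -> AP's WLAN mapping, switched locally.
        return Decision("local", ap_wlan_vlan, "no AAA VLAN; AP WLAN mapping")
    if aaa_vlan in ap_vlans:
        # Rule 3: AAA VLAN is in the AP database -> switched locally.
        return Decision("local", aaa_vlan, "AAA VLAN present on FlexConnect AP")
    if aaa_vlan in wlc_vlans:
        # Rule 1: not on the AP but on the WLC -> central, AAA VLAN kept.
        return Decision("central", aaa_vlan, "AAA VLAN only on WLC")
    # Rule 2: unknown to AP and WLC -> central, WLC's WLAN interface.
    return Decision("central", wlc_wlan_vlan,
                    "AAA VLAN unknown; WLC WLAN interface mapping")


def audit_guest_vlans(aaa_vlans: Sequence[int], ap_vlans: set) -> list:
    """Return the VLANs ISE may hand out that would NOT be switched locally.

    Every VLAN that the guest authorization policy can return (pre-auth
    redirect VLAN and post-CoA breakout VLAN) must be in the FlexConnect
    AP database, otherwise that client's traffic goes central over the WAN.
    """
    return sorted(v for v in set(aaa_vlans) if v not in ap_vlans)


def simulate_guest_session(ap_vlans: set, wlc_vlans: set,
                           pre_auth_vlan: int, breakout_vlan: int) -> list:
    """Walk one guest through the two-VLAN design with a CoA.

    Step 1: ISE returns the pre-auth VLAN (routes only to ISE/DNS).
    Step 2: after the portal login, the CoA re-authorizes the client
            into the breakout VLAN that routes to the local Internet.
    """
    steps = [
        decide(pre_auth_vlan, ap_vlans, wlc_vlans, pre_auth_vlan, 20),
        decide(breakout_vlan, ap_vlans, wlc_vlans, pre_auth_vlan, 20),
    ]
    return steps


if __name__ == "__main__":
    # Constructed branch: AP knows 110 (pre-auth) and 120 (breakout);
    # the WLC additionally has a central guest VLAN 30.
    AP_VLANS = {110, 120}
    WLC_VLANS = {20, 30}
    for step in simulate_guest_session(AP_VLANS, WLC_VLANS, 110, 120):
        print(step)
    # A policy that can also return VLAN 30 would send those guests central.
    print("centrally switched guest VLANs:",
          audit_guest_vlans([110, 120, 30], AP_VLANS))
```

Running the module prints both session steps as local decisions and flags VLAN 30 in the audit; the same `audit_guest_vlans` check, fed with the VLANs a real ISE authorization profile returns and the VLANs defined in the FlexConnect group, is the thing worth verifying before assuming guest traffic stays off the WAN.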