01-03-2011 03:05 AM - edited 07-03-2021 07:36 PM
Hi,
I have a WLC 2106 with 3 LAP1042s for my internal users. I authenticate them through an MS RADIUS server with 802.1X. This works well.
I have, for testing, created a guest WLAN using web auth and this works. I want my guest WLAN to be located on my DMZ (ASA 5510) but I am not sure of the best way to set it up. I would like to use my existing APs for this but that might not be possible.
Cheers
01-03-2011 03:25 AM
Hello,
A typical deployment for guest access with WLAN exit points in a DMZ is with a mobility anchor:
http://www.cisco.com/en/US/docs/solutions/Enterprise/Mobility/emob41dg/ch10GuAc.html#wp1011037
This would however require a second WLC platform of the type 440x, WiSM, 5508, or integrated in switches (e.g., 3750).
Let me know if this helps,
Fede
--
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.
01-03-2011 04:23 AM
Thanks,
That is not an option at the moment, probably never. Don't think I will get the funds for buying a new WLC for this purpose. I guess I can use ACLs and bind them to the guest WLAN but that will put them on my LAN and I don't want that. Anything else that might work?
01-03-2011 04:31 AM
AFAIK, by having just a WLC we cannot do much, and as you already know the 2106 cannot become a guest anchor either, so we can go for just web auth, and also there is no support for an external web portal.
Let me know if this answered your question.
Regards
Surendra
====
Please don't forget to rate the posts which answered your question and mark it as answered or helpful.
01-03-2011 04:32 AM
Hello,
Apart from ACLs, there are not too many other options I could think of either to achieve this with a single WLC.
Regards,
Fede
--
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.
01-03-2011 04:35 AM
OK!
I will talk to the spenders =) Thanks for the information!
01-03-2011 04:37 AM
No problem!! Thanks for posting on CSC!! Have a great day!!
Let me know if this answered your question.
Regards
Surendra
====
Please don't forget to rate the posts which answered your question and mark it as answered or helpful.
01-04-2011 09:34 AM
Since you have a 2106 WLC I am assuming that your network is quite small. You could create a new VLAN at layer 2 only from the WLC to the DMZ of your firewall. The default gateway would be the DMZ interface for the wireless guests. This would restrict all guest traffic to that VLAN as it is not possible to route a layer 2 only VLAN. Also no ACLs would be needed in this configuration. Depending on your configuration this may not be possible but I think it is a good option in your situation.
Thanks,
01-04-2011 12:05 PM
Hi,
That sounds really good. Not sure how I will configure the WLC for this. Is this correct?
1. AP-manager and management on LAN.
2. Configure one port on the WLC and name it WIFI with SSID and connect it to my DMZ.
3. The ports in the switch that the APs are connected to are members of both VLANs (LAN and DMZ network); I want to use my existing APs and not buy new ones.
01-04-2011 01:44 PM
You are on base except for the last part. Assuming that your APs are in local mode and not HREAP mode it does not matter what VLAN they reside in (assuming they can route to the WLC). In a lightweight wireless environment all traffic from the AP will be inside the LWAPP/CAPWAP tunnel and the only time that traffic is released to the network is through the controller. This allows you to define the DMZ physical port on the WLC and physically cable it to the DMZ port on your firewall. You could also create a tagged "trunk" interface and pass all VLANs to a core/access switch if you do not have enough physical cables. Just be sure that you do not add an IP address to the DMZ any other place than your WLC interface and the port on your firewall. If the only other VLAN in the environment is the same VLAN as the management interface is in, you can simply tie your new SSID used for production data access to the management port. This will allow you to segment out guests without the need for any AP configuration change and only minor switching and firewall changes.
Thanks,
01-04-2011 01:52 PM
That sounds exactly like what I want. Really nice information. Going to try that on Friday, and I will get back to you with information. I assume I can use the internal DHCP server on the WLC for the guest users.
Thanks again
01-05-2011 09:32 AM
You can use the WLC or the ASA for DHCP, obviously not both at the same time.
Thanks,
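As an added illustration of the design described in the 01-04-2011 09:34 AM and 01:44 PM replies and the DHCP note above (this is not configuration from the original thread or from any of the posters), here is one way to express it on the three boxes involved. The guest subnet 192.0.2.0/24, VLAN 50, WLC port 2, the WLC management address 10.10.10.5, the switch port numbers, ASA Ethernet0/2 and the DNS server address are all assumptions chosen for the example; the controller commands follow the AireOS CLI of that era, and some keywords vary by release, so check them against your own controller before pasting.

```text
! ---- Access switch (IOS): VLAN 50 exists at layer 2 only ----
! Deliberately NO "interface Vlan50" and no IP address on this VLAN anywhere
! on the LAN, so the guest segment cannot be routed into the inside network.
vlan 50
 name GUEST-DMZ
!
interface FastEthernet0/23
 description WLC 2106 port 2 (tagged guest VLAN only)
 switchport mode trunk
 switchport trunk allowed vlan 50
!
interface FastEthernet0/24
 description ASA 5510 Ethernet0/2 (DMZ)
 switchport mode access
 switchport access vlan 50

! ---- WLC 2106 (AireOS CLI): dynamic interface + guest WLAN ----
! Management and AP-manager stay on port 1 in the LAN VLAN. The APs keep
! talking to the controller inside CAPWAP, so no AP or AP switch-port change.
config interface create guest-dmz 50
config interface address guest-dmz 192.0.2.2 255.255.255.0 192.0.2.1
config interface port guest-dmz 2
! DHCP server for this interface: the management IP selects the WLC's own
! internal server. Point it at the ASA instead if the ASA serves DHCP;
! never run both for the same scope.
config interface dhcp dynamic-interface guest-dmz primary 10.10.10.5
!
config dhcp create-scope guest-scope
config dhcp network guest-scope 192.0.2.0 255.255.255.0
config dhcp address-pool guest-scope 192.0.2.100 192.0.2.200
config dhcp default-router guest-scope 192.0.2.1
config dhcp dns-servers guest-scope 198.51.100.53
config dhcp enable guest-scope
!
config wlan create 2 Guest Guest
config wlan interface 2 guest-dmz
config wlan security wpa disable 2
config wlan security web-auth enable 2
config wlan enable 2

! ---- ASA 5510: the DMZ interface is the guests' only gateway ----
interface Ethernet0/2
 nameif dmz
 security-level 10
 ip address 192.0.2.1 255.255.255.0
!
! Inbound policy on the DMZ: block every internal range first (this also
! covers the WLC management address), then allow only what a guest needs.
access-list GUEST_IN extended deny ip any 10.0.0.0 255.0.0.0
access-list GUEST_IN extended deny ip any 172.16.0.0 255.240.0.0
access-list GUEST_IN extended deny ip any 192.168.0.0 255.255.0.0
access-list GUEST_IN extended permit udp any any eq domain
access-list GUEST_IN extended permit tcp any any eq www
access-list GUEST_IN extended permit tcp any any eq https
access-list GUEST_IN extended deny ip any any
access-group GUEST_IN in interface dmz
!
! PAT the guest subnet behind the outside address (ASA 8.3+ object NAT
! syntax; pre-8.3 releases use the older nat/global pair instead).
object network GUEST_NET
 subnet 192.0.2.0 255.255.255.0
 nat (dmz,outside) dynamic interface
```

The point to verify after applying something like this is the one the 01:44 PM reply stresses: the only two addresses living on VLAN 50 are the WLC dynamic interface and the ASA DMZ interface. From a guest client, the inside subnets and the controller's management address should be unreachable, and on the switch "show ip interface brief" should list no SVI for the guest VLAN. If you cable WLC port 2 straight to the ASA instead of through the switch, create the dynamic interface with VLAN identifier 0 (untagged) and drop the switch part entirely.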
01-05-2011 09:35 AM
Hi, got this working this morning. Works like a charm.
Thank you very much