Cisco ISE Wireless Guest Network

mendozha
Level 1

Hello, I have a single WLC with a single interface that is trunked to the network switch.

I have 2 SSIDs, one for Guest and one for the company users.

Both networks are set up and ISE is authenticating the users SSID/wireless LAN. The Guest is open Auth.

I want to set up a guest portal and I'm finding conflicting documentation. I find that the WLC needs to be in a DMZ?

I am also finding documentation that says I need the WLC to be the anchor in the DMZ. In short, I only have a single WLC and want to set up the wireless portal. Can this be done, and where do I find the deployment guide?

2 Replies

d.friday
Level 4

mendozha,

Neither a DMZ nor an anchor controller is required. Typically most companies want to segment guest traffic, so that's why you see a lot of info around a DMZ or anchor controller.

Check out this link; it should point you in the right direction:

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/115732-central-web-auth-00.html

I hope this helps.

malone352
Level 1

Hi Mendozha,

You do not necessarily need an Anchor WLC to provide secure Guest access; it can be provided using the same infrastructure. This is known as a shared deployment, but you will need to have some form of DMZ to act as the guest client's gateway, and it may take some wrangling with your security folk.

Steps (assuming central switched SSIDs)

  1. Create a guest VLAN on the local switch connecting to the WLC to logically separate guest traffic.
  2. Make sure the guest VLAN does not have an associated Layer 3 interface on the internal network and is therefore not routable within your network. Use your internet-facing firewall as your guest clients' gateway.
  3. Configure a second interface on ISE for the Guest Portal and connect that to your DMZ switch. Your guest portal on ISE should be set to use this interface; there is no routing between interfaces on ISE.

Note: your guest clients will likely be using an external DNS, and they will need to be able to resolve the hostname of the ISE Guest Portal so they get redirected. You can override the Redirect to URL to use the ISE IP instead of the portal name, or publish the hostname of ISE.
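One way to check steps 1 and 2 above against a saved switch configuration, as an added example that is not part of the original post. The sample configuration, VLAN 50 as the guest VLAN, and the function names are constructed for illustration, and the parsing assumes IOS-style syntax.

```python
import re

# Constructed sample (not from the thread): VLAN 50 is the guest VLAN.
BAD_CONFIG = """\
vlan 50
 name GUEST
!
interface Vlan50
 ip address 10.0.50.1 255.255.255.0
!
interface GigabitEthernet1/0/1
 switchport trunk allowed vlan 10,50
!
"""
GOOD_CONFIG = BAD_CONFIG.replace(" ip address 10.0.50.1 255.255.255.0\n", " no ip address\n")

def parse_blocks(config_text):
    """Map each top-level config line to its indented child lines."""
    blocks, current = {}, None
    for line in config_text.splitlines():
        if not line.strip() or line.startswith("!"):
            current = None
        elif line[0] == " ":
            if current is not None:
                blocks[current].append(line.strip())
        else:
            current = line.strip()
            blocks[current] = []
    return blocks

def vlan_in_list(vlan, spec):
    """True if vlan appears in a trunk list such as '10,20-30,50'."""
    ranges = (part.partition("-") for part in spec.split(","))
    return any(int(lo) <= vlan <= int(hi or lo) for lo, _, hi in ranges)

def audit_guest_vlan(config_text, guest_vlan):
    """Return findings for steps 1 and 2; an empty list means both hold."""
    blocks, findings = parse_blocks(config_text), []
    if f"vlan {guest_vlan}" not in blocks:
        findings.append("guest VLAN is not defined")
    svi = blocks.get(f"interface Vlan{guest_vlan}", [])
    if any(l.startswith("ip address ") for l in svi) and "shutdown" not in svi:
        findings.append("guest VLAN has an active Layer 3 interface")
    trunks = [m.group(1) for lines in blocks.values() for l in lines
              if (m := re.match(r"switchport trunk allowed vlan (?:add )?([\d,-]+)$", l))]
    if not any(vlan_in_list(guest_vlan, t) for t in trunks):
        findings.append("guest VLAN is not allowed on any trunk")
    return findings
```

An addressed, non-shutdown `interface Vlan50` on the internal switch is the condition step 2 rules out, because it gives guest clients a routed path into the internal network instead of through the firewall.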
