I have a bit of a conundrum at the moment. I will be the first to admit I am no expert when it comes to the finer points of HREAP, but thought I would throw this out there in case someone else has already come across this approach and maybe even has a few tips?
Background: We run centralised wireless controllers across two datacentres. We have a WCS with MSE and a bunch of AIR-CAP3502I-N-K9 APs within our Campus, spread across multiple floors and buildings. We already have a working Guest access solution using NGS with HREAP to our Campus and our remote sites, leveraging an anchor controller in a DMZ.
We are currently looking at corporate wireless access in the following way:
APs in HREAP local switching mode, native VLAN is defined for its particular location/floor (possibly running groups of APs in specific HREAP groups) - RADIUS 802.1x through to a Symantec SNAC LAN Enforcer for posture assessment, which will then proxy requests on to IAS and Active Directory. Should remediation be required, the SNAC places the client in a remediation VLAN which is terminated in the datacentre and houses a remediation server to carry out any remediation tasks.
I can see how a permitted machine may work in this topology, but if remediation is required and the SNAC puts the client into a remediation VLAN, I cannot see how this will work in a centralised model whilst at the same time using HREAP local switching?
The majority of enterprises I am aware of tend to use localised controllers to each site, negating the requirement to use HREAP, but for the purposes of our design, I have to work with our centralised model.
Has anyone got corporate wireless working using HREAP into centralised controllers out there? If so, how did you get around the conundrum of remediating clients whose machines needed to be updated?
Permitted machines will be controlled using certificates from our active-directory/PKI infrastructure both for the machine and the user, to ensure only allowed people and machines can connect.
Should we be using HREAP local switching at all? Or should we follow the guest approach and tunnel all corporate clients back to the datacentre too? Looking for some pointers or ideas here. Many thanks in advance.
Although I haven't done this personally, my best recommendation would be to specify a quarantine VLAN on the interface on the controller and maybe have it be the same at all sites and see if that will flow through in H-REAP.
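The mechanism both posts are circling is dynamic VLAN assignment: the NAC or RADIUS server returns the RFC 2868 tunnel attributes (Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802, Tunnel-Private-Group-ID=<vlan>) in its Access-Accept, and the controller moves the client into that VLAN. With H-REAP local switching, the client is only going to land in that VLAN if the AP at that site actually has it in its local WLAN-to-VLAN mapping, which is exactly why the reply suggests using the same quarantine VLAN everywhere. The example below is added here and is not code from either poster or from Cisco or Symantec: it encodes and parses those three attributes and then checks the returned VLAN against a constructed per-AP mapping, flagging the case where a remediation VLAN comes back that the local AP cannot switch. The attribute layout follows RFC 2868/3580; the assumption that SNAC and IAS return standard tunnel attributes, and the sample VLAN numbers, are mine.

```python
import struct
from typing import List, Optional, Tuple

# RADIUS attribute numbers (RFC 2868) and the well-known values used for
# dynamic VLAN assignment (RFC 3580 section 3.31).
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6


def build_vlan_attributes(vlan_id: int, tag: int = 1) -> bytes:
    """Encode the three tagged tunnel attributes a RADIUS/NAC server puts in an
    Access-Accept to assign a VLAN. Each attribute is Type, Length, Tag, Value;
    the two integer attributes carry a 3-byte value after the tag octet."""
    tunnel_type = struct.pack("!BBB", TUNNEL_TYPE, 6, tag) + TUNNEL_TYPE_VLAN.to_bytes(3, "big")
    medium = struct.pack("!BBB", TUNNEL_MEDIUM_TYPE, 6, tag) + TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big")
    group = str(vlan_id).encode()
    group_attr = struct.pack("!BBB", TUNNEL_PRIVATE_GROUP_ID, 3 + len(group), tag) + group
    return tunnel_type + medium + group_attr


def parse_attributes(blob: bytes) -> List[Tuple[int, bytes]]:
    """Walk a RADIUS attribute list (Type, Length, Value...) and return
    (type, value) pairs, refusing truncated or malformed lengths."""
    attrs = []
    pos = 0
    while pos < len(blob):
        if pos + 2 > len(blob):
            raise ValueError("truncated attribute header")
        atype, alen = blob[pos], blob[pos + 1]
        if alen < 2 or pos + alen > len(blob):
            raise ValueError("bad attribute length")
        attrs.append((atype, blob[pos + 2:pos + alen]))
        pos += alen
    return attrs


def assigned_vlan(blob: bytes) -> Optional[int]:
    """Return the VLAN id carried by a complete VLAN assignment, or None when
    the Access-Accept does not contain a valid Tunnel-Type/Medium/Group trio."""
    tunnel_type = medium = None
    group = None
    for atype, value in parse_attributes(blob):
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if len(value) != 4:
                raise ValueError("tunnel integer attribute must be tag + 3 bytes")
            number = int.from_bytes(value[1:], "big")
            if atype == TUNNEL_TYPE:
                tunnel_type = number
            else:
                medium = number
        elif atype == TUNNEL_PRIVATE_GROUP_ID:
            # RFC 2868 3.6: a leading octet above 0x1F is part of the string, not a tag.
            text = value[1:] if value and value[0] <= 0x1F else value
            group = text.decode("ascii", errors="replace")
    if tunnel_type != TUNNEL_TYPE_VLAN or medium != TUNNEL_MEDIUM_IEEE_802 or group is None:
        return None
    return int(group) if group.isdigit() else None


def check_local_switching(access_accept: bytes, ap_local_vlans: set) -> Tuple[str, Optional[int]]:
    """Model what an H-REAP AP in local switching mode can do with the VLAN
    returned by the NAC: it can only place the client in a VLAN that is in its
    own WLAN-to-VLAN mapping (ap_local_vlans, constructed per site)."""
    vlan = assigned_vlan(access_accept)
    if vlan is None:
        return ("no-vlan-override", None)      # client stays on the WLAN's native VLAN
    if vlan in ap_local_vlans:
        return ("local-switched", vlan)        # remediation VLAN exists at this site
    return ("vlan-not-mapped-on-ap", vlan)     # the conundrum from the question


if __name__ == "__main__":
    # Constructed example: the NAC returns remediation VLAN 999, but the
    # floor's AP only maps VLANs 10 and 20 locally.
    remediation = build_vlan_attributes(999)
    print(check_local_switching(remediation, {10, 20}))   # ('vlan-not-mapped-on-ap', 999)
    print(check_local_switching(remediation, {10, 20, 999}))  # ('local-switched', 999)
```

Run over the VLAN set exported for each site's H-REAP group, this turns the reply's suggestion into a checkable rule: whichever VLAN number SNAC uses for remediation has to appear in every AP's local mapping (and the controller's WLAN must have AAA override enabled for the returned VLAN to be honoured at all), or the client will not reach the remediation server.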