Guest Wireless and DNS

Jason Wing
Beginner

During our implementation of Guest Wireless (currently ongoing), we are trying to decide where to point to for DNS.

We have a 5508 WLC in our Internet DMZ and it acts as the Anchor WLC. This WLC is also used as the DHCP server for the Guest Wireless clients.

We are debating whether to point the clients internally to our primary DNS servers, or externally to the public service provider DNS servers. The only DNS servers in the DMZ are external forwarders.

From a network standpoint, I think either solution would work. But from a security standpoint, which is better? Or is there another option?

Can anyone recommend a standard or best practice design when it comes to DNS for Guest Wireless?

Thanks in advance!

2 Accepted Solutions

Scott Fella
Hall of Fame Guru

Use an external DNS if possible. The only time I would use an internal one is if I install a 3rd party certificate on the guest anchor to get rid of the certificate error page during a webauth and the client doesn't have an external DNS or the ISP will not add an A record to resolve the certificate CN name.

Thanks,

Scott Fella


Stephen Rodriguez
Cisco Employee

If you are not playing around with third-party certificates for webauth, just point to external Internet servers. The only reason to use yours is if they would need access to internal resources, like a printer.

Steve

4 Replies

Thanks for the info - exactly what I needed. The guest access is not needed internally and I am not doing certificates. Therefore, external it is.

Hi Cisco community group,

We are having a similar issue.

Our setup is as follows:

We have a visitor SSID on a WLC which is not in the DMZ. We are doing AAA for the visitor SSID on the WLC using external webauth with the Cisco ISE visitor portal and the redirect URL.

But, in the entire flow of getting the visitor credentials authenticated from the ISE visitor portal through the WLC, there is the virtual interface of 192.0.2.1 on the WLC which is required to have a DNS record.

Now if I use an external (public or ISP) DNS, it cannot resolve that virtual interface DNS record and thus the authentication process seems to break: the wireless user doesn't reach the Run status and is stuck in Webauth Required status.

We are not pointing the visitor wireless users to the internal DNS, as we only want the publicly facing servers to be visible to the visitors and not the private records.

How can we get around this problem?

What is the best way to implement guest or visitor wireless in a campus environment?

Thank you.
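One way to satisfy both constraints in the post above (the webauth hostname must resolve, but private records must not be visible to guests) is a small forwarding resolver in the DMZ that guests are pointed at instead of either the internal or the public servers. The unbound configuration below is an added example, not from this thread or from Cisco: it answers only the one record webauth needs (the certificate CN, assumed here to be guest-portal.example.com, mapped to the 192.0.2.1 virtual interface), refuses the private namespace, and forwards everything else to a public resolver. The guest subnet, the internal domain and the upstream resolver address are placeholders to be replaced with local values.

```conf
# Added example: DMZ resolver for guest wireless clients only (unbound.conf).
server:
    interface: 0.0.0.0
    # Assumed guest VLAN range; only the anchor's guest clients may query.
    access-control: 0.0.0.0/0 refuse
    access-control: 10.200.0.0/16 allow

    # Serve the single name the webauth redirect depends on, pointing at the
    # WLC virtual interface (192.0.2.1, as in the post). Hostname is assumed.
    local-zone: "guest-portal.example.com." static
    local-data: "guest-portal.example.com. IN A 192.0.2.1"

    # Assumed internal domain: never resolve it for guests, even if a query
    # leaks through from a misconfigured client.
    local-zone: "corp.example.internal." refuse
    local-zone: "10.in-addr.arpa." refuse

    # Strip RFC1918 answers from upstream replies so a public zone cannot be
    # used to hand guests internal addresses.
    private-address: 10.0.0.0/8
    private-address: 172.16.0.0/12
    private-address: 192.168.0.0/16

    # Reduce what the resolver reveals about itself and what it sends upstream.
    hide-identity: yes
    hide-version: yes
    qname-minimisation: yes
    harden-glue: yes

forward-zone:
    name: "."
    # Placeholder for the ISP or public resolver address.
    forward-addr: 203.0.113.53
```

With this in place the guest DHCP scope on the anchor hands out the DMZ resolver's address, and the internal DNS servers never see guest queries.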
