01-26-2019 02:56 AM - edited 07-05-2021 09:45 AM
Dear Experts,
We need a design recommendation for WLC and ISE for guest access. We have 2 WLCs (SSO) and one ISE node. We want to connect the second interface of the WLCs to the DMZ, and ISE will be placed in the internal network.
Is this a doable design? What is the recommendation from a security perspective?
Does the WLC support traffic over multiple interfaces?
The WLC model is 5520.
Appreciate your quick response.
01-26-2019 03:06 AM
Do you have any high-level topology? Can this 5520 WLC be dedicated to Guest Anchor?
01-26-2019 05:03 AM
01-26-2019 05:04 AM
01-26-2019 06:03 AM
With SSO, LAG is required, so you cannot use a dedicated port. That type of design would be better with N+1, where you set the port priority and assign which port an interface belongs to. With SSO, you can place the guest into a non-routable VLAN internally and then have another port on the switch pass that traffic to the DMZ.
01-29-2019 02:44 AM
You can create a totally new VLAN just for guests and ensure that this is the Interface Group/VLAN that unauthenticated users get placed into when they associate with your open SSID (Guest). The WLC will send RADIUS requests to ISE via the management VLAN and this will arrive at Gig0 on the ISE node (ISE listens to RADIUS/TACACS on all active interfaces). And then the security advice I can give you is that you host your guest portal on a different ISE interface, e.g. Gig1. This is easily done from the ISE GUI when you create the portal. This means that ISE won't listen on tcp/443&8443 on Gig0; hence, guests won't be able to attack your ISE node and kill your management interface. Of course, if you're not careful, they can still DoS ISE on Gig1. But you should be very restrictive in your Cisco WLC ACLs for portal user roles and authenticated user roles. Portal users should only be allowed to perform DNS queries and talk tcp/8443 to ISE. Be as explicit as you can and even nail down the exact DNS servers in your ACLs!
For authenticated users you allow DNS, ISE and then block RFC1918 addresses, and finally, allow all the rest. That should ensure that guests only get to the internet. If you have a web proxy in your design, then the rule is a bit different: you don't allow all, but you simply allow all traffic to the proxy only, and then block the rest.
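The two role ACLs described in the reply above (portal role: pinned DNS servers plus ISE tcp/8443 only; authenticated role: DNS and ISE, then deny RFC1918, then permit the rest, or permit only the proxy when one is present) are modelled below as an added example. This is not the poster's configuration and not Cisco code; it assumes AireOS ACL semantics of top-to-bottom evaluation, first match wins, and an implicit deny for anything unmatched. All addresses (DNS servers, the ISE Gig1 portal address, the proxy) are constructed placeholders. It lets you check rule ordering offline before committing an ACL to the controller, in particular that the DNS and ISE permits sit above the RFC1918 denies, which is what the post's order relies on.

```python
"""Model of the guest-role WLC ACLs described in the reply above.

Added example, not the poster's configuration. Assumed ACL semantics:
rules are evaluated top to bottom, the first match wins, and anything
unmatched is implicitly denied. All addresses are constructed placeholders.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample addressing (assumptions, not values from the thread).
DNS_SERVERS = ["10.10.1.53", "10.10.2.53"]  # the exact resolvers guests may query
ISE_PORTAL_IP = "10.20.0.10"                # ISE Gig1, where the guest portal is hosted
PORTAL_PORT = 8443                          # portal listens on tcp/8443
RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]


@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    proto: str             # "udp", "tcp" or "any"
    dst: str               # destination CIDR, or "any"
    dport: Optional[int]   # destination port, None = any port
    note: str              # human-readable purpose of the rule


def _matches(rule: Rule, proto: str, dst_ip: str, dport: Optional[int]) -> bool:
    """True when a guest-originated flow (proto, dst_ip, dport) hits this rule."""
    if rule.proto != "any" and rule.proto != proto:
        return False
    if rule.dst != "any" and ipaddress.ip_address(dst_ip) not in ipaddress.ip_network(rule.dst):
        return False
    if rule.dport is not None and rule.dport != dport:
        return False
    return True


def evaluate(acl: List[Rule], proto: str, dst_ip: str, dport: Optional[int] = None) -> str:
    """Return 'permit' or 'deny' for a flow; first match wins, unmatched is denied."""
    for rule in acl:
        if _matches(rule, proto, dst_ip, dport):
            return rule.action
    return "deny"


def portal_role_acl() -> List[Rule]:
    """Pre-auth (portal) role: only the pinned DNS servers and ISE tcp/8443."""
    acl = [Rule("permit", "udp", f"{dns}/32", 53, "DNS to pinned resolver") for dns in DNS_SERVERS]
    acl.append(Rule("permit", "tcp", f"{ISE_PORTAL_IP}/32", PORTAL_PORT, "guest portal on ISE Gig1"))
    return acl  # everything else, including ISE management on Gig0, hits the implicit deny


def authenticated_role_acl(proxy_ip: Optional[str] = None) -> List[Rule]:
    """Post-auth role: DNS and ISE first, then block RFC1918, then allow the rest.

    With a web proxy the tail changes: allow all traffic to the proxy only,
    then deny everything else.
    """
    # The DNS and ISE permits come first so they win over the RFC1918 denies below.
    acl = portal_role_acl()
    if proxy_ip:
        acl.append(Rule("permit", "any", f"{proxy_ip}/32", None, "all traffic to the web proxy"))
        acl.append(Rule("deny", "any", "any", None, "block the rest"))
    else:
        acl.extend(Rule("deny", "any", net, None, "block internal address space") for net in RFC1918)
        acl.append(Rule("permit", "any", "any", None, "internet only"))
    return acl


if __name__ == "__main__":
    # Constructed sample flows: resolver, ISE management port, internal host, internet host.
    flows = [("udp", DNS_SERVERS[0], 53), ("tcp", ISE_PORTAL_IP, 443),
             ("tcp", "192.168.1.10", 445), ("tcp", "203.0.113.7", 443)]
    for name, acl in (("portal", portal_role_acl()), ("authenticated", authenticated_role_acl())):
        for flow in flows:
            print(f"{name:13} {flow}: {evaluate(acl, *flow)}")
```

Swapping the order of the RFC1918 denies and the DNS permits in `authenticated_role_acl` makes the DNS assertion fail, which is the cheap way to catch the ordering mistake before it lands on the controller.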