Secure Guest Wireless Design

thenetadmin
Level 1

Hi Team

Trying to build a secure wireless network for a customer.

The customer purchased a new WLC and ISE nodes. Being a healthcare customer, we took the security requirements into consideration and designed the WLAN.

The APs form CAPWAP tunnels to the WLCs, and from there the guest SSID is dumped onto the guest VLAN, which is then sent out to the Internet edge firewall. The firewall is the gateway for the guest VLAN.
The firewall routes traffic to the ISE located in the data center for captive portal authentication.

Please share your recommendations and advice regarding the security of the design, and please refer to the attached topology for context.


thenetadmin
Level 1

Anyone?

When the 9800 is dual-homed (DMZ switch & core switch), you have to test your traffic path carefully. Typically a 9800 WLC is like an end device (it has a single gateway) rather than acting like a router with multi-path routing capability. Always check that traffic from ISE to the 9800 and from the 9800 to ISE goes on the path you anticipated and that there is no asymmetric traffic flow.

HTH
Rasika
*** Pls rate all useful responses ***

balaji.bandi
Hall of Fame

Adding to the other post: you can use different ports to connect the WLC to the DMZ network.

Where is the gateway for the guest WLAN on the edge firewall?

Agreed, you need to be a bit cautious about routing.

BB

***** Rate All Helpful Responses *****

jameswillison1
Level 1

@thenetadmin 
The design for the secure guest wireless network in the healthcare setting appears robust. By using CAPWAP tunnels to the Wireless LAN Controller (WLC) and segregating guest traffic into a separate VLAN, you isolate guest users from critical systems. Routing through the Internet Edge firewall adds an additional layer of protection, and the use of ISE for captive portal authentication enhances security by ensuring only authorized users gain access. Continuously monitoring and updating firewall rules, maintaining WLC and ISE nodes, and regularly reviewing security policies will be essential for maintaining a strong and secure wireless network in a healthcare environment.
regards @jameswillison

thenetadmin
Level 1

Thank you @balaji.bandi @Rasika Nayanajith 

You made very good points.

In the proposed design, the WLC has two LAGs, one to the cores for corporate traffic and the other to the DMZ switches.

The WLC sends guest traffic to the DMZ switch, which is logically on the other side of the edge firewall. The gateway for the guest WLAN is the edge firewalls.

Typically, APs are connected to LAN access switches. The APs first CAPWAP-tunnel the guest traffic to the WLC, then the controller dumps the traffic onto the guest VLAN going towards ISE in the data center, because the guest captive portal is served by ISE. Clients have to be able to resolve the DNS name for ISE.

I could have also simply created an L2 transit VLAN on the cores and L3 on the firewall, and used the existing trunks between the cores and the firewalls to allow new sub-interfaces on the firewall for the guest interface, but that makes it less secure. Physical separation is a bit better.

This is just my opinion. You are welcome to add your suggestions to enhance the design and increase its security.

A few more questions: on ISE, what kind of guest authentication are you doing? Where is DHCP for guests? Do you have a publicly signed cert for the guest SAN on ISE?

-hope this helps-

Guests will be authenticated via captive portal. Yes, we do have a publicly signed certificate just for this purpose.

The edge firewalls will handle DHCP.

As in hotspot, self-registered guest, sponsored guest... What I was trying to get to is this: if you are using the ISE portal only for the AUP, you can do it with the WLC directly and even get creative with custom HTML, since your guest traffic is already physically separate, and save the headache of opening the firewall to allow ISE and guest user communication as well as save on ISE licenses. But if you are using some more advanced guest portal features, then it's understandable.

-hope this helps-
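To make the "opening the firewall" point concrete, here is an added example (not from this thread or from Cisco) that lints a guest-VLAN firewall policy against the design described above: guest gateway, DHCP and DNS on the edge firewall, captive portal on an ISE node in the data center. All addresses, the 8443 portal port and both rule sets are constructed assumptions.

```python
import ipaddress
from typing import NamedTuple, Optional

class Rule(NamedTuple):
    action: str                  # "allow" or "deny"
    dst: ipaddress.IPv4Network   # destination network
    proto: str                   # "tcp", "udp" or "any"
    port: Optional[int]          # None = any port

N = ipaddress.ip_network
FW_GW = "10.250.0.1"    # constructed: edge firewall, guest gateway, DHCP and DNS relay
ISE = "10.10.20.15"     # constructed: ISE node serving the guest portal in the DC
RFC1918 = [N("10.0.0.0/8"), N("172.16.0.0/12"), N("192.168.0.0/16")]

# Tightened first-match policy for flows sourced from the guest VLAN.
TIGHT_POLICY = [
    Rule("allow", N(FW_GW + "/32"), "udp", 67),    # DHCP served by the firewall
    Rule("allow", N(FW_GW + "/32"), "udp", 53),    # DNS so the ISE portal FQDN resolves
    Rule("allow", N(ISE + "/32"), "tcp", 8443),    # ISE guest portal port (assumed 8443)
    *[Rule("deny", net, "any", None) for net in RFC1918],  # no lateral path inward
    Rule("allow", N("0.0.0.0/0"), "tcp", 80),
    Rule("allow", N("0.0.0.0/0"), "tcp", 443),
    Rule("deny", N("0.0.0.0/0"), "any", None),
]
# Loose variant: "open the firewall to ISE" with a host-wide allow in front.
LOOSE_POLICY = [Rule("allow", N(ISE + "/32"), "any", None)] + TIGHT_POLICY

def evaluate(policy, dst, proto, port):
    """Action of the first rule matching a guest-sourced flow (implicit deny)."""
    d = ipaddress.ip_address(dst)
    for r in policy:
        if d in r.dst and r.proto in ("any", proto) and r.port in (None, port):
            return r.action
    return "deny"

def lint(policy):
    """Findings where the policy breaks the portal flow or over-exposes the DC."""
    findings = []
    if evaluate(policy, ISE, "tcp", 8443) != "allow":
        findings.append("guest cannot reach the ISE portal; redirect will fail")
    if evaluate(policy, FW_GW, "udp", 53) != "allow":
        findings.append("guest cannot resolve the ISE portal FQDN")
    if evaluate(policy, ISE, "tcp", 22) == "allow":
        findings.append("ISE reachable from guest beyond the portal port")
    for net in RFC1918:
        if evaluate(policy, str(net[200]), "tcp", 445) == "allow":
            findings.append(f"corporate range {net} reachable from guest VLAN")
    return findings
```

Running `lint(LOOSE_POLICY)` flags the host-wide ISE allow, while `lint(TIGHT_POLICY)` returns no findings.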

Sorry for missing it. Captive portal with external authentication like SMS.

JPavonM
VIP

Why use SMS validation for the guest portal? Is it because you want to collect the phone number of the user to be able to identify anyone in case of misuse of the Internet connection?

I personally hate receiving any code or validation link through SMS-like methods, as they increase the risk of smishing (SMS phishing), so I wouldn't recommend that you use SMS validation.

@JPavonM wrote:

Why use SMS validation for the guest portal? Is it because you want to collect the phone number of the user to be able to identify anyone in case of misuse of the Internet connection?

I personally hate receiving any code or validation link through SMS-like methods, as they increase the risk of smishing (SMS phishing), so I wouldn't recommend that you use SMS validation.

That's correct. That is what most organizations do to keep and maintain the authenticity of users in case any user performs illegal activities.
Do you suggest any other method than SMS?