02-07-2015 07:54 AM - edited 07-05-2021 02:27 AM
We have a couple of 5508 controllers (one in US and one in EMEA) and AIR-CAP2602I-E-K9 APs. Our 50 branch offices (US, EMEA, and APAC) have 3750s but we are in the process of replacing these with 3850s. We want to provide a wireless network strictly for mobile devices (iPhones/iPads) for employees when they are in the office. All of the 50 branch offices will have local internet so we want Internet traffic to traverse through the local ISP and not across the WAN. Additionally we need this to be a secure environment so only employees can use this wireless network. We do have a separate "Guest" network that is used by clients/guests. What is the best option to deploy this?
02-07-2015 08:02 AM
You would need to deploy in FlexConnect mode so that the traffic stays local and follows the local routing policy.
HTH,
Steve
02-07-2015 09:42 AM
I agree with Steve.
FlexConnect
- use FlexConnect groups for keying
- if you use 802.1X you will need to consider how the users will auth. That traffic will likely have to come across the WAN
- you can drive the guest traffic back over the WAN to a DMZ if you wanted.
02-07-2015 10:04 AM
Thanks.
Can we enforce our employees to authenticate against AD from their mobile device or push out a cert (we use MobileIron for our MDM)?
How can we prevent our employee laptops from connecting to the "Mobile" SSID?
Should we consider the 3850's as the local controller?
02-07-2015 10:18 AM
Sounds like you are using 802.1X. Keep in mind that while in flex mode the mobile traffic is dumped locally. However authentication would need to come back to the WLC, then be processed by the RADIUS and checked against AD.
Yes, you can use a cert for authentication; another name for this is EAP-TLS. If you have an MDM in place it would be no different than if the user was in the corp office.
Preventing a corp device from accessing a guest SSID can be tricky. Some folks will deploy a supplicant like AnyConnect on laptops that prevents the device from connecting to the mobile SSID. You may want to check your MDM. It may be able to prevent this as well.
3850 as a local controller. I wouldn't unless you have the time to work through the bugs and lack of features.
02-07-2015 10:21 AM
You would define policies if using 802.1X authentication. You can then distinguish between mobile devices (if using certs) and domain machines. You can push out a GPO to your domain machines preventing them from joining the mobile SSID or any other SSID you have that you want to prevent.
FlexConnect would still be a better choice unless you want to manage each site using a 3850 as an MC.
-Scott
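As an added example, not posted by anyone in this thread, here are the AireOS WLC CLI steps that put the design above together: a WPA2/802.1X WLAN with FlexConnect local switching, so client data stays on the branch LAN while RADIUS authentication still goes through the controller. The WLAN ID 2, the SSID name, the RADIUS server index, the AP name, its MAC address and the group name are assumed placeholders.

```cisco
! Assumed WLAN ID 2 and SSID "Mobile-Corp"; RADIUS server index 1 is assumed to be
! defined already with: config radius auth add 1 <server-ip> 1812 ascii <shared-secret>
config wlan create 2 Mobile-Corp Mobile-Corp
config wlan security wpa enable 2
config wlan security wpa wpa2 enable 2
config wlan security wpa wpa2 ciphers aes enable 2
config wlan security wpa akm 802.1x enable 2
config wlan radius_server auth add 2 1
! Data plane stays at the branch (local switching); 802.1X still terminates on the WLC
config wlan flexconnect local-switching 2 enable
config wlan enable 2
! Assumed AP name; the AP reboots when its mode changes to FlexConnect
config ap mode flexconnect AP-Branch-NYC-01
! FlexConnect group so the APs at one site share keying (fast roaming) settings
config flexconnect group Branch-NYC add
config flexconnect group Branch-NYC ap add aa:bb:cc:dd:ee:ff
! Verify the WLAN and group settings
show wlan 2
show flexconnect group detail Branch-NYC
```

The branch VLAN that locally switched clients land on is set per AP or per FlexConnect group with the VLAN-mapping commands, which are not shown here.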