Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
741
Views
0
Helpful
2
Replies

WLC 2504 and SSO

kerryjcox
Level 1
Level 1

‎10-21-2013 03:02 PM - edited ‎07-04-2021 01:07 AM

Am running into a slight issue and was hoping someone could shed a light on this.

I am using a Cisco WLC 2504 wireless LAN controller to manage four (4) 1142 WAPs.  Everything works well and we have both authenticated users and a guest-wireless network as well.

However, we are implementing a web filerting solution (zScaler) which requires a GRE tunnel from our edge router (C2921) to their network.  Everything goes through this tunnel now.  Along with that we have SSO (single sign on) solution (OKTA) which requires all users to login using their AD accounts and they must also agree to our terms of Conditions.

So, my question is, how can I allow guest users to bypass this tunnel and not use an AD account to authenticate?

Here is one possible solution:

Place the guest users on a new VLAN and then route then through my ASA 5510 firewall through a new egress IP.  This new egress IP I can set up as an exception in the GRE tunnel. 

My problem is how do I configure guest users to be on a new VLAN through the WLC? 

And then how do I configure the ASA to route this VLAN over the new egress IP?

Thoughts?  Ideas?  am happy to provide config files if needed or to diagram further.

Thanks in advance.

Kerry


Labels:
0 Helpful
2 Replies 2

kerryjcox
Level 1
Level 1

‎10-21-2013 03:06 PM

One thing I forgot to mention; we are using an outside VoIP provider, and so we do VLAN tagging on all the single drops in each cubicle.  management would not let us separate out data phones lines from the computer drops.

We VLAN tag all data packets as VLAN 101 and then tag all VoIP packets as VLAN 200.  Am happy to set up another VLAN 100 as wireless, and then route them out our C3750G switches, but have never had to do this as well.

Thanks.

0 Helpful

kerryjcox
Level 1
Level 1
In response to kerryjcox

‎10-21-2013 03:45 PM

May have answered my own question...

Am going to burn an extra port on my WLC and plug it directly into my C5510 and use an extra IP as my egress.

Any suggestions on how to configure a new port on the WLC to be in a different subnet and then route guest-wireless over this port and then out a different egress IP on the firewall?  Am concerned that the egress IP will overlap the LAN Ip address subnet.

Thanks.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card