WLC+Anchor+Guest NAC

Answered Question
Jan 12th, 2009

Hello all

I have a few basic clarifications on these components. I have a network with LWAPPs and a WLC on one site, say site A. Let's consider only the guest SSID access as of now. The anchor guest controller is positioned on a DMZ segment on site B. Sites A and B are connected through a routed network. I also have a NAC guest server on site C. Now, I want to integrate all these components. As per my knowledge, the following is the traffic flow:

1) When guest users access their SSID, they are mapped to the anchor controller in the DMZ through mobility groups. The WLC then initiates an EoIP tunnel to the DMZ controller. Firewall rules allow all required ports (IP 97, UDP 16666, etc.), and end-to-end IP communication happens.

2) Upon the request, the anchor controller provides an IP address from the DHCP configured locally. In this case, will the default gateway of the PCs be the anchor DMZ controller's WLAN IP, or will it be local to site A (say the L3 switch)?

3) Then, when the user tries to access any site, he is given a web authentication portal, which is linked to the RADIUS server/NAC guest server. During authentication, the DMZ controller again tries speaking to the NAC guest server in site C; hence the firewall has to allow the UDP 1812/1813 RADIUS ports.

4) After authentication, the user browses the internet. Now, what will be the IP packet flow in this instance? Will all traffic first be tunneled across LWAPP to the controller, and from there EoIP'ed to the anchor? Does the anchor then forward it to the internet gateway through the DMZ? As asked before, will the default gateway of the PCs be the WLAN IP of the anchor? If there are too many users, will I create many guest WLAN SSIDs for site A?

Sorry for the long post.

Raj

wesleyterry Mon, 01/12/2009 - 19:06

Let's see if I can help with anything...

Client connects to Guest SSID on AP connected to Controller A

Controller A anchors the SSID/WLAN to DMZ Controller at Site B

So, basically, the client is actually hanging off the network port of the DMZ controller (so all IP/routing needs to be assigned from the standpoint of the Ethernet port on the DMZ controller). The client gateway should be the gateway of controller B, not the IP of controller B.

When the client makes a web request, the request is hijacked by a web-authentication device (your NAC in site C?), and once authenticated, the client is allowed on the internet back at site B.

With all that said, no traffic should be going to site C once authenticated. So the traffic flow should be (after authentication):

Client > AP Site A > Site A Controller > Site B DMZ Controller > DMZ Controller Gateway to wherever.....

Is that clarifying anything?

I don't think there is a reason to create more guest WLAN SSIDs unless you need different authentication methods, or if for some reporting reason you want them different.

I don't think the number of users will be a limiting factor.
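The two posts above fix the only flows that have to cross the firewalls in this design: EoIP (IP protocol 97) and mobility control (UDP 16666) between the foreign and anchor WLCs, RADIUS (UDP 1812/1813) from the anchor to the NAC Guest Server, and nothing from guest clients toward site C once they are authenticated. The script below is an added example (not from the thread or from Cisco) that models those flows and checks a candidate rule set against them: every required flow must be permitted, and the guest-to-NAC flows must stay denied. All addresses, subnets and the rule format are constructed placeholders.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed placeholder addresses (assumptions, not values from the thread).
FOREIGN_WLC = "10.1.0.10"    # site A foreign WLC management interface
ANCHOR_WLC = "192.0.2.10"    # site B anchor WLC in the PIX DMZ
NAC_GUEST = "10.3.0.20"      # site C NAC Guest Server (RADIUS)
GUEST_CLIENT = "192.0.2.70"  # a guest client addressed from the anchor's DHCP scope
SITE_C_NET = "10.3.0.0/24"
DMZ_NET = "192.0.2.0/24"


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str           # "ip97" for EoIP, otherwise "udp" or "tcp"
    port: Optional[int]  # None where the protocol has no port (EoIP)


@dataclass(frozen=True)
class Rule:
    src_net: str
    dst_net: str
    proto: str           # "any" or a specific protocol as in Flow.proto
    port: Optional[int]  # None matches any port
    action: str          # "permit" or "deny"

    def matches(self, f: Flow) -> bool:
        return (ip_address(f.src) in ip_network(self.src_net)
                and ip_address(f.dst) in ip_network(self.dst_net)
                and self.proto in ("any", f.proto)
                and self.port in (None, f.port))


# Flows the thread says must be open: EoIP and mobility control between the
# foreign and anchor WLC in both directions, RADIUS from the anchor to the NAC server.
REQUIRED: List[Flow] = [
    Flow(FOREIGN_WLC, ANCHOR_WLC, "ip97", None),
    Flow(ANCHOR_WLC, FOREIGN_WLC, "ip97", None),
    Flow(FOREIGN_WLC, ANCHOR_WLC, "udp", 16666),
    Flow(ANCHOR_WLC, FOREIGN_WLC, "udp", 16666),
    Flow(ANCHOR_WLC, NAC_GUEST, "udp", 1812),
    Flow(ANCHOR_WLC, NAC_GUEST, "udp", 1813),
]

# Flows that must stay closed: after authentication guest traffic leaves via the DMZ
# gateway and never needs to reach site C, so a guest must not get to the NAC server.
FORBIDDEN: List[Flow] = [
    Flow(GUEST_CLIENT, NAC_GUEST, "udp", 1812),
    Flow(GUEST_CLIENT, NAC_GUEST, "tcp", 443),
]


def evaluate(rules: List[Rule], flow: Flow) -> str:
    """First matching rule wins; anything unmatched is implicitly denied."""
    for r in rules:
        if r.matches(flow):
            return r.action
    return "deny"


def missing_required(rules: List[Rule]) -> List[Flow]:
    """Required flows the rule set fails to permit."""
    return [f for f in REQUIRED if evaluate(rules, f) != "permit"]


def over_permissive(rules: List[Rule]) -> List[Flow]:
    """Forbidden flows the rule set lets through."""
    return [f for f in FORBIDDEN if evaluate(rules, f) == "permit"]


# Host-specific rules: one entry per required flow, nothing else.
TIGHT_RULES = [Rule(f.src + "/32", f.dst + "/32", f.proto, f.port, "permit") for f in REQUIRED]

# Subnet-wide shortcut for RADIUS that also lets guest clients in the DMZ reach site C.
LOOSE_RULES = TIGHT_RULES[:4] + [Rule(DMZ_NET, SITE_C_NET, "any", None, "permit")]

if __name__ == "__main__":
    for name, rules in (("tight", TIGHT_RULES), ("loose", LOOSE_RULES)):
        print(name, "missing:", missing_required(rules),
              "over-permissive:", over_permissive(rules))
```

The loose rule set passes the "does everything work" check but fails the second one, which is the point: because guest clients are addressed out of the anchor's DMZ interface, a DMZ-to-site-C subnet rule written for RADIUS also gives guests a path to the NAC server. Rules keyed to the anchor's own address avoid that.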

sachinraja Mon, 01/12/2009 - 20:07

Hello Wesley

Thanks for the clarification. That solves almost all my design-related questions. Your explanation means that:

1) I will not need any layer 3 VLANs for guests on the local L3 switched network in site A, right? I have close to 7 closets, which trunk onto the core switch in site A. Each closet has around 10 APs, which communicate with 2 x WLC 4404 (100 K9). The core switch is connected to the WAN router, through which routing happens to site B.

2) Can I define the DHCP server locally on the anchor controller? In this aspect, I hope the DHCP broadcast is sent through EoIP? Does it have any dependency on knowing the DNS server?

Thanks again. Have you implemented this? Do you have any working configs? I have seen the wireless SRND and have a basic config template for all devices. Any other links which you can suggest?

Raj

grzegorz.ciolek Tue, 01/13/2009 - 13:27

Hi,

1. You should not do any VLAN for the L3 network on side A for guests. However, you have to tailor the guest WLAN on the foreign controller with some dynamic interface. For security purposes it is wise to create a dummy VLAN on the foreign controller: tailor it to the guest WLAN and do not allow it on the trunk connection between the foreign controller and the core switch.

2. Yes, you can use the DHCP server on the anchor controller.

...and yes, I have some experience with all the stuff you mentioned ;-)

Cheers

Gregory

sachinraja Wed, 01/14/2009 - 10:03

Greg

Thanks again. That was useful too. One last query, and this has been grilling my head:

1) How does the guest VLAN egress work? I have a WLC on a new DMZ of the PIX, with a /27 subnet. This WLAN is used only for EoIP communication. Now, when the guest user gets a DHCP IP, what IP pool should I define here? Since the default route is going to be towards the PIX, it should be one among the 4 interfaces right now? Or should I have another interface or VLAN DMZ for the egress traffic from the WLC? The SRND says something about dynamic interfaces, but it is not explained at all :(

2) Will the foreign WLC talk to anchor controllers 1 & 2 in load balancing mode? Why I'm asking is, if the DHCP is defined on anchor 1 and the request goes to anchor 2, then it will be an issue. Otherwise, is it advisable to split up DHCP scopes between the two anchors? Say 1-127 on one anchor and 128-254 on the other?

3) Lastly, about guest NAC servers. I have 2 of them in place. Will the guest database be replicated between them, like what ACS does? If so, is the replication bidirectional? If a lobby admin creates an account, it will be good if he just creates it in one box and the other box replicates it.

Thanks for all your answers. It has been really useful to me, and I think it will be useful for anyone who works on anchor+guest+foreign WLC designs :)

Raj

wesleyterry Wed, 01/14/2009 - 17:58

So I really can't answer 1 and 3, and 2 actually brings up a concern....

How do you plan to anchor to load-balanced WLCs? I'm pretty sure you anchor to one controller, but maybe I just haven't read much about load balancing. Care to enlighten me?

Furthermore, when configuring anchor WLANs, I've always had to make the configuration identical, which included defining the DHCP server on the WLAN that is trusted. As far as I know, you can only define 1 DHCP server, so I'm not really sure how you would even make two DHCP servers work (unless you don't have to define a DHCP server on the trusted WLC)...

But assuming you could make both DHCP servers work with the WLC, then you probably will need to split the scopes, else you have no way to control address conflicts if you are really using two DMZ controllers.

I guess I need to read-up a little on what you are calling "load balancing mode"...

Correct Answer
grzegorz.ciolek Wed, 01/14/2009 - 23:35

1. I think you should have physical port 1 and the management interface for management purposes (tagged or untagged), and port 2 and a dynamic interface (I think of them as a VLAN interface on a switch) for guest users.

2. As you said, use two scopes or an external DHCP server for this scenario. "Load balancing" is possible.

3. Sorry, I don't have any deployment with two NGS... but you can run two NGS in VMware Server and test this (you can obtain a 30-day free license from the Cisco site). Have you looked here:

http://www.cisco.com/en/US/docs/security/nac/guestserver/configuration_guide/11/g_replication.html

Cheers

Gregory
