I have a slightly odd requirement in that I am building a remote site solution using ISRs and LWAPs at remote sites with a centrally hosted WLC (amongst other things). I need to provide guest access at all the sites, which is easy enough, but the guest Internet traffic needs to go out via local Internet links (xDSL lines connected to the ISR). As far as I can see, it's only possible to tunnel the traffic to the WLC and then go out via the corporate firewall, or route the traffic all the way back to the ISR, which isn't very efficient.
Ideally, I'd like the WLC to be inline with traffic tunnelled to it for the initial web auth attempt, but then to move out of line to allow the local Internet breakout. Traffic segmentation isn't an issue in this case because the ISR is acting as a local firewall and I can easily ensure guest WLAN traffic doesn't touch the corporate network.
So in summary, the requirements are:
- Central webauth on the controller (Guest NAC server may be added later)
- Uniform guest WLAN config
- DHCP served either from the ISR or the WLC
- Once authentication is complete, a guest user's traffic should be routed out via the local ADSL line
Has anyone seen/configured a setup like this before? Can anyone point me towards some relevant documentation?