Wireless for Mobile Devices utilizing local Internet

CHRIS KALETH
Level 5

We have a couple 5508 controllers (one in US and one in EMEA) and AIR-CAP2602I-E-K9 AP's.  Our 50 branch offices (US, EMEA, and APAC) have 3750's but we are in the process of replacing these with 3850's.  We want to provide a wireless network strictly for mobile devices (iphones/ipads) for employees when they are in the office.  All of the 50 branch offices will have local internet so we want Internet traffic to traverse through the local ISP and not across the WAN.  Additionally we need this to be a secure environment so only employees can use this wireless network.  We do have a separate "Guest" network that is used by clients/guests.  What is the best option to deploy this?  

5 Replies

Stephen Rodriguez
Cisco Employee

You would need to deploy in FlexConnect mode so that the traffic stays local and follows the local routing policy.

HTH,
Steve

George Stefanick
VIP Alumni

I agree with Steve.

FLEX CONNECT

- use FlexConnect groups for keying

- if you use 802.1X you will need to consider how the users will auth. That traffic will likely have to come across the WAN

- you can drive the guest traffic back over the WAN to a DMZ if you wanted.

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

Thanks.

Can we require our employees to authenticate against AD from their mobile device, or push out a cert (we use MobileIron for our MDM)?

How can we prevent our employee laptops from connecting to the "Mobile" SSID?

Should we consider the 3850's as the local controller?

Sounds like you are using 802.1X. Keep in mind that while in flex mode the mobile traffic is dumped locally. However, authentication would need to come back to the WLC, then be processed by the RADIUS and checked against AD.

Yes, you can use a cert for authentication; another name for this is EAP-TLS. If you have an MDM in place it would be no different than if the user was in the corp office.

Preventing a corp device from accessing a guest SSID can be tricky. Some folks will deploy a supplicant like AnyConnect on laptops that prevents the device from connecting to the mobile SSID. You may want to check your MDM. It may be able to prevent this as well.

3850 as a local controller: I wouldn't, unless you have the time to work through the bugs and lack of features.

 

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________
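The FlexConnect design Steve and George describe (client data switched locally at the branch AP, 802.1X going back over the WAN to the WLC and its RADIUS server, FlexConnect groups for keying) as one concrete 5508 CLI configuration. This is an added example, not configuration from the thread or from Cisco; it assumes WLAN ID 5 with SSID "Mobile", a RADIUS server at 10.1.1.10 in server index 1, a branch AP named br-nyc-ap01, a FlexConnect group named BranchNYC and a branch VLAN 120 for the mobile traffic. `<shared-secret>` and `<ap-mac>` are placeholders; lines starting with `!` are annotations, not WLC commands, and should be dropped when pasting.

```text
! Create the employee-mobile WLAN (disabled by default; security is set
! before enabling it). WPA2/AES with 802.1X AKM so EAP-TLS certs pushed by
! the MDM, or AD credentials via PEAP, are accepted by the RADIUS server.
config wlan create 5 Mobile Mobile
config wlan security wpa enable 5
config wlan security wpa wpa2 enable 5
config wlan security wpa wpa2 ciphers aes enable 5
config wlan security wpa akm 802.1x enable 5
config radius auth add 1 10.1.1.10 1812 ascii <shared-secret>
config wlan radius_server auth add 5 1

! Local switching: client data leaves the AP onto the branch LAN and out
! the local ISP; only the 802.1X/RADIUS exchange crosses the WAN to the WLC.
config wlan flexconnect local-switching 5 enable
config wlan enable 5

! Put the branch AP into FlexConnect mode (the AP reboots) and map the
! WLAN to the locally routed branch VLAN.
config ap mode flexconnect br-nyc-ap01
config ap flexconnect vlan enable br-nyc-ap01
config ap flexconnect vlan native 1 br-nyc-ap01
config ap flexconnect vlan wlan 5 120 br-nyc-ap01

! FlexConnect group for the site so keys are shared between the branch APs.
config flexconnect group BranchNYC add
config flexconnect group BranchNYC ap add <ap-mac>

! Verify
show wlan 5
show ap config general br-nyc-ap01
show flexconnect group detail BranchNYC
```

The check to make after this is the one George calls out: with the WAN link down, new 802.1X associations fail because the RADIUS exchange cannot reach the controller, while already-authenticated clients keep passing traffic locally. If that is unacceptable, a RADIUS server reachable at the branch has to be configured on the FlexConnect group rather than on the WLAN.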

You would define policies if using 802.1X authentication. You can then distinguish between mobile devices (if using certs) and domain machines. You can push out a GPO to your domain machines preventing them from joining the mobile SSID, or any other SSID you have that you want to prevent.

FlexConnect would still be a better choice unless you want to manage each site using a 3850 as an MC. 

-Scott

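The client-side block Scott describes, pushed to domain laptops by GPO, comes down to a Windows WLAN filter. The added script below is not from the thread; it assumes the SSID is named "Mobile", the corporate SSID is named "Corp", and that it runs elevated, for example as a GPO computer startup script. The same result is available without a script under Computer Configuration > Policies > Windows Settings > Security Settings > Wireless Network (IEEE 802.11) Policies, Network Permissions tab.

```powershell
# Added example: keep domain laptops off the employee-mobile SSID.
$MobileSsid = "Mobile"   # assumed name of the mobile-device SSID
$CorpSsid   = "Corp"     # assumed name of the corporate laptop SSID

# Block the mobile SSID explicitly. netsh persists the filter across reboots.
netsh wlan add filter permission=block ssid="$MobileSsid" networktype=infrastructure

# Stricter variant: deny every infrastructure SSID, then allow only Corp.
# A denyall filter also stops users from joining hotel or home-office Wi-Fi,
# so only use it where that is intended.
# netsh wlan add filter permission=denyall networktype=infrastructure
# netsh wlan add filter permission=allow ssid="$CorpSsid" networktype=infrastructure

# Verify the filter is present before trusting the policy.
$filters = netsh wlan show filters
if ($filters -match [regex]::Escape($MobileSsid)) {
    Write-Output "Filter present: '$MobileSsid' is blocked on this machine."
} else {
    Write-Error "Filter for '$MobileSsid' not found; check that the script ran elevated."
}
```

A filter of this kind is a convenience control, not a security boundary: a local administrator can remove it with `netsh wlan delete filter`, and a personal device is never subject to it. The enforcement that actually holds is the one Scott mentions first, an authentication policy on the RADIUS side that only admits the certificate type the MDM issues to mobile devices, so a domain laptop that does reach the SSID is rejected at 802.1X rather than relying on the client to behave.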