392 Views · 0 Helpful · 5 Replies

Central hosted guest portal, local switched traffic possible?

PERI_Admin
Level 1

First of all I will explain our current setup. Until now we have used the products of a competitor, but we want to switch over to Cisco wireless products soon. In order to do that we want to know if a centrally hosted guest portal with locally switched internet traffic is possible. Tunneling the whole traffic to the headquarters is not possible because our WAN connection is very slow. This is the reason why we need to use the local internet breakouts in the subsidiaries. The guest portal should be hosted centrally.


Currently we are working with a guest network (SSID: Guest) in our subsidiaries. The network is switched at the wifi controller in the headquarters. Unauthenticated users only reach the guest portal and can register. After this is successful, the topology for this user is changed dynamically and he now has a locally switched wifi. Therefore we use separate guest VLANs in the subsidiaries. These VLANs should only have internet access and are not routed towards the headquarters.


As far as I know this solution is not possible with Cisco because there is no way to dynamically change the bridging mode per user. My question is: how can I reach my goal?


I found a tutorial that obviously covers this problem: https://www.doctorchaos.com/flexconnect-local-switching-guestbyod/

After a closer look I am not sure if that's exactly what we want to achieve. Does the traffic to the headquarters use the CAPWAP tunnel? Is this achieved via split tunneling? If yes, this would be great, because then it should be sufficient to route the local guest networks only for the wifi controller but not globally.


Besides that, is there another possibility?

5 Replies

Philip D'Ath
VIP Alumni

I'm going to assume you are talking about a Cisco WLC solution here.

You can combine this with the Cisco ISE Guest portal. You can have the guest start out in one VLAN, and after authentication you can drop them into another.

Specifically, you can configure ISE to drop users into VLANs - by user.

http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/118742-configure-ise-00.html
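The per-user VLAN assignment Philip describes is carried in the RADIUS Access-Accept that the AAA server (ISE in his proposal) returns to the controller. The block below is an added example written for this page; it is not code from the thread, from Cisco's documentation or from ISE. It encodes and parses the three tunnel attributes that RFC 2868 and RFC 3580 define for VLAN assignment (Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-ID = the VLAN id), and then applies the check a receiving site would want: the VLAN the server names must be one that actually exists as a guest VLAN at that branch. The VLAN numbers (110, 120) and the per-site allow-list are constructed values, and the receiving-side check is an assumption about how such an override should be validated, not a description of WLC or ISE behaviour.

```python
"""
Added example (not from the thread, Cisco's documentation or ISE): how a RADIUS
server signals a per-user VLAN in an Access-Accept, and how the receiving side
can validate it. Attribute layout follows RFC 2868 / RFC 3580. VLAN ids and the
per-site allow-list are constructed values.
"""
from __future__ import annotations

import struct
from typing import Optional

# RADIUS attribute type codes (RFC 2868) and the values that, together,
# mean "assign this session to VLAN <n>" (RFC 3580 section 3.31).
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6


def _avp(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as Type(1) | Length(1, header included) | Value."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def encode_vlan_override(vlan_id: int, tag: int = 1) -> bytes:
    """Build the three tagged attributes a RADIUS server returns to assign a VLAN."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN id out of range")
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0x00 (unused) or 0x01..0x1F")
    # Tunnel-Type and Tunnel-Medium-Type: 1-byte tag followed by a 3-byte integer.
    tunnel_type = _avp(TUNNEL_TYPE, bytes([tag]) + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
    medium = _avp(TUNNEL_MEDIUM_TYPE, bytes([tag]) + TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big"))
    # Tunnel-Private-Group-ID: 1-byte tag followed by the VLAN id as an ASCII string.
    group = _avp(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan_id).encode("ascii"))
    return tunnel_type + medium + group


def parse_avps(blob: bytes) -> list[tuple[int, bytes]]:
    """Split an attribute blob into (type, value) pairs; reject malformed lengths."""
    out, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        attr_type, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError("bad attribute length")
        out.append((attr_type, blob[i + 2:i + length]))
        i += length
    return out


def vlan_from_access_accept(blob: bytes) -> Optional[int]:
    """Return the VLAN an Access-Accept assigns, or None if no consistent triple exists.

    All three attributes must share one tag, Tunnel-Type must be VLAN(13) and
    Tunnel-Medium-Type must be IEEE-802(6); anything else is ignored.
    """
    per_tag: dict[int, dict[int, bytes]] = {}
    for attr_type, value in parse_avps(blob):
        if attr_type not in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID) or not value:
            continue
        if attr_type == TUNNEL_PRIVATE_GROUP_ID and value[0] > 0x1F:
            # RFC 2868: a leading byte above 0x1F is part of the string, not a tag.
            tag, body = 0, value
        else:
            tag, body = value[0], value[1:]
        per_tag.setdefault(tag, {})[attr_type] = body
    for attrs in per_tag.values():
        if set(attrs) != {TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID}:
            continue
        if len(attrs[TUNNEL_TYPE]) != 3 or int.from_bytes(attrs[TUNNEL_TYPE], "big") != TUNNEL_TYPE_VLAN:
            continue
        if len(attrs[TUNNEL_MEDIUM_TYPE]) != 3 or int.from_bytes(attrs[TUNNEL_MEDIUM_TYPE], "big") != TUNNEL_MEDIUM_IEEE_802:
            continue
        group = attrs[TUNNEL_PRIVATE_GROUP_ID]
        if group.isdigit() and 1 <= int(group) <= 4094:
            return int(group)
    return None


def apply_guest_override(blob: bytes, site_guest_vlans: set[int]) -> int:
    """Accept the server's VLAN only if this site actually offers it as a guest VLAN."""
    vlan = vlan_from_access_accept(blob)
    if vlan is None:
        raise ValueError("Access-Accept carries no usable VLAN assignment")
    if vlan not in site_guest_vlans:
        raise ValueError(f"server assigned VLAN {vlan}, which is not a guest VLAN at this site")
    return vlan


if __name__ == "__main__":
    # Constructed values: VLAN 120 is the post-login guest VLAN at one branch.
    accept = encode_vlan_override(120)
    print(accept.hex())
    print(apply_guest_override(accept, {110, 120}))
```

The allow-list check is the part that matters for the setup in the question: with guest VLANs that exist only at each subsidiary, a central server can name any VLAN id, but the id is only usable where that VLAN is actually present locally, so the receiving side should confirm this before moving the client rather than trusting the Access-Accept blindly.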

Thanks for your answer. Yes, I'm talking about a WLC solution.

I think your proposal is not the solution for us. First of all, I need two VLANs in this solution and the first VLAN must be routed to the headquarters, which is not very nice. Second, the VLAN change is not acceptable.

This is a similar option to the VLAN change configured for the Guest Portal in ISE Version 1.2. It allows you to run activeX or a Java applet, which triggers DHCP to release and renew. This is needed when CoA triggers the change of VLAN for the endpoint. When MAB is used, the endpoint is not aware of a change of VLAN. A possible solution is to change VLAN (DHCP release/renew) with the NAC Agent. Another option is to request a new IP address via the applet returned on the web page. A delay between release/CoA/renew can be configured. This option is not supported for mobile devices.

ActiveX or Java applet, really!? This solution will never work on hundreds of different guest devices...

PERI_Admin
Level 1
Other thoughts?

PERI_Admin
Level 1

Really no other solution here?

PERI_Admin
Level 1

We didn't manage to do the split tunneling solution.

After a short discussion we decided to go with routed guest networks in each subsidiary. This solution is very simple to implement and is more reliable than do-it-yourself solutions ;-)
