Cisco Support Community

New Member

Shared Wireless

Hi

4 companies would like to share a wireless setup in the same tower; some floors would be shared.

Each company will manage its own infrastructure except wireless & ISE, and avoid duplication of access points and wireless setup.

Any suggestions?

Thanks, and appreciate your help.

CP

8 REPLIES
Hall of Fame Super Silver

Re: Shared Wireless

Anything can be done, but you need more information to determine if what you plan on doing will work. The main thing that you need to define is how users will authenticate. Since you're not going to use Active Directory, are you planning on using pre-shared key or self-registration? How will you prevent users from accessing the other companies' network? More info is required to really see if this will work or not. Determine how users will authenticate and how you will prevent users from accessing, or how they will access, their company resources.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***
New Member

Shared Wireless

Thanks for your reply, Scott. I should have mentioned that 4 companies means 4 affiliates of the same group. Each affiliate has separate IT operations in a different location. Soon all 4 affiliates will be in the same tower.

Each affiliate wants to integrate its Active Directory for wireless authentication. Guests can be on the local Wireless Controller database. Wireless management will be handled by one of the affiliates with strong skills. There is also consideration to share the DC core if necessary for shared wireless.

Didn't find any CVD similar to our needs.

Hall of Fame Super Silver

Re: Shared Wireless

The big challenge you will have is the integration of Active Directory. If using 802.1x, either you have to migrate to one AD or you would have to tie all 4 into one parent AD. The only option for you if this can't be accomplished is pre-shared key (WPA2/AES PSK). 802.1x is really the way to go as long as the RADIUS server you use can look up the groups from the various affiliates' AD domains.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***
New Member

Re: Shared Wireless

Scott,

Please do clarify whether ISE from Cisco helps in our scenario.

Can ISE communicate with 4 different AD boxes in different forests and fulfill the requirement of shared wireless using 802.1x authentication?

VIP Purple

Re: Shared Wireless

Hi Cisco Plus,

Cisco ISE supports integration with a single Active Directory identity source. Cisco ISE uses this Active Directory identity source to join itself to an Active Directory domain. If this Active Directory source has a multidomain forest, trust relationships must exist between its domain and the other domains in order for Cisco ISE to retrieve information from all domains within the forest.

However, you may create multiple instances for LDAP. Cisco ISE can communicate via LDAP to Active Directory servers in an untrusted domain. The only limitation you would see with LDAP being a database is that it doesn't support PEAP MSCHAPv2 (native Microsoft supplicant). However, it does support EAP-TLS.

For more information you may go through the link listed below:

http://www.cisco.com/en/US/solutions/collateral/ns340/ns414/ns742/ns744/docs/howto_45_multiple_active_directories.pdf

As per sources...

Till now ISE supports only one AD, but multiple AD will be supported in the ISE 1.3 release, which will be released in the first quarter of 2014.

Regards

Don't forget to rate helpful posts

Hall of Fame Super Silver

Re: Shared Wireless

As long as there is a trust between the AD environments you can get this to work. I have seen companies do this when they acquire other companies, but if you're asking me how to do that piece... Don't know :). Any RADIUS will tie into one AD and must be able to send a lookup to that AD. The parent AD, if there is a trust, should be able to look up the other ADs in the forest. I'm not a Microsoft AD specialist, but some of my clients who I have worked on projects with were, and were able to get that to work.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***
Silver

Re: Shared Wireless

If there is a trust relationship in Active Directory, ISE is a good option, as you would have a centralized point of control for everyone and you can implement the security and policies as desired.

New Member

Re: Shared Wireless

Maybe not so elegant, but could work.

Every company has their own Microsoft NPS server for their AD domains.

In the wireless controller, add RADIUS Authentication and Accounting servers (NPS) for each company. The companies' NPS servers must be reachable from the controller on the ports needed (often used 1645 and 1646). Create routing in the routers and openings for the ports in every company's firewalls.

Make controller interfaces for each company's wireless VLAN and make WLANs tied to them. In the security settings and AAA Servers tab for each WLAN, you select the company's NPS servers for Authentication and Accounting.
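
Added example, not part of any post in this thread: a small Python audit of the per-company NPS design described in the last reply, checking that each WLAN references only its own company's RADIUS servers and VLAN before the plan is entered on the controller. All company names, SSIDs, addresses, VLAN IDs and secret labels are constructed placeholders; the ports are the ones quoted in the reply.

```python
from collections import defaultdict

# Constructed plan. index: (owner company, NPS IP, auth port, acct port, secret label)
RADIUS_SERVERS = {
    1: ("A", "10.10.0.5", 1645, 1646, "secret-A"),
    2: ("B", "10.20.0.5", 1645, 1646, "secret-B"),
    3: ("C", "10.30.0.5", 1645, 1646, "secret-B"),  # reuses B's shared secret
    4: ("D", "10.40.0.5", 1645, 1646, "secret-D"),
}
# (company, SSID, VLAN, auth server indexes, acct server indexes)
WLANS = [
    ("A", "corp-a", 110, [1], [1]),
    ("B", "corp-b", 120, [2], [2]),
    ("C", "corp-c", 120, [3], []),      # VLAN clash with B, no accounting
    ("D", "corp-d", 140, [4, 1], [4]),  # second auth server belongs to A
]

def audit(servers, wlans):
    """Return a list of isolation problems in a shared-controller plan."""
    findings = []
    vlan_owner = {}
    for company, ssid, vlan, auth, acct in wlans:
        # A WLAN must only ever send credentials to its own company's NPS.
        for idx in auth + acct:
            owner = servers[idx][0]
            if owner != company:
                findings.append(f"{ssid}: uses RADIUS server {idx} owned by company {owner}")
        if not auth:
            findings.append(f"{ssid}: no authentication server")
        if not acct:
            findings.append(f"{ssid}: no accounting server")
        # One VLAN per company keeps client traffic on separate interfaces.
        prev = vlan_owner.setdefault(vlan, company)
        if prev != company:
            findings.append(f"{ssid}: VLAN {vlan} already assigned to company {prev}")
    # A secret known to two companies lets either impersonate the controller.
    by_secret = defaultdict(set)
    for owner, _ip, _auth_port, _acct_port, secret in servers.values():
        by_secret[secret].add(owner)
    for owners in by_secret.values():
        if len(owners) > 1:
            findings.append(f"shared RADIUS secret across companies {sorted(owners)}")
    return findings

if __name__ == "__main__":
    for line in audit(RADIUS_SERVERS, WLANS):
        print(line)
```
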
