I’m looking to get some clarification/design guidance around the different methods by which guest access (wired and wireless) can be provisioned in a Cisco infrastructure. There are several methods that can provide this, that I’m aware of:
1) via a wireless anchor controller in the DMZ, which can actually provide Internet-only access to both wired and wireless clients.
2) via the Secure Access Control Server/System (ACS), whereby you can define “guest” access to be limited to whatever you want
3) via the NAC Guest Access Server (which is the solution I’m least familiar with)
I’m currently researching an ACS project, where they are looking to provide centralized AAA, but ALSO restricted access to wired and wireless clients based on AD authentication. ACS appears capable of all of this, so I’m trying to determine how/if the other solutions would fit in, and what additional benefit they would provide if supplementing the ACS solution? (I’ve also seen Cisco security docs where they indicate the NAC Guest Access Server as a solution that can be deployed alongside ACS, so again, I’m trying to determine the boundaries and limitations of each guest access solution.)
So, benefits/weaknesses/recommendations and integration benefits of each of the guest solutions above – links to docs/presos are appreciated, of course. I don’t mind doing the reading…
I'll just talk to the NAC guest server side. In essence, it can be used as a RADIUS server for WLCs and other devices (here's a config of how to do it with WLC, for example: http://www.cisco.com/en/US/products/ps6366/products_tech_note09186a00809d6b9a.shtml). The "extra" part of it is that it gives you a web portal for authenticated sponsors to create these guest accounts (with time limits and as much information about the guest user as you wish) and, via syslogging, track what those guest users are accessing. You can also allow guests to self-register themselves, via a hotspot. You would still need some kind of network enforcement device (WLC) to direct those users to a captive portal (which could be on the device or on the guest server). Here's the introduction to the NGS, which pretty much says the same thing as me, except much more nicely: http://www.cisco.com/en/US/docs/security/nac/guestserver/configuration_guide/20/g_intro.html#wp1060656