Just wanted to know if this will work or not...
I was looking at a design from a client and they had two CAM and CAS plus a Guest server. My client wants to use the equipment above for guest access. The problem I'm having is that I'm building a wireless network with guest anchor WLC's in the DMZ. So my wireless users will be tunneled to the DMZ controller. Also, the WLC can have a splash page uploaded to it and also authenticate users locally in the DB. They don't want any remediation, just authentication.... is this a waste of money or would would actually implement this?
Currently I am deploying NAC Guest Server with Anchor Controller for one of mine customers. Also I have done some labs with NAC Guest Server (you can put it on VmWare).
NAC G Srv. with Anchor controller is recommended by Cisco.
Why are You claim that this is waste of money ? Maybe I do not understand what are you trying to accomplish. Could You clear what You are asking for ?
Well my client does not want to do any remediation. Just a splash page and authenticate users. DHCP i guess can be done on either onI can do that on the guest wlc. Also since the guest wlc will be in the dmz, the guest nac server will have to be in the dmz also. So now how is that device going to communicate with the 2 CAS SRV located in the internal network. I would have to open up the FW.
I guess I want to know what this buys me and how then would it be Designed to Cisco's best practice.
Thanks for the input.
NAC Guest server (I will use NGS shortcut) is Radius. In my opinion NGS should not stay in the same DMZ as Anchor WLC. Anchor WLC opens connection to NGS. Only this ports are use: 1812 (authentication) and 1813 (accounting - timeout for user guests). Rest NGS connections go from/to dns, ntp, ldap, http/https (Sponsors, Admins), smtp (login/password sending). So you can put it in MGTM server area or separate DMZ (more rules on firewall).
I think that remediation requirment should be compared to customer security policy.
As far as I know You have to add new CAS in anchor wlc DMZ if you want use NAC Appliance:
In my opinion usually Guest users laptops are unmanageable (but it can be handle by NAC App). However, why fight with them ? They can not use guest WLAN (you can add additional ACL) until a sponsor will give them guest account. Also guest network is logically separate from production network.
I have not see any design guide connected with Wireless and NGS. Only this:
I will take a look at the links later when I get back home. So really bottom line it will be acting as a radius server.
Yeah a lot of people are confused by this name - NAC Guest Server. This product has nice http/s fronted, Linux Fedora and...
Okay, so basically I would just setup my wireless guest ssid to open and have the guest wlc setup for DHCP... no webauth. Then I setup the NGS like a radius server in which that will have the splash page and user accounts. I would then place a rule in the FW to allow 1812 and 1813 if accounting will be used to an from the NGS and the dmz WLC. The CAS and CAM will be located in the internal network. Since they don't want to do any remediation, the NGS will only be communicating with the CAS. Sounds right?
As far as I know there is no splash page on NGS. It can be on WLC or external server.
Look few post above. There is step by step guide for NGS and WLC.
But in short. Steps to configure NGS with anchor controller:
- connect anchor with foreign controller trough mobility group(EoIP)
- On anchor and foreign controller set exactly same: Guest SSID, ssid broadcast/no broadcast, Web auth L3 security, QOS (bronze?), no L2 security, optionally peer-to-peer blocking
- On anchor controller in global Security add NGS radius server (authentication and accounting), add new dynamic interface (guest vlan), set guest vlan in guest WLAN, set NGS in guest WLAN (Security/AAA servers)
- On foreign controller set MGT vlan in Guest WLAN
On firewall add rule to allow connection (1812 1813) from WLC (dmz) to NGS (mgt)
NGS do not have to communicate with CAS or CAM
Hope this help and was clear enough this time :-)
Another quick question.... Is this possible:
I will configure the guest anchor to issues dhcp and hold the splash page. The NGS will authenticate username and passwords from the local DB. Now the client wants to plase the cas in the dmz also, but for now they don't want to do any remediation. So now I will have to bridge the traffic from the wlc to the internet switch. Now what ports do I need to have pen for the CAM to communicate with the CAS. I know that the CAS has a web login page, but I would like to create a custom webauth on the wlc. Also I will have a 3rd party cert loaded on the guest wlc to get rid of the certificate error message. Can you create a custom webauth page on the CAS and can you also install a cert to get rid of the certificate error message?
Just trying to see what I can do so the cas is not just being used for nothing.
Sorry I was out of office and I do not see you replay.
Ports need for cas cam comunication
CCA Version Required Ports
4.0(x) TCP ports 443, 1099, and 8995~8996
3.6(x) TCP ports 80, 443, 1099, and 8995~8996
3.5(x) TCP ports 80, 443, 1099, and 32768~61000 (usually 32768~32999 are sufficient).
Yes you can customize login page and yes you can add your cert to cas. Look at:
I hope that was help.
I've some (very) basic questions.
Let's say guest vlan = x
1)vlan x should be created on the foreign controllers as on the anchor controller, with the same properties
2)on the anchor controller a dynamic interface has to be created acting as default gateway for the guest clients.
3)it's advised to place the guest server in the guest vlan? Eg. Somewhere in the server farm?
4)Once traffic coming from the guests is arrived at the anchor controller. (I know to less of WLC ;)) Will it forwarded with as source IP, the IP of the anchor controller towards the anchor default gateway (firewall or internet router?)
4)authentication: user connect to SSID guest and opens a browser. The user is redirected and a login page is displayed. Is this page downloaded from the anchor controller? I think it is and pushed via WCS. So Guest NAC server has nothing to deal with this page? Correct?
The anchor controller polls the nac guest server with the given credentials. Anchor controller forwards the credentials to the NAC guest server. The NGS replies with authenticated or not. If authenticated. The guest can browse. Probably on regular base, the anchor controller will poll the NAC guest in order to check if he's still authenticated and if enabled pass information to the NAC guest for accounting. Is this somehow ok?
I've found to open the following ports in the firewall:
UDP 97 for EoIP
UDP 16666 for intercontroller traffic
and 1812/1813 for Radius.
Thanks in advance