New Member

Guest Access Secure Enough?

Equipment: 2106 controller, 1131AG, WCS 5.1.151

Internal users: Connect to 192.168.x.x network as normal wired users would. Authenticate through a radius server connected to AD. WPA2 used. Vlan1

Guest Users: Connect to controller through web-auth, DHCP on controller, Vlan2

ACL Guest rules (In sequence):

1. Permit SourceIP 0.0.0.0 / 0.0.0.0 Destination IP 192.168.1.5/255.255.255.255 (firewall)

2. Deny SourceIP 0.0.0.0 / 0.0.0.0 Destination IP 192.168.0.0/255.255.0.0

3. Permit SourceIP 0.0.0.0 / 0.0.0.0 Destination IP 0.0.0.0 / 0.0.0.0

I understand that the suggested method for the guest Wlan is to be in the DMZ on a separate controller. As each location has its own firewall/internet connection I find this solution expensive, an administrative nightmare, and probably overkill. My question is: Is my guest access secure enough with web-auth, separate vlan, and the access control list?
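The three guest ACL rules listed in the question can be checked by evaluating them first-match, in sequence. The sketch below is an added example, not part of the original thread or any Cisco tooling. It assumes first-match evaluation with an implicit deny at the end, models only the IP matching the post lists (no protocol or port), and uses constructed guest and probe addresses.

```python
import ipaddress

# Guest ACL as posted in the question: (action, source, destination),
# each written address/netmask the way the post lists it.
GUEST_ACL = [
    ("permit", "0.0.0.0/0.0.0.0", "192.168.1.5/255.255.255.255"),  # firewall
    ("deny",   "0.0.0.0/0.0.0.0", "192.168.0.0/255.255.0.0"),
    ("permit", "0.0.0.0/0.0.0.0", "0.0.0.0/0.0.0.0"),
]

def parse_acl(rules):
    """Convert address/netmask strings into ipaddress network objects."""
    return [(action, ipaddress.ip_network(src), ipaddress.ip_network(dst))
            for action, src, dst in rules]

def evaluate(acl, src, dst):
    """Return (action, rule number) of the first matching rule.
    Assumption: no match means implicit deny, reported as ("deny", None)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for number, (action, src_net, dst_net) in enumerate(acl, start=1):
        if s in src_net and d in dst_net:
            return action, number
    return "deny", None

def shadowed_rules(acl):
    """Rule numbers that can never match because an earlier rule already
    covers their whole source and destination range."""
    hidden = []
    for j, (_, src_j, dst_j) in enumerate(acl):
        for _, src_i, dst_i in acl[:j]:
            if src_j.subnet_of(src_i) and dst_j.subnet_of(dst_i):
                hidden.append(j + 1)
                break
    return hidden

if __name__ == "__main__":
    acl = parse_acl(GUEST_ACL)
    guest = "10.20.2.50"  # constructed guest client address
    # Constructed probe destinations covering each rule.
    for dst in ("192.168.1.5", "192.168.1.10", "192.168.200.7",
                "10.0.0.5", "203.0.113.10"):
        print(dst, evaluate(acl, guest, dst))
    print("shadowed:", shadowed_rules(acl))
    # Same rules with the deny moved first: the firewall permit never matches.
    swapped = parse_acl([GUEST_ACL[1], GUEST_ACL[0], GUEST_ACL[2]])
    print("shadowed if deny comes first:", shadowed_rules(swapped))
```

With the posted order no rule is shadowed; private ranges outside 192.168.0.0/16 fall through to rule 3, so the deny rule has to cover every internal range actually in use.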

5 REPLIES
Hall of Fame Super Silver

Re: Guest Access Secure Enough?

I personally don't like to use the ACL feature on the WLC. Why not create ACLs on the L3 interface of VLAN 2 to deny the guest network access to the internal network? If you have a different internet connection for guest, you can use one of the available ports for the guest traffic. This is specified in the interface you create for guest. If you have one internet connection, then create ACLs on the L3 switch.

-Scott
*** Please rate helpful posts ***
New Member

Re: Guest Access Secure Enough?

Why/What don't you like on WCS ACL? Does adding the ACL to the VLAN as a secondary precaution create enough security (plus the web-auth)? Also, I don't have another internet connection.

Hall of Fame Super Silver (Accepted Solution)

Re: Guest Access Secure Enough?

The reason why I don't like setting up ACLs on the WLC is that it really doesn't work as well, depending on your rules. ACLs are better managed on the L3 interface.

-Scott
*** Please rate helpful posts ***
New Member

Re: Guest Access Secure Enough?

I had to double check with one of Cisco's engineers and he came up with the same solution. Thanks for your help!

New Member

Re: Guest Access Secure Enough?

If you have a guest internet DMZ in place, you can simply connect one of the physical distribution ports to the DMZ, and have the guest WLAN pointing to that interface.
