I am looking for the best practice of securing an internet-only SSID on the controller. Would I use ACLs on the controller for that SSID or on the pertinent interfaces to keep guest traffic from accessing networks that it shouldn't?
I dedicated one port on the WLC to the guest WLAN, and plugged that port directly into the DMZ interface on my ASA (for security reasons, make sure there is nothing else using this DMZ...only your guest WLAN).
The DMZ interface on the ASA is the gateway for the guest WLAN, and the WLC is serving DHCP for the guest WLAN.
To make for-darn-sure that guest traffic won't make it to the other WLANs I put ACLs in place, blocking traffic between the guest WLAN and the internal WLANs. I also put ACLs on the ASA blocking traffic between this DMZ interface and the outside interface on the ASA, so as to prevent guest users from trying to go out the DMZ and back in the outside interface.
There are more ways to do it, but this is the basic configuration that I've got. Seems to work pretty well so far.
Of course you'll still have to decide what security mechanism you want to use to manage access to your guest wireless network.
1. Create access lists on the controller which restrict the guest SSID only to the DMZ resources such as the guest-only DNS server and webserver. The access lists should be bidirectional.
2. If you have incorporated a RADIUS server such as Cisco ACS, make sure that you set up access restrictions between the guest IP range (including the anchor controller) and your corporate subnets.
3. Make sure that the guest SSID is not mapped to the management interface but to another dynamic interface. This prevents the guest clients from picking up corporate IP addresses when the tunnel to the anchor controller fails.
I take it that you have already set up your guest access, however you can reference the link below, as it describes how to create ACLs on the controller:
The way I did it, I didn't use an anchor controller...forgot to mention that. I only have one 2504 controller. Of course setting up an anchor is better if you've got one.
The guest traffic will be encapsulated in CAPWAP, thus putting the guest data onto the internal VLAN which the APs use to communicate with the WLC. The WLC then strips the CAPWAP header and processes the guest traffic appropriately, forwarding it to the appropriate gateway as necessary. This being the case, the guest traffic is making its way onto the internal LAN while being sent from the AP to the WLC. Given that the guest traffic is encapsulated in CAPWAP, I don't think this poses a security risk (allowing the guest traffic onto the internal VLAN via CAPWAP), does it?
I forgot also to mention that I have a dedicated VLAN for WLC <--> AP traffic. ACLs are applied to this VLAN so that no other traffic is allowed in or out.
In the absence of an anchor controller, this is the best way I can see to do it.
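One way to write the bidirectional controller ACL from step 1 above on an AireOS WLC, as an added example that is not from this thread. The ACL name GUEST-ONLY, the WLAN id and every address are assumed, and the lines starting with `!` are explanatory annotations rather than WLC commands, so drop them before pasting.

```cisco
! Added example, not from this thread: guest WLAN ACL on an AireOS WLC CLI.
! Assumed addressing: guest clients 192.0.2.0/24, guest-only DNS 198.51.100.10 in the DMZ,
! guest WLAN id 3. "in" = traffic from the wireless client, "out" = traffic toward the client.
! WLC ACLs are first-match with an implicit deny at the end, so rule 5 is needed for internet access.
config acl create GUEST-ONLY
! Rules 1-2: guest <-> DMZ DNS (UDP/53). Return traffic needs its own "out" rule;
! a single "any"-direction rule with fixed source/destination does not match the replies.
config acl rule add GUEST-ONLY 1
config acl rule source address GUEST-ONLY 1 192.0.2.0 255.255.255.0
config acl rule destination address GUEST-ONLY 1 198.51.100.10 255.255.255.255
config acl rule protocol GUEST-ONLY 1 17
config acl rule destination port range GUEST-ONLY 1 53 53
config acl rule direction GUEST-ONLY 1 in
config acl rule action GUEST-ONLY 1 permit
config acl rule add GUEST-ONLY 2
config acl rule source address GUEST-ONLY 2 198.51.100.10 255.255.255.255
config acl rule source port range GUEST-ONLY 2 53 53
config acl rule destination address GUEST-ONLY 2 192.0.2.0 255.255.255.0
config acl rule protocol GUEST-ONLY 2 17
config acl rule direction GUEST-ONLY 2 out
config acl rule action GUEST-ONLY 2 permit
! Rules 3-4: block the corporate 10.0.0.0/8 space in both directions (this also covers the
! WLC management and anchor subnets if they live there). Repeat for 172.16.0.0/12 and 192.168.0.0/16.
config acl rule add GUEST-ONLY 3
config acl rule destination address GUEST-ONLY 3 10.0.0.0 255.0.0.0
config acl rule direction GUEST-ONLY 3 in
config acl rule action GUEST-ONLY 3 deny
config acl rule add GUEST-ONLY 4
config acl rule source address GUEST-ONLY 4 10.0.0.0 255.0.0.0
config acl rule direction GUEST-ONLY 4 out
config acl rule action GUEST-ONLY 4 deny
! Rule 5: everything else (the internet via the ASA DMZ gateway) is allowed.
config acl rule add GUEST-ONLY 5
config acl rule direction GUEST-ONLY 5 any
config acl rule action GUEST-ONLY 5 permit
! Commit the ACL and bind it to the guest WLAN.
config acl apply GUEST-ONLY
config wlan disable 3
config wlan acl 3 GUEST-ONLY
config wlan enable 3
! Verify: "show acl detailed GUEST-ONLY" lists the rules; "show wlan 3" shows the ACL binding.
```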