I am looking to give my users full access to the production network, but give vendors without credentials access only to the Internet. Unfortunately, a lot of our internal web content is wide open, and management is concerned that vendors could get access to these websites.
Is there a way to route a vendor directly out to the Internet without exposing any internal resources? I realize there are details to address, such as name resolution and IP addressing, but let's put those aside for a minute and just focus on securing a route out.
PS: now that I think about it, I could create a VLAN and attach it to an interface outside our Internet-facing firewall, but is there another way?
There are several possibilities depending on the type of equipment in place.
On a router you could use policy routing to send traffic from specific source IPs out a specific interface. This approach is not among the most scalable ones. From a security point of view it is somewhat cumbersome, because PBR will only work if the outgoing interface is available. If it is not, normal IP routing kicks in again and all users will be treated the same.
You could use a firewall to sort out the privileges. Placing the less privileged users in a separate VLAN would be one option, IF you can make sure they cannot access other VLANs. 802.1X could be one way to assure proper VLAN placement of users.
Generally I would recommend using a firewall in a security-relevant environment. That's, after all, one purpose a firewall has been built for.
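The fallback problem described in the answer above (PBR silently reverting to the routing table when the guest next hop is unavailable) can be closed on IOS by giving the route-map a fail-closed second set clause. The following is an added example, not configuration from the original thread; interface names, VLAN numbers and all addresses (guest subnet 192.168.200.0/24, guest uplink next hop 203.0.113.1, source interface GigabitEthernet0/1) are assumptions chosen for illustration.

```cisco
! Guest VLAN terminates on an SVI (or dot1q subinterface) and gets the policy
interface Vlan200
 description Vendor/guest VLAN (assumed numbering)
 ip address 192.168.200.1 255.255.255.0
 ip policy route-map GUEST-TO-INTERNET
!
! Classify on source address: everything coming from the guest subnet
ip access-list extended GUEST-SRC
 permit ip 192.168.200.0 0.0.0.255 any
!
! Probe the guest uplink next hop so "reachable" means alive, not merely
! present in the routing table (plain "set ip next-hop" only checks the latter)
ip sla 1
 icmp-echo 203.0.113.1 source-interface GigabitEthernet0/1
 frequency 10
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
!
! IOS evaluates "set ip next-hop" before "set interface". If the tracked next
! hop is down, the second clause sends guest traffic to Null0 instead of
! letting it fall through to the global routing table and the internal LAN.
route-map GUEST-TO-INTERNET permit 10
 match ip address GUEST-SRC
 set ip next-hop verify-availability 203.0.113.1 10 track 1
 set interface Null0
!
! Optional: do not announce the blackhole to guests with ICMP unreachables
interface Null0
 no ip unreachables
```

Check it with `show route-map GUEST-TO-INTERNET` (policy matches count up) and `show track 1` after shutting the uplink: traffic from the guest VLAN should then stop at Null0 rather than appearing on internal segments. Note that this only fails closed for traffic that enters through the policy-routed interface; it does nothing for hosts that manage to attach to a different VLAN.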
I am going through this exact scenario. Be forewarned that the way DHCP works with the 4400 controllers leaves a lot to be desired. We are trying to have a guest WLAN cordoned off with an ASA, but the way the ASA handles non-broadcast DHCP traffic is to drop it, and there is no workaround according to TAC. We are now looking at ACLs on the WLAN, but we don't feel super secure doing that. If anyone has suggestions I would love to hear them. Thanks.
Something similar to what you've described. Create another dynamic interface (VLAN) and create a WLAN (SSID) just for your vendors.
The other method, and this is what we're considering, is using a smaller (older) controller (4101 or 4024) and anchoring (Mobility Anchor) the WLAN on that controller. We'd place this controller outside our firewall. The controllers set up GRE tunnels between themselves (this happens automagically when you place them in mobility groups), so the traffic would essentially be tunneled outside of your local network and dropped off outside of your firewall.
This is a relatively new feature, only since the 3.2 release train of code.
By far the easiest and most secure way I've found to do this is to purchase a DSL connection, stick a small firewall on it (PIX 505), and create a VLAN with this router to the DSL as the gateway. Create this VLAN on your access points and broadcast your SSID (or not). This gives vendors access to the Internet and doesn't compromise your network at all. This is not the cheapest solution, however.
Maybe this won't work for your setup, but I have just completed a full-scale install with 1121, 1130, 1231 and 1310 radios managed by a WLSE. I used a Cisco switch to connect the APs and trunked them so there are separate VLANs, then terminated them onto a dot1q trunk to a 2621XM router. I then firewalled the router so one VLAN can't see the other, and set up WPA authentication for the Guest SSID, LEAP for the Voice network and the management network, and for their internal network I am going to be setting up Active Directory authentication through the WLSE. The guests can get out onto the Internet but can't get anywhere else on the LAN. I restricted it to data only, no voice QoS on that VLAN either, and the 2621XM controls all QoS so a guest can overrun the voice VLAN.
If your router supports 802.1q trunking and you have a fairly recent Cisco switch, trunk into the AP, then set up VLANs for guest access to the Internet and put an ACL on the interfaces to control who goes where.
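The trunk-and-ACL design in the post above, worked through as an added example (not the poster's configuration): a router terminates the 802.1q trunk on subinterfaces, and the guest subinterface carries an inbound ACL that lets guests bootstrap with DHCP, blocks all RFC 1918 space (which is where the internal web servers and the other VLANs live), and forwards everything else toward the Internet. Interface names, VLAN IDs and the addresses 10.10.10.0/24 (internal) and 192.168.20.0/24 (guest) are assumptions for illustration.

```cisco
! Physical trunk port from the switch; each VLAN becomes a dot1q subinterface
interface FastEthernet0/1
 no ip address
!
interface FastEthernet0/1.10
 description Internal user VLAN (assumed)
 encapsulation dot1Q 10
 ip address 10.10.10.1 255.255.255.0
!
interface FastEthernet0/1.20
 description Guest VLAN (assumed)
 encapsulation dot1Q 20
 ip address 192.168.20.1 255.255.255.0
 ip access-group GUEST-IN in
!
ip access-list extended GUEST-IN
 remark -- Let unconfigured clients obtain a lease (source 0.0.0.0, dest broadcast)
 permit udp any eq bootpc any eq bootps
 remark -- If this router is also the guests' DNS proxy, allow that explicitly
 remark -- here, before the private-space denies; otherwise omit the next line
 permit udp 192.168.20.0 0.0.0.255 host 192.168.20.1 eq domain
 remark -- Guests may not reach any private address space, i.e. other VLANs,
 remark -- the internal web servers, and the router's own inside addresses
 deny   ip 192.168.20.0 0.0.0.255 10.0.0.0 0.255.255.255 log
 deny   ip 192.168.20.0 0.0.0.255 172.16.0.0 0.15.255.255 log
 deny   ip 192.168.20.0 0.0.0.255 192.168.0.0 0.0.255.255 log
 remark -- Anything else sourced from the guest subnet is Internet-bound
 permit ip 192.168.20.0 0.0.0.255 any
 remark -- Implicit deny at the end also drops spoofed (non-guest) source addresses
```

Two checks worth running once this is in place: from a guest client, confirm that an internal web server answers neither by IP nor by name, and `show ip access-lists GUEST-IN` should show the deny counters climbing while the log entries name the offending source. The ACL is only as good as the VLAN boundary beneath it, so the switch ports facing guests should be access ports in VLAN 20 with no trunking allowed, otherwise a client that tags its own frames bypasses the filter entirely.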