Cisco Support Community
Community Member

Secure Guest wifi using WPA2

A couple of years ago I asked if it was possible to connect 2 separate networks by using a guest anchor controller (https://supportforums.cisco.com/message/1309100).

The idea being we can replicate the other network's wifi settings over our wireless infrastructure without the need of installing a second wave of access points just to provide a new SSID, and allowing us the freedom and flexibility to deploy this 2nd network where needed.

We need to use WPA/WPA2 with radius authentication with the radius server living on the second network.

We already have a DMZ between the two networks and are planning to put the anchor controller on the DMZ.

Has anyone tried this sort of configuration and can offer any tips?

regards,

Adam

3 REPLIES
Cisco Employee

Secure Guest wifi using WPA2

Correct me if I am wrong.

As I understand it, you are trying to have two controllers, one with APs connected and the other without APs located in the DMZ. You want to define a WLAN on both controllers and have the traffic of clients connected to that certain WLAN tunneled back to the DMZ controller for further filtration.

You are talking about WPA with RADIUS, so you mean WPA Enterprise?

Which means you are talking about L2 security measures.

If you are thinking of having the DMZ controller responsible for the L2 authentication described above, that is not going to happen, because everything on L2 is handled on the internal Foreign, not the DMZ.

If you mean that you want to have WPA PSK with Web auth, in that case it will work and the web authentication will be handled on the DMZ, as web auth is an L3 security measure.

Regards

---------------------------------------------------------------------------

Please make sure to rate correct answers

Community Member

Secure Guest wifi using WPA2

Correct me if I am wrong.

As I understand it, you are trying to have two controllers, one with APs connected and the other without APs located in the DMZ. You want to define a WLAN on both controllers and have the traffic of clients connected to that certain WLAN tunneled back to the DMZ controller for further filtration.

Correct

You are talking about WPA with RADIUS, so you mean WPA Enterprise?

Correct

Which means you are talking about L2 security measures.

If you are thinking of having the DMZ controller responsible for the L2 authentication described above, that is not going to happen, because everything on L2 is handled on the internal Foreign, not the DMZ.

That's what I'm getting :<

If you mean that you want to have WPA PSK with Web auth, in that case it will work and the web authentication will be handled on the DMZ, as web auth is an L3 security measure.

No, it's L2 we are trying to achieve.

Regards

Many thanks for taking the time to reply. I think the solution might have to be to somehow get our internal ACS radius server to proxy requests to the remote radius server, and do it that way.

Cisco Employee

Secure Guest wifi using WPA2

Yep

I hope the info has been informative for you.

Regards

---------------------------------------------------------------------

Please don't forget to rate correct answers
