Guest Wireless Security - ASA/WCS/WLC/LWAP/Switch


I've been tasked with adding guest wireless access to our network using WCS to control our WLCs which control our LWAPs. I am familiar with the mobility anchor / WLC in the DMZ topology. However, that is not an option for me due to the additional cost.

So the setup I am using is essentially as follows: a guest wireless vlan (and separate SSID and interface on WLCs) is set up and dot1q trunked to the WLCs from the switches and dot1q trunked to a sub interface on the ASA from the switch. The default gateway and DHCP services are handled by the ASAs. The ASAs also handle the NATting to the Internet for the guest wireless clients. WCS is handling the account creation using the lobby ambassador role and with web authentication on the guest client side. A simple ACL is applied on the guest wireless sub interface which denies all traffic to all internal VLAN IP ranges from the guest wireless sub interface except for DNS, SMTP, POP3, and HTTP services to a single server. Please see the diagram below for clarity.

What I am wanting to know from someone with a better security background than myself is the following:

1) Is this a bad implementation that has security issues?

2) What else can I do to tighten security with this implementation?
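As an added illustration of the ASA side of the design described in the post (not the poster's configuration and not taken from Cisco documentation), the following shows the guest sub-interface, the ASA-hosted DHCP scope, dynamic PAT to the outside interface, and an inbound ACL that implements the stated policy: the four services to one server are permitted first, everything else toward internal address space is denied and logged, and only then is general Internet access allowed. It is written in ASA 8.3+ syntax (object NAT). The VLAN number (50), interface names, the guest subnet 192.168.50.0/24, the internal ranges 10.0.0.0/8 and 172.16.0.0/12, the server address 10.1.1.25 and all object names are assumptions chosen for the example.

```cisco
! Added example, not the poster's running config. VLAN, names and addresses are assumed.
! Guest sub-interface on the dot1q trunk from the switch; the ASA is the guest default gateway.
interface GigabitEthernet0/1.50
 vlan 50
 nameif guest
 security-level 0
 ip address 192.168.50.1 255.255.255.0
!
! DHCP for guest clients, served by the ASA itself (assumed scope and lease).
dhcpd address 192.168.50.10-192.168.50.250 guest
dhcpd dns 10.1.1.25 interface guest
dhcpd lease 3600 interface guest
dhcpd enable guest
!
! Dynamic PAT of the whole guest subnet behind the outside interface address.
object network GUEST_NET
 subnet 192.168.50.0 255.255.255.0
 nat (guest,outside) dynamic interface
!
! Internal address space guests must never reach; mirror the real internal address plan here.
object-group network INTERNAL_NETS
 network-object 10.0.0.0 255.0.0.0
 network-object 172.16.0.0 255.240.0.0
!
! The single internal server that guests may use for DNS, SMTP, POP3 and HTTP.
object network GUEST_SERVICES_HOST
 host 10.1.1.25
!
! Inbound ACL on the guest interface. Order matters: specific permits, then the internal deny,
! then Internet; the ASA appends an implicit deny, made explicit here so misses are logged.
access-list GUEST_IN remark Allowed services to the one internal server
access-list GUEST_IN extended permit udp object GUEST_NET object GUEST_SERVICES_HOST eq domain
access-list GUEST_IN extended permit tcp object GUEST_NET object GUEST_SERVICES_HOST eq smtp
access-list GUEST_IN extended permit tcp object GUEST_NET object GUEST_SERVICES_HOST eq pop3
access-list GUEST_IN extended permit tcp object GUEST_NET object GUEST_SERVICES_HOST eq www
access-list GUEST_IN remark Block and log anything else aimed at internal networks
access-list GUEST_IN extended deny ip any object-group INTERNAL_NETS log
access-list GUEST_IN remark Internet access for guests
access-list GUEST_IN extended permit ip object GUEST_NET any
access-list GUEST_IN extended deny ip any any log
!
access-group GUEST_IN in interface guest
```

Two points worth keeping in mind when adapting this: the permit lines must sit above the deny to INTERNAL_NETS, otherwise the server permits are never matched; and an interface ACL on the ASA only governs traffic that is routed through the ASA, so client-to-client traffic inside the guest VLAN, and any reachability of WLC or switch management addresses that share a path with the guest VLAN, has to be controlled on the WLC and switches rather than here.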



