WLAN Guest design discussions
Last Post: April 21, 2010
-
I'm wondering if there are any Wireless Network Engineers out there that have deployed a guest WLAN "on the cheap".
We're a Cisco shop with 8 WiSMs and over a thousand access points on campus. The desire is to create an SSID for guest users and limit it to DHCP, DNS, HTTP and HTTPS. On top of that, rate limit them to 2 Mb/s up and down.
The standard Cisco design is an anchor controller on your DMZ with an ASA or some other device that overloads/PATs the traffic. The project I'm working on has no money at this point, so I was wondering what y'all have done with your networks.
My quick and dirty design as it stands right now is another SSID mapped to a campus VLAN, filtering protocols on the Cisco 6509 where the WiSMs are, and egress policing the traffic both on the VLAN mapped to the SSID and on the VLAN coming into the box from the "big network".
Thanks,
Tim
-
I have an issue that I am keen to resolve. I have a WLAN that is used for public access within a library. I am using Aruba equipment and I am trying to get the Aruba 650 controller to send the HTTP (80) traffic to the corporate ISA/Websense proxy server on port 8080. This will allow the public web traffic to be content filtered. I would also like to be able to use different VLANs and captive portals for the different libraries. We did manage to get this working. I can get it to work if I manually add the proxy settings onto the wireless client, but this will not be possible in a public hotspot environment.
Any pointers would be appreciated.
James
-
I don't have an Aruba WLC, but I do have a Cisco WLC:
1. Obtain an IP Address Range (per subnet/location)
2. Set up an SVI for each VLAN in question (per subnet)
3. Set up any L2/L3 configuration you may require - IGP routing, HSRP/VRRP, QoS, etc.
4. Create an Interface on the Controller - 1 per subnet/WLAN
5. Create one WLAN aka SSID per area.
6. Associate each WLAN with an interface (each interface can be associated with more than one WLAN - the Guest WLAN should be associated with the Management interface in the case of the Foreign Controller).
7. You'll need proper security, etc.
8. Start testing.
I need to review and make sure I did not miss anything. This is off the top of my head.
-
Create a VLAN on your 6500 core(s), say VLAN 999, and ACL it off (for added protection). Then create a WLAN controller interface for each WiSM controller instance on this VLAN, so it can drop traffic onto it. I do not recommend using the 6500 as the router for this new VLAN in any shape or form; just use your 6500s for L2 switching of this VLAN. You then want to drop in another gateway device (with your Internet circuit) that serves DHCP for this VLAN for any device that gets dropped onto it.
Now you essentially have a new, segmented VLAN you can drop WLAN (and wired) devices onto. Your current infrastructure will switch it, but not route it. The new router you drop into that VLAN (say a DSL/cable modem) will be that router and DHCP server.
Then set up the WiSMs with a new SSID that you will broadcast, turn off all L2 security and nearly all of the settings on the Advanced tab. On the L3 security, set up Web Auth using whatever model fits your use case. See the deployment guide for more information on those options.
That's pretty darn cheap. Cisco's built-in guest options are very limited. You can always get a Nomadix or a small Aruba controller to be the gateway you drop onto that new VLAN to provide the guest web-based services you might want beyond what the WLC provides. Using Cisco NGS (NAC Guest Server) is pretty darn cool, but certainly not cheap. I believe Aerohive has some nice guest features as well that are all built into their AP product.
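For reference, here is one concrete way to write up the "quick and dirty" design from Tim's original post (protocol filter plus policing on the 6509 SVI that the guest VLAN maps to) in Cisco IOS. This is an added example, not configuration from any post in this thread or from Cisco; the VLAN number (999), the guest subnet (10.99.0.0/16), the guest DHCP/DNS server (10.99.0.2) and the internal address ranges are placeholders to adjust for your own addressing.

```ios
! Added example (not from the thread). Placeholders: VLAN 999, 10.99.0.0/16,
! guest DHCP/DNS server 10.99.0.2, RFC 1918 ranges standing in for "the big network".
!
! 1. Protocol filter on the guest SVI: only DHCP, DNS, HTTP and HTTPS get out,
!    and nothing from the guest VLAN reaches internal address space except the
!    guest resolver. Order matters: the internal denies sit before the web permits.
ip access-list extended GUEST-WLAN-IN
 remark DHCP from clients (broadcast discover and unicast renew)
 permit udp any eq bootpc any eq bootps
 remark DNS only to the guest resolver (placeholder address)
 permit udp any host 10.99.0.2 eq domain
 permit tcp any host 10.99.0.2 eq domain
 remark keep guests off the internal networks (placeholder ranges)
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 172.16.0.0 0.15.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 remark web to the Internet
 permit tcp any any eq www
 permit tcp any any eq 443
 remark everything else; add "log" only while testing, logged hits are CPU-switched on a 6500
 deny   ip any any
!
! 2. Aggregate policer: 2 Mb/s with a 62500-byte burst (6500 police takes bps and bytes).
mls qos
class-map match-any GUEST-ALL
 match any
policy-map GUEST-POLICE
 class GUEST-ALL
  police 2000000 62500 conform-action transmit exceed-action drop
!
! 3. The SVI the WiSM dynamic interfaces for the guest SSID land on.
interface Vlan999
 description Guest WLAN
 ip address 10.99.0.1 255.255.0.0
 ip helper-address 10.99.0.2
 ip access-group GUEST-WLAN-IN in
 no ip proxy-arp
 no ip redirects
 no ip unreachables
 service-policy input GUEST-POLICE
 service-policy output GUEST-POLICE
!
! 4. Ports carrying VLAN 999 (the WiSM port-channels) need VLAN-based QoS so the
!    SVI's input policer applies to them, e.g. on each such port:
!    interface Port-channelN
!     mls qos vlan-based
```

Two caveats worth knowing before relying on this: the policer caps the guest VLAN as a whole at 2 Mb/s in each direction, not each client, so a single heavy user can still starve the rest; and an ACL on the SVI only sees traffic that is routed, so guest-to-guest traffic inside VLAN 999 is not filtered by it (that is what the WLC's peer-to-peer blocking setting on the WLAN is for).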