WLC+Anchor+Guest NAC


Re: WLC+Anchor+Guest NAC

by ali » Tue Oct 25, 2011 8:54 am

Guest-->AP-->WLC(internal)--EOIP-->Anchor WLC -----Authentication--> NAC Guest Server

I have a problem with web redirection. I configured web authentication on the Anchor WLC, forwarding towards the NAC Guest Server using this URL: https://x.x.x.x/sites/sitename/login.html.

From the PC I am getting the IP from the DHCP server, which is configured on the Anchor controller, but I am not getting the web authentication page. Using URL:

Do I have to configure web authentication on the internal WLC, and do I also need to give the same URL for web authentication?
Second, in the NAC Guest site directory I couldn't find the login.html file.

Re:WLC+Anchor+Guest NAC

by Guest » Mon Apr 23, 2007 5:02 am

1. I think you should have physical port1 and the mgmt interface for management purposes (tagged or untagged), and port2 and a dynamic interface (I think of them as a VLAN interface on a switch) for guest users.

2. As you said, use two scopes or an external DHCP server for this scenario. "Load balancing" is possible.

3. Sorry, I don't have any deployment with two NGS... but you can run two NGS in VMware Server and test this (you can obtain a 30-day free license from the Cisco site). Have you looked here: http://www.cisco.com/en/US/docs/securit ... ers

Gregory

Re:WLC+Anchor+Guest NAC

by Guest » Mon Apr 23, 2007 3:36 am

So I really can't answer 1 and 3, and 2 actually brings up a concern....

How do you plan to anchor to load-balanced WLCs? I'm pretty sure you anchor to one controller, but maybe I just haven't read much about load balancing. Care to enlighten me?

Furthermore, when configuring anchor WLANs, I've always had to make the configuration identical, which included defining the DHCP server on the WLAN that is trusted. As far as I know, you can only define 1 DHCP server, so I'm not really sure how you would even make two DHCP servers work (unless you don't have to define a DHCP server on the trusted WLC)...

But assuming you could make both DHCP servers work with the WLC, then you probably will need to split the scopes, else you have no way to control address conflicts if you are really using two DMZ controllers.

I guess I need to read up a little on what you are calling "load balancing mode"...

Re:WLC+Anchor+Guest NAC

by Guest » Mon Apr 23, 2007 2:51 am

Greg

Thanks again.. that was useful too. One last query.. and this was grilling my head:

1) How does the guest VLAN egress work? I have a WLC on a new DMZ of the PIX, with a /27 subnet.. This WLAN is used only for EoIP communication.. Now, when the guest user gets a DHCP IP, what IP pool should I define here? Since the default route is going to be towards the PIX, it should be one among the 4 interfaces, right now? Or should I have another interface or VLAN DMZ for the egress traffic from the WLC? The SRND says something about dynamic interfaces, but it has not been explained at all :(

2) Will the foreign WLC talk to Anchor controllers 1 & 2 in load balancing mode? Why I'm asking is, if the DHCP is defined on Anchor 1 and the request goes to Anchor 2, then it will be an issue.. Otherwise, is it advisable to split up DHCP scopes between the two Anchors? Say 1-127 on one anchor and 128-254 on the other?

3) Lastly.. about the guest NAC servers.. I have 2 of them in place.. Will the guest database be replicated between them, like what ACS does? If so, is the replication bidirectional? If the lobby admin creates an account, it will be good if he just creates it in one box, and the other box replicates it ..

Thanks for all your answers.. it has been really useful to me.. and I think it will be useful for anyone who works on Anchor+guest+foreign WLC designs :)

Raj
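
The scope split raised in this thread (1-127 on one anchor, 128-254 on the other) can be checked for overlaps and reserved-address collisions before it is configured. This is an added example, not part of any post; the 192.0.2.0/24 guest subnet, the gateway and anchor interface addresses, and all names in the code are assumptions.

```python
import ipaddress

def check_split_scopes(subnet, pools, reserved=()):
    """Validate per-anchor DHCP pools carved out of one guest subnet.

    pools: {anchor_name: (first_ip, last_ip)}. reserved: addresses no pool may
    hand out (gateway, controller interfaces). Returns a list of problems.
    """
    net = ipaddress.ip_network(subnet)
    blocked = {ipaddress.ip_address(r) for r in reserved}
    blocked |= {net.network_address, net.broadcast_address}
    problems, ranges = [], []
    for name, (first, last) in pools.items():
        lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
        if lo > hi:
            problems.append(f"{name}: start {lo} is after end {hi}")
            continue
        if lo not in net or hi not in net:
            problems.append(f"{name}: {lo}-{hi} is outside {net}")
        for addr in sorted(blocked):
            if lo <= addr <= hi:
                problems.append(f"{name}: pool contains reserved address {addr}")
        ranges.append((lo, hi, name))
    ranges.sort()
    # Pairwise comparison: two anchors leasing the same address is the
    # conflict that splitting the scopes is meant to prevent.
    for i, (lo, hi, name) in enumerate(ranges):
        for lo2, hi2, other in ranges[i + 1:]:
            if lo2 <= hi:
                problems.append(
                    f"{name} and {other} overlap at {lo2}-{min(hi, hi2)}")
    return problems

# Constructed sample values (documentation address range, not from the thread).
GUEST_SUBNET = "192.0.2.0/24"
RESERVED = ["192.0.2.1",   # assumed firewall-side default gateway
            "192.0.2.2",   # assumed dynamic interface on anchor 1
            "192.0.2.3"]   # assumed dynamic interface on anchor 2
LITERAL_SPLIT = {"anchor1": ("192.0.2.1", "192.0.2.127"),
                 "anchor2": ("192.0.2.128", "192.0.2.254")}
ADJUSTED_SPLIT = {"anchor1": ("192.0.2.10", "192.0.2.127"),
                  "anchor2": ("192.0.2.128", "192.0.2.254")}

if __name__ == "__main__":
    for label, split in (("literal", LITERAL_SPLIT), ("adjusted", ADJUSTED_SPLIT)):
        print(label, check_split_scopes(GUEST_SUBNET, split, RESERVED) or "OK")
```

With these assumed addresses, a pool that starts at .1 would lease the gateway and interface addresses to guests, so the lower pool has to start above them.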

Re:WLC+Anchor+Guest NAC

by Guest » Mon Apr 23, 2007 2:10 am

Hi,

1. You should not do any VLAN for the L3 network on side A for guests. However, you have to tailor the guest WLAN on the foreign controller with some dynamic interface. For security purposes it is wise to create a dummy VLAN on the foreign controller. Tailor it with the Guest WLAN and do not allow it on the trunk connection between the foreign controller and the core switch.

2. Yes, you can use a DHCP server on the Anchor Controller...

and yes, I have some experience with the whole stuff you mentioned ;-)

Cheers
Gregory