WLC - Guest Lan

Started by Dieselboy, February 29, 2016, 12:21:46 AM


Dieselboy

I have a working WLC with a Guest wifi SSID. I've noticed this "Guest Lan" check box under the interface which is used for guests. I've not checked this box, but when you do, the IP address fields are taken away and you're left with the VLAN ID.
The guest network is a layer2 network and guest users hit the ASA firewall for their default gateway, so all they obtain is internet access.
I've seen this link about wired guests: http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/99470-config-wiredguest-00.html#anc10

But I'm unsure how / why the IP info is removed when you tick the Guest Lan box.

Is anyone using this and does anyone know the differences?

deanwebb

Is this the one where they form a CAPWAP tunnel back to the anchor controller in the DMZ? If so, I'm able to speak on it, as it's tied in with my NAC system providing authentication.

routerdork

We used it without checking the Guest box. However, had there been time to test it, we might have used it after reading through the doc you posted. We did a setup like that for standalone sites. The reason was to isolate a guest from everything until they had passed through an ACL on the ASA. If they can hit an IP on the WLC, they can compromise it.

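The point routerdork raises (guests must not be able to reach an IP on the WLC) has a subtlety that the ASA ACL alone does not cover: the ASA is the guests' default gateway, so it only sees traffic leaving the guest subnet. The WLC's dynamic interface address sits inside the guest VLAN, so a guest client reaches it at layer 2 without ever transiting the ASA. The following is an added model of the two enforcement points (a per-WLAN ACL on the WLC, and the ACL on the ASA) and of what ticking "Guest Lan" changes, namely that the interface no longer has an address to hit. It is example code written for this thread, not Cisco configuration; all addresses are constructed documentation ranges, and the ACL rule format is a simplification, not WLC or ASA CLI syntax.

```python
"""Model of where guest-client traffic is filtered: on the WLC (per-WLAN ACL)
or on the ASA (the guests' default gateway). Constructed example, not Cisco code."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str                  # "tcp", "udp" or "icmp"
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                 # "permit" or "deny"
    dst: str                    # destination prefix, e.g. "1.1.1.1/32" or "0.0.0.0/0"
    proto: str = "any"          # "any", "tcp", "udp" or "icmp"
    dport: Optional[int] = None # None matches every port

    def matches(self, flow: Flow) -> bool:
        if ip_address(flow.dst) not in ip_network(self.dst):
            return False
        if self.proto != "any" and self.proto != flow.proto:
            return False
        return self.dport is None or self.dport == flow.dport


def evaluate(acl: List[Rule], flow: Flow) -> str:
    """First-match evaluation; both the WLC and the ASA end with an implicit deny."""
    for rule in acl:
        if rule.matches(flow):
            return rule.action
    return "deny"


# Constructed addressing (RFC 5737 documentation ranges), not the thread's real network.
GUEST_NET = ip_network("192.0.2.0/24")
ASA_GUEST_GW = "192.0.2.1"      # guests' default gateway (ASA interface)
WLC_GUEST_IF = "192.0.2.5"      # WLC dynamic interface in the guest VLAN (exists only when "Guest Lan" is unticked)
WLC_MGMT = "198.51.100.10"      # WLC management interface, on a different subnet
VIRTUAL_IP = "1.1.1.1"          # WLC virtual interface used for web auth; answered by the controller itself

# ACL on the ASA's guest interface (constructed): it only ever sees off-subnet traffic.
ASA_ACL = [
    Rule("deny", WLC_MGMT + "/32"),
    Rule("deny", "198.51.100.0/24"),       # rest of the infrastructure subnet
    Rule("permit", "0.0.0.0/0"),           # Internet
]

# Per-WLAN ACL on the WLC (constructed): the only point that sees same-VLAN traffic.
WLAN_ACL = [
    Rule("permit", "0.0.0.0/0", "udp", 67),         # DHCP
    Rule("permit", "0.0.0.0/0", "udp", 53),         # DNS
    Rule("permit", VIRTUAL_IP + "/32", "tcp", 80),  # web-auth portal
    Rule("permit", VIRTUAL_IP + "/32", "tcp", 443),
    Rule("deny", WLC_GUEST_IF + "/32"),             # never let a guest talk to the controller
    Rule("deny", str(GUEST_NET)),                   # no guest-to-guest or guest-to-gateway chatter
    Rule("permit", "0.0.0.0/0"),
]


def transits_asa(flow: Flow) -> bool:
    """Only traffic leaving the guest subnet is routed via the ASA."""
    return ip_address(flow.dst) not in GUEST_NET


def decision(flow: Flow, wlan_acl: Optional[List[Rule]] = None,
             guest_if_has_ip: bool = True) -> str:
    """Where, if anywhere, the flow is stopped.

    wlan_acl=None models a WLAN with no per-WLAN ACL; guest_if_has_ip=False
    models the "Guest Lan" (layer-2 only) interface that has no address at all."""
    if flow.dst == WLC_GUEST_IF and not guest_if_has_ip:
        return "unreachable: interface has no IP (Guest LAN, layer-2 only)"
    if wlan_acl is not None and evaluate(wlan_acl, flow) == "deny":
        return "denied by WLC WLAN ACL"
    if flow.dst == VIRTUAL_IP:
        return "answered by WLC (virtual interface)"
    if transits_asa(flow):
        return "denied by ASA" if evaluate(ASA_ACL, flow) == "deny" else "permitted"
    return "permitted (same VLAN, ASA never sees it)"


if __name__ == "__main__":
    guest = "192.0.2.50"  # constructed guest client
    probes = [Flow(guest, WLC_GUEST_IF, "tcp", 443), Flow(guest, WLC_MGMT, "tcp", 443),
              Flow(guest, VIRTUAL_IP, "tcp", 443), Flow(guest, "203.0.113.7", "tcp", 443)]
    for f in probes:
        print(f"{f.dst:>15}  no WLAN ACL: {decision(f):<45} with WLAN ACL: {decision(f, WLAN_ACL)}")
```

The run shows the gap: without a WLAN ACL the guest reaches the WLC's guest-VLAN address and the ASA is never consulted, while the management address is blocked by the ASA because that traffic is routed. Either a per-WLAN ACL on the controller or the Guest LAN option (no address on the interface) closes the same-VLAN path; the ASA ACL cannot.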
Dieselboy

I've not tested / checked to see if the guest IP tied to the guest interface on the WLC is reachable from the guest wifi network. I'm guessing that it might well be. However, our web auth uses the virtual IP for the guest users. At the moment it is still 1.1.1.1. I have PSK set up as the primary authentication since our office is below apartments. Then, web auth kicks in.

deanwebb, I've only ever set up single-controller networks, so I'm unsure. I've set up a separate guest network subnet which is like a DMZ #2.