Wireless Guest Access
The Wireless Guest Access feature addresses the need to provide internet access to guests in a secure and accountable manner. The implementation of a wireless guest network uses the enterprise’s existing wireless and wired infrastructure to the maximum extent, which reduces the cost and complexity of building a physical overlay network. The Wireless Guest Access solution comprises two controllers: a Guest Foreign and a Guest Anchor. An administrator can limit bandwidth and shape the guest traffic to avoid impacting the performance of the internal network.
Wireless Guest Access feature comprises the following functions:
- Guest Anchor controller is the point of presence for a client.
- Guest Anchor Controller provides internal security by forwarding the traffic from a guest client to a Cisco Wireless Controller in the demilitarized zone (DMZ) network through the anchor controller.
- Guest Foreign controller is the point of attachment of the client.
- Guest Foreign Controller is a dedicated guest WLAN or SSID and is implemented throughout the campus wireless network wherever guest access is required. A WLAN with mobility anchor (guest controller) configured on it identifies the guest WLAN.
- Guest traffic segregation implements Layer 2 or Layer 3 techniques across the campus network to restrict the locations where guests are allowed.
- Guest user-level QoS is used for rate limiting and shaping, although it is widely implemented to restrict the bandwidth usage for a guest user.
- Access control involves using embedded access control functionality within the campus network, or implementing an external platform to control guest access to the Internet from the enterprise network.
- Authentication and authorization of guests that are based on variables, including date, duration, and bandwidth.
- An audit mechanism to track who is currently using, or has used, the network.
- A wider coverage is provided by including areas such as lobbies and other common areas that are otherwise not wired for network connectivity.
- The need for designated guest access areas or rooms is removed.
Note: To use IRCM with AireOS in your network, contact Cisco TAC for assistance.
Controller Name | Supported as Guest Anchor | Supported as Guest Foreign |
---|---|---|
Cisco Catalyst 9800-40 Wireless Controller | Yes | Yes |
Cisco Catalyst 9800-80 Wireless Controller | Yes | Yes |
Cisco Catalyst 9800-CL Wireless Controller | Yes | Yes |
Cisco Catalyst 9800-L Wireless Controller | Yes | Yes |
Cisco Catalyst 9800 Embedded Wireless Controller for Switch | No | No |
Cisco Catalyst 9800 Embedded Wireless Controller on Cisco Catalyst 9100 Series APs | No | No |
Supported Features
Following is a list of features supported by Cisco Guest Access:
- Sleeping Clients
- FQDN
- AVC (AP upstream and downstream)
- Native Profiling
- Open Authentication
- OpenDNS
- Supported Security Methods:
  - MAB Central Web Authentication (CWA)
  - Local Web Authentication (LWA)
  - LWA on MAB Failure
  - 802.1x + CWA
  - 802.1x
  - PSK
  - 802.1x + LWA
  - PSK + CWA
  - PSK + LWA
  - iPSK + CWA
  - MAB Failure + PSK
  - MAB Failure + OWE
  - MAB Failure + SAE
- SSID QoS Upstream and Downstream (Foreign)
- AP/Client SSO
- Static IP Roaming
- Client IPv6
- Roaming across controllers
- RADIUS Accounting
  Note: In a guest access scenario, accounting is always performed at the foreign controller for all authentication methods.
- QoS: Client-Level Rate Limiting
- Guest Anchor Load Balancing
- Workgroup Bridges (WGB)
Note: To enable the controller to support multiple VLANs from a WGB, use the wgb vlan command.
Foreign Map Overview
Guest Access supports Foreign Map using Policy Profile and WLAN Profile configuration models in Cisco Catalyst 9800 Series Wireless Controller.
Foreign Map support in Cisco Catalyst 9800 Series Wireless Controller is achieved with the following policy profile and WLAN profile configuration model:
- Guest Foreign commands:
  - Foreign1: wlanProf1 PolicyProf1
  - Foreign2: wlanProf2 PolicyProf2
- Guest Anchor commands:
  - wlanProf1, wlanProf2
  - PolicyProf1: Vlan100 - subnet1
  - PolicyProf2: Vlan200 - subnet2
Foreign Map Roaming
If two different WLAN profiles are configured on the two Guest Foreigns, seamless roaming is not allowed between them. This is the expected configuration. Seamless roaming is allowed if the same WLAN profile is configured on both Guest Foreigns, but that prevents the Foreign Map feature from working.
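The Foreign Map model and the roaming rule above, as an added example (not Cisco's code or controller output): a small Python audit that resolves each Guest Foreign to the anchor VLAN its guests land in and flags layouts where the map cannot separate them. The dictionary layout and function names are hypothetical, and treating a profile missing from the anchor as an error is an assumption drawn from the page's model.

```python
from itertools import combinations

# Constructed model of the page's Foreign Map example (not controller output).
FOREIGNS = {  # Guest Foreign -> (WLAN profile, policy profile)
    "Foreign1": ("wlanProf1", "PolicyProf1"),
    "Foreign2": ("wlanProf2", "PolicyProf2"),
}
ANCHOR = {  # Guest Anchor: known WLAN profiles, policy profile -> (VLAN, subnet)
    "wlans": {"wlanProf1", "wlanProf2"},
    "policies": {"PolicyProf1": (100, "subnet1"), "PolicyProf2": (200, "subnet2")},
}


def resolve(foreigns, anchor):
    """Return {foreign: (vlan, subnet)}; None marks a profile the anchor lacks."""
    out = {}
    for name, (wlan, policy) in foreigns.items():
        known = wlan in anchor["wlans"] and policy in anchor["policies"]
        out[name] = anchor["policies"][policy] if known else None
    return out


def seamless_roaming(foreigns, a, b):
    """Roaming rule from the page: seamless only with one shared WLAN profile."""
    return foreigns[a][0] == foreigns[b][0]


def audit(foreigns, anchor):
    """List layouts in which Foreign Map cannot keep the foreigns' guests apart."""
    findings = []
    placed = resolve(foreigns, anchor)
    for name, target in placed.items():
        if target is None:  # assumption: the anchor must define both profiles
            findings.append(f"{name}: WLAN or policy profile not defined on the anchor")
    for a, b in combinations(sorted(foreigns), 2):
        if seamless_roaming(foreigns, a, b):
            findings.append(f"{a}/{b}: shared WLAN profile {foreigns[a][0]}, "
                            "seamless roaming works but Foreign Map does not")
        elif placed[a] is not None and placed[a] == placed[b]:
            findings.append(f"{a}/{b}: distinct profiles map to the same VLAN {placed[a][0]}")
    return findings


if __name__ == "__main__":
    print(resolve(FOREIGNS, ANCHOR))
    print(audit(FOREIGNS, ANCHOR) or "no findings")
```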
Wireless Guest Access: Use Cases
The wireless guest access feature can be used to meet different requirements. Some of the possibilities are shared here.
Scenario One: Providing Secured Network Access During Company Merger
This feature can be configured to let employees of company A who are visiting company B securely access company A resources over company B's network.
Scenario Two: Shared Services over Existing Setup
Using this feature, you can provide multiple services using multiple vendors that piggyback on the existing network. A company can provide services on an SSID that is anchored on the existing controller, while the existing service continues to be served over the same controller and network.