Cisco 4404 Wireless LAN Controller Technical References

Deployment Guide: Cisco Guest Access Using the Cisco Wireless LAN Controller, Release 4.0
OL-11010-01
  Web Authentication Process
In guest tunneling scenarios:
- The user's IP address is administered from the DMZ anchor controller, which has a dedicated VLAN for guest users.
- All user traffic is transported over an Ethernet-over-IP (EoIP) tunnel between the remote wireless LAN controller and the DMZ anchor wireless LAN controller.
- Mobility is supported as a client device roams between wireless LAN controllers.
Each DMZ anchor controller can support 40 tunnels from various inside controllers. These tunnels are 
established from each controller for each SSID using the mobility anchor feature, meaning that many 
wireless clients can ride the tunnel.
For a customer with many remote sites, it is now possible to forward different types of guest traffic from 
different sites to different DMZ Anchor controllers, or to the same DMZ Anchor controller with different 
wireless LANs. Any user getting placed on the DMZ can use the AAA-override feature to apply 
RADIUS Vendor Specific Attributes (VSAs) on a per-session basis.
Guest tunneling provides additional security for guest-user access to the corporate wireless network.
Note: For the example in this deployment guide, the remote and the DMZ anchor controllers are assigned to the same mobility group. Generally, implementing the guest tunneling feature does not require that the remote and DMZ anchor controllers be in the same mobility group.
Table 2  Guest Tunneling Support on Wireless LAN Controller Platforms

Software Release/Platform                                                   3.0   3.2   4.0
Cisco 4100 series wireless LAN controllers                                  Y     Y     N
Cisco 4400 series wireless LAN controllers                                  Y     Y     Y
Cisco 2000 series wireless LAN controllers (1)                              N     Y     Y
Cisco 6500 series (WiSM)                                                    ---   Y     Y
Cisco 3750 series with integrated wireless LAN controller                   ---   N     Y
Cisco wireless LAN controller module for Integrated Service Routers (1)     ---   Y     Y

1. Cannot be used for anchor functions (tunnel termination, web authentication and access control); however, origination of guest controller tunnels is supported. When a user associates with a service set identifier (SSID) that is designated as the guest SSID, the user's traffic is tunneled to the DMZ Anchor controller which can route the traffic to the DMZ network outside of the corporate firewall.
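The following is an added example, not part of the Cisco guide: a small design check that applies Table 2, footnote 1 and the 40-tunnel figure to a planned guest deployment. Controller names, the sample design and the counting rule (one tunnel per remote controller and SSID pair, read from the guide's wording) are assumptions.

```python
"""Check a guest-tunneling design against Table 2 and the 40-tunnel figure.
Added example; controller names and the sample design are constructed."""
from collections import defaultdict

# Table 2: "Y" supported, "N" not supported, None where the table shows "---".
SUPPORT = {
    "4100": {"3.0": "Y", "3.2": "Y", "4.0": "N"},
    "4400": {"3.0": "Y", "3.2": "Y", "4.0": "Y"},
    "2000": {"3.0": "N", "3.2": "Y", "4.0": "Y"},
    "WiSM": {"3.0": None, "3.2": "Y", "4.0": "Y"},
    "3750": {"3.0": None, "3.2": "N", "4.0": "Y"},
    "ISR-module": {"3.0": None, "3.2": "Y", "4.0": "Y"},
}
ORIGINATE_ONLY = {"2000", "ISR-module"}  # footnote 1: no anchor functions
MAX_TUNNELS_PER_ANCHOR = 40

def check_design(controllers, guest_wlans):
    """controllers: name -> (platform, release).
    guest_wlans: list of (remote controller, SSID, anchor controller).
    Returns a sorted list of findings; empty when the design passes."""
    findings, tunnels = set(), defaultdict(set)
    for remote, ssid, anchor in guest_wlans:
        for name in (remote, anchor):
            platform, release = controllers[name]
            if SUPPORT[platform].get(release) != "Y":
                findings.add(f"{name}: guest tunneling not supported on {platform} release {release}")
        anchor_platform = controllers[anchor][0]
        if anchor_platform in ORIGINATE_ONLY:
            findings.add(f"{anchor}: {anchor_platform} cannot be used for anchor functions")
        # Assumption: one tunnel per (remote controller, SSID) pair.
        tunnels[anchor].add((remote, ssid))
    for anchor, pairs in tunnels.items():
        if len(pairs) > MAX_TUNNELS_PER_ANCHOR:
            findings.add(f"{anchor}: {len(pairs)} tunnels exceed the limit of {MAX_TUNNELS_PER_ANCHOR}")
    return sorted(findings)

# Constructed sample: 21 branches with two guest SSIDs each, plus one HQ controller.
SAMPLE_CONTROLLERS = {"dmz-1": ("4400", "4.0"), "dmz-2": ("2000", "4.0"), "hq": ("4100", "4.0")}
SAMPLE_CONTROLLERS.update({f"branch-{i:02d}": ("4400", "4.0") for i in range(1, 22)})
SAMPLE_WLANS = [(f"branch-{i:02d}", s, "dmz-1") for i in range(1, 22) for s in ("guest", "contractor")]
SAMPLE_WLANS += [("hq", "guest", "dmz-2")]

if __name__ == "__main__":
    for finding in check_design(SAMPLE_CONTROLLERS, SAMPLE_WLANS):
        print(finding)
```
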