Cisco Cisco IOS XE 3.5E Release Notes
4
Release Notes for Cisco 5700 Series Wireless LAN Controller, Cisco IOS XE Release 3.7.xE
What’s New in Cisco IOS XE Release 3.7.3E
guest controller manages the client traffic. Foreign controller is the primary switch where a client
connects for network access; it also initiates tunnel requests. Guest anchor is the switch where a client
gets anchored.
connects for network access; it also initiates tunnel requests. Guest anchor is the switch where a client
gets anchored.
Before the guest access feature can be deployed, a mobility tunnel is established between the foreign
anchor and guest anchor switches. The guest access feature works for both MC (Foreign Controller) to
MC (Guest Anchor) and MA (Foreign Controller) to MC (Guest Anchor) models. The foreign anchor
switch trunks wired guest traffic to the guest anchor controller. Multiple guest anchors can be configured
for load balancing. The client is anchored to a DMZ anchor controller. It is also responsible for handling
DHCP IP address assignment and authentication of a client. After the authentication is completed, the
client is able to access the network.
anchor and guest anchor switches. The guest access feature works for both MC (Foreign Controller) to
MC (Guest Anchor) and MA (Foreign Controller) to MC (Guest Anchor) models. The foreign anchor
switch trunks wired guest traffic to the guest anchor controller. Multiple guest anchors can be configured
for load balancing. The client is anchored to a DMZ anchor controller. It is also responsible for handling
DHCP IP address assignment and authentication of a client. After the authentication is completed, the
client is able to access the network.
Deployment Scenarios
The following sections describe common scenarios where the wired clients connect to access switches
for network access. Two modes of access are explained with different examples. In both the methods,
the wired guest access feature can act as a fallback method for authentication. This is typically a scenario
where a guest user brings an end device that is unknown to the network. Since the end device is missing
endpoint supplicant, it will fail the dot1x mode of authentication. Similarly, MAC authentication bypass
(MAB) will also fail, as the MAC address of the end device is unknown to the authenticating server. It
is worth noting that in such implementations, corporate end devices successfully get access to network
as they would either have a dot1x supplicant or MAC addresses in the authenticating server for
validation. This enables flexibility in deployment, because the administrator does not have to restrict and
tie up ports specifically for guest access.
for network access. Two modes of access are explained with different examples. In both the methods,
the wired guest access feature can act as a fallback method for authentication. This is typically a scenario
where a guest user brings an end device that is unknown to the network. Since the end device is missing
endpoint supplicant, it will fail the dot1x mode of authentication. Similarly, MAC authentication bypass
(MAB) will also fail, as the MAC address of the end device is unknown to the authenticating server. It
is worth noting that in such implementations, corporate end devices successfully get access to network
as they would either have a dot1x supplicant or MAC addresses in the authenticating server for
validation. This enables flexibility in deployment, because the administrator does not have to restrict and
tie up ports specifically for guest access.
The figure below shows the topology used in this deployment scenario:
Figure 1-1
Wired Guest Access with Cisco 5760 WLC as Both Guest Anchor and Foreign
Controller
Controller