Cisco 4404 Wireless LAN Controller Technical Reference

Deployment Guide for Cisco Guest Access Using the Cisco Wireless LAN Controller, Release 4.1
OL-13691-01
  Web Authentication Process
Web Authentication Using Mobility Anchor Feature on Controller
Guest tunneling provides additional security for guest access to the corporate wireless network, ensuring 
that guest users are unable to access the corporate network without first passing through the corporate 
firewall. Instead of extending the DMZ virtual LAN (VLAN) to each controller on the network, a Cisco 
4100 or 4400 series wireless LAN controller or Cisco WiSM can be used in the DMZ VLAN as an anchor 
controller to terminate traffic from remote controllers.
Internal employee user traffic is segregated from guest user traffic using Ethernet over IP (EoIP) tunnels 
and VLANs between the remote controllers and the DMZ controller.
Guest Tunneling Support on Cisco Products
Guest Tunneling provides additional security for guest access to the corporate wireless network across most controller platforms (Table 2).
Table 2  Guest Tunneling Support on Wireless LAN Controller Platforms
In guest tunneling scenarios:
• The user's IP address is administered from the DMZ anchor controller, which has a dedicated VLAN for guests.
• All user traffic is transported over an Ethernet-over-IP (EoIP) tunnel between the remote controller and the DMZ anchor controller.
• Mobility is supported as a client device roams between controllers.
Each DMZ anchor controller can support 40 tunnels from various inside controllers. These tunnels are 
established from each controller for each SSID using the mobility anchor feature, meaning that many 
wireless clients can ride the tunnel.
For a customer with many remote sites, it is now possible to forward different types of guest traffic from 
different sites to different DMZ Anchor controllers, or to the same DMZ Anchor controller with different 
wireless LANs. Any user getting placed on the DMZ anchor controller can use the AAA-override feature 
to apply RADIUS Vendor Specific Attributes (VSAs) on a per-session basis.
Guest tunneling provides additional security for guest access to the corporate wireless network.
Software Release/Platform                                           3.0   3.2   4.0   4.1
Cisco 4100 series wireless LAN controllers                          Y     Y     N     N
Cisco 4400 series wireless LAN controllers                          Y     Y     Y     Y
Cisco 2000 and 2100 series wireless LAN controllers [1]             N     Y     Y     Y
Cisco 6500 series (WiSM)                                            ---   Y     Y     Y
Cisco 3750 series with integrated wireless LAN controller           ---   N     Y     Y
Cisco wireless LAN controller module for Integrated Service
Routers [1]                                                         ---   Y     Y     Y
1. Cannot be used for anchor functions (tunnel termination, web authentication and access control); however, origination of guest controller tunnels is supported. When a user associates with a service set identifier (SSID) that is designated as the guest SSID, the user's traffic is tunneled to the DMZ Anchor controller which can route the traffic to the DMZ network outside of the corporate firewall.
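The 40-tunnel limit and the Table 2 restrictions can be checked against a planned guest design before deployment. The following Python sketch is an added example, not part of the Cisco guide: the controller names and the sample plan are constructed, and it assumes one tunnel per (remote controller, SSID) pair, which is how this page describes tunnel establishment.

```python
from collections import defaultdict

MAX_TUNNELS_PER_ANCHOR = 40                  # limit stated in the guide
RELEASES = ("3.0", "3.2", "4.0", "4.1")
# Table 2 rows as printed: Y = supported, N = not supported, - = "---"
TABLE2 = {"4100": "YYNN", "4400": "YYYY", "2000/2100": "NYYY",
          "WiSM": "-YYY", "3750": "-NYY", "ISR-module": "-YYY"}
ORIGINATE_ONLY = {"2000/2100", "ISR-module"}  # footnote 1: no anchor functions

def supports_tunneling(platform, release):
    return TABLE2[platform][RELEASES.index(release)] == "Y"

def audit(controllers, guest_wlans):
    """controllers: name -> (platform, release).
    guest_wlans: list of (remote_controller, ssid, anchor_controller)."""
    findings = set()
    tunnels = defaultdict(set)               # anchor -> {(remote, ssid)}
    for remote, ssid, anchor in guest_wlans:
        for name, role in ((remote, "remote"), (anchor, "anchor")):
            platform, release = controllers[name]
            if not supports_tunneling(platform, release):
                findings.add(f"{name}: {platform} release {release} "
                             "has no guest tunneling support")
            elif role == "anchor" and platform in ORIGINATE_ONLY:
                findings.add(f"{name}: {platform} can originate tunnels "
                             "but cannot act as anchor")
        tunnels[anchor].add((remote, ssid))
    for anchor, pairs in tunnels.items():
        if len(pairs) > MAX_TUNNELS_PER_ANCHOR:
            findings.add(f"{anchor}: {len(pairs)} tunnels exceeds "
                         f"limit of {MAX_TUNNELS_PER_ANCHOR}")
    return sorted(findings)

def sample_plan():
    """Constructed plan: 21 branches with 2 guest SSIDs each, plus one HQ site."""
    controllers = {"dmz-1": ("4400", "4.1"), "dmz-2": ("2000/2100", "4.1"),
                   "hq-1": ("4100", "4.0")}
    wlans = [("hq-1", "guest", "dmz-2")]
    for i in range(1, 22):
        controllers[f"branch-{i:02d}"] = ("4400", "4.1")
        wlans += [(f"branch-{i:02d}", s, "dmz-1") for s in ("guest", "contractor")]
    return controllers, wlans

if __name__ == "__main__":
    for line in audit(*sample_plan()):
        print(line)
```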