53-2
Catalyst 4500 Series Switch, Cisco IOS Software Configuration Guide - Cisco IOS XE 3.9.xE and IOS 15.2(5)Ex
Chapter 53 Configuring Wired Guest Access
Information about Wired Guest Access
• Wired guest access works on Supervisor Engine 8-E in wireless mode only.
• Tunneling of wired clients is not supported when the client is attached to a port at the Cisco Next
Generation Wiring Closet (NGWC) device that is configured for open mode.
• Tunneling of wired clients is not supported after successful web authentication at the NGWC device
because automated IP address reassignment is not supported after web-authentication.
• The NGWC device supports network access only via the tunnel based on the web authentication that
occurs at the controller.
• The Network Advertisement and Selection Protocol (NASP) is not supported for wired clients.
• High availability is not supported for wireless sessions. If the wireless controller fails while
providing tunneled guest access for a wired client, the state is not automatically recovered.
• Inactivity aging is not enforced for a wired client that is provisioned to the wireless controller; for
example, within a RADIUS Access-Accept request that is received after web authentication is
performed at the controller.
Information about Wired Guest Access
Wired Guest Access Overview
Enterprise networks that support both wired and wireless access need to provide guest services that are
consistent across the two access media, from a perspective of both client experience and manageability.
For wireless networks, guest traffic from a mobility anchor device is directed typically through a Control
And Provisioning of Wireless Access Points (CAPWAP) tunnel to an array of controllers in the
demilitarized zone (DMZ), where either web-authenticated access or open access is provided. Wired
guest traffic can also be backhauled to the DMZ using more traditional tunneling mechanisms like
Generic Routing Encapsulation (GRE). The Cisco Next Generation Wiring Closet (NGWC) platforms,
with converged wired and wireless access, can extend CAPWAP tunneling to wired guests also, allowing
for very similar handling at the controller platform (in the DMZ) and reducing the provisioning
overhead.
However, security remains an issue because it is not possible to determine, prior to authentication,
whether a wired client is a guest or requires access to the corporate network. Consequently, the decision
to tunnel a wired client’s traffic to the DMZ cannot be made with the certain knowledge that the client
is a guest.
Due to the lack of network selection for wired clients, open mode cannot be supported with guest
tunneling. Open mode is when an IP address is allocated as soon as a client connects to the access switch.
Once the client is connected via a tunnel, it must be reassigned an IP address from a subnet provisioned
at the DMZ, before web authentication can be attempted.
To Next Page
Loading...
Need help?
General
