53-3
Catalyst 4500 Series Switch, Cisco IOS Software Configuration Guide - Cisco IOS XE 3.9.xE and IOS 15.2(5)Ex
Chapter 53 Configuring Wired Guest Access
Information about Wired Guest Access
Converged Guest Access Solution
In the preceding figure, the Cisco Next Generation Wiring Closet (NGWC) device forms the attachment
point for both wired and wireless sessions and provides Layer 2 authentication, where applicable. Wired
session guests on a mobility agent (a foreign device) are directed through a Control And Provisioning of
Wireless Access Points (CAPWAP) tunnel to the wireless controller (the anchor device) in the
demilitarized zone (DMZ). The wired session guests are provided open or web-authenticated access
from the wireless controller. This approach simplifies the management of guest access because only one
network device is provisioned to manage HTTP traffic and serve web pages.
Tunneling wired guest traffic to the DMZ allows the same controller platform to provide
web-authenticated and open access to wired guests also, further simplifying the management of guest
access and ensuring a consistent experience for end users. To activate the CAPWAP tunnel, matching
guest LAN profiles must be configured on foreign and anchor devices.
Authentication, authorization, and accounting (AAA) services are required at the access layer for Layer
2 authentication and, optionally, to direct the device to open a tunnel for a wired client. A DMZ uses
AAA for client guest authentication. The Mobility Controller/Mobility Tunnel Endpoint (MC/MTE)
allows the CAPWAP tunnel to the DMZ to be load-balanced across an array of wireless controllers.
CAPWAP Tunneling
In an enterprise Edge (eEdge) implementation of wired guest access, Control And Provisioning of
Wireless Access Points (CAPWAP) tunneling is implemented as an Enterprise Policy Manager (EPM)
plug-in.
When a tunnel is specified within a user profile or a service template, the EPM invokes the CAPWAP
tunnel. The EPM requests that the Wireless Controller Module (WCM) establish a CAPWAP tunnel for
the session on which the EPM is installed. If the WCM returns an error or indicates unsolicited tunnel
termination at any subsequent point, the CAPWAP tunnel notifies the EPM of failure. The failure results
in an authorization-failure event at the session manager, and a control policy rule can be specified to
determine the failure handling.
IP
CAPWAP
Converged
Access
Mobility Controller (MC) /
Mobility Tunnel
Endpoint (MTE)
Wired Controller DMZ
AAAAAA
Mobility Oracle
Wireless
Controller
CAPWAP
390240
To Next Page
Loading...
Need help?
General
