Help -- Segmenting and Controlling Wireless Guest Networks
Danielh22185
Member Posts: 1,195
So I recently moved to a new company where the wireless infrastructure appears to have a lot of holes. I've been here just a hair under 2 months and am finding issues left and right, which for me is a welcome challenge, especially when it comes to wireless since this is not one of my strong suits.
So... Yesterday a user called into our service-desk with a complaint they could not connect wirelessly. Upon checking out the user I found they were not getting an IP address.
Background: This is a flex-connect site with local DHCP scopes local to the site.
... So after checking out the switch where the WAPs sit I found there was address exhaustion on the wireless range. Naturally, to relieve some pressure I was able to expand the range with no issues. However this got me and my manager thinking... The site does not have anywhere near the number of users that would exhaust the internal DHCP scope.
Today I am giving this a deeper look and found the problem of why exhaustion was occurring. The wireless DHCP range includes our guest network AND the corporate network. Big time uh oh... There should be some network separation (one scope for each WLAN).
So basically this site is operating insecurely and anybody with their cellphone can join the network, and effectively the corporate environment, with what seems to be no restriction.
So I compared a setup on our other regional controller for a FlexConnect site. It is different (I think built by a separate network engineer as well). It differs in that it has a separate DHCP scope for the normal corporate users and for the guest network on the switch. So we at a minimum have separation of networks for the two WLANs. I also confirmed this by checking the WLC config for the WAP: it supports VLANs and there are separate VLANs for the separate corporate and guest networks (this is what I would expect).
Now one thing that throws me, and here is really where my question is: aside from separation of subnets, I am trying to figure out just how exactly these guest network users would be restricted from internal resources. I found a video on YouTube (from 2013) where it explains having to configure a FlexConnect ACL to control traffic. However we are not doing this. So I hope we are doing something else. We DO use NAC for user ports, which I think means we are also using some form of AAA for wireless clients too...somehow. How that provides a separation of user access based on guest vs normal corporate access is a bit beyond my understanding at this point.
So at this point I have been poring over Cisco documentation and YouTube videos trying to figure it out. However a lot of what I have come across is old documentation. I am hoping our setup is more modern and utilizes simple stuff I don't quite understand yet. That said my MAIN questions are: What methods are out there that provide separation of access for a guest network, and exactly how would those be expected to work? (I believe the YouTube video I found is more of a legacy setup before NAC servers, which I know we have, so I think I need to be looking for something in that regard, but I don't know where else to be looking.)
I know we have some wireless gurus here and I know I am kind of asking some open ended stuff but any help at this level would be appreciated. Unfortunately the more senior engineer at the company isn't much help and I am not entirely sure he knows how it all works. I want to understand everything here and be able to make design recommendations since our wireless infra has been a big pain point.
Currently Studying: IE Stuff...kinda...for now...
My ultimate career goal: To climb to the top of the computer network industry food chain.
"Winning means you're willing to go longer, work harder, and give more than anyone else." - Vince Lombardi
Comments
-
Legacy User Unregistered / Not Logged In Posts: 0
I am no wireless guru by any means, but by recommended design we have our guest network on an anchor controller in the DMZ zone between firewalls. The corporate controller gets the hosts and sends a CAPWAP tunnel over to the anchor controller in the DMZ to forward the guest traffic. I attached a pic from Cisco's design page which basically shows a visual of how it flows.
-
Danielh22185 Member Posts: 1,195
Our wireless topology is a bit less sophisticated. We only have 2 controllers globally that maintain 53 WAPs. We do not have the budget for anchor controllers, so this is why I am thinking / hoping something else has been done to keep the traffic segmented.
Currently Studying: IE Stuff...kinda...for now...
My ultimate career goal: To climb to the top of the computer network industry food chain.
"Winning means you're willing to go longer, work harder, and give more than anyone else." - Vince Lombardi
-
Legacy User Unregistered / Not Logged In Posts: 0
Based on the lack of information I'd say to deconstruct the wireless and break it down piece by piece so you can understand how it works. Start from the remote site that's properly configured with FlexConnect and take a look at the config. Do a source ping from the guest network and see how far it goes on the corp side. Once you see where it stops, check out the network device to see if there are any ACLs. It would make sense if any ACLs were closer to the source: check the FlexConnect AP, local distribution switch or router, and possibly the firewall for any ACLs. The ACL can look like this:
deny guest network -> corporate network
permit all
To add, it could be VRFs configured that separate the networks.
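The "deny guest -> corporate, permit all" idea above, written out in Cisco IOS syntax as an added example (not the thread's configuration, and not the WLC-side FlexConnect ACL mentioned in the first post). It assumes a site where both WLANs are locally switched by the FlexConnect APs and the site's layer-3 switch holds the DHCP scopes; VLAN numbers, subnets and the resolver address are constructed.

```cisco
! Added example, not the thread's configuration. Constructed values:
!   VLAN 10 / 10.10.0.0/24 = corporate WLAN at the site
!   VLAN 20 / 10.20.0.0/24 = guest WLAN (separate scope fixes the shared range)
!   203.0.113.53           = resolver handed to guests (documentation range)
ip dhcp excluded-address 10.20.0.1
ip dhcp pool GUEST-WLAN
 network 10.20.0.0 255.255.255.0
 default-router 10.20.0.1
 dns-server 203.0.113.53
!
! Order matters: the permits guests depend on come before the denies.
ip access-list extended GUEST-WLAN-IN
 remark Guests must still be able to get a lease and resolve names
 permit udp any eq bootpc any eq bootps
 permit udp 10.20.0.0 0.0.0.255 host 203.0.113.53 eq domain
 permit tcp 10.20.0.0 0.0.0.255 host 203.0.113.53 eq domain
 remark Block every internal range, not just the one corporate subnet seen today
 deny   ip any 10.0.0.0 0.255.255.255 log
 deny   ip any 172.16.0.0 0.15.255.255 log
 deny   ip any 192.168.0.0 0.0.255.255 log
 remark Anything else (Internet via the site default route) is allowed
 permit ip 10.20.0.0 0.0.0.255 any
 remark Implicit deny drops packets whose source is not a guest address
!
interface Vlan20
 description Guest wireless (FlexConnect local switching)
 ip address 10.20.0.1 255.255.255.0
 ip access-group GUEST-WLAN-IN in
!
interface Vlan10
 description Corporate wireless (FlexConnect local switching)
 ip address 10.10.0.1 255.255.255.0
```

Verify it the way the reply suggests: a ping from a guest client to a corporate host should fail while Internet access still works, and show ip access-lists GUEST-WLAN-IN should show the deny counters climbing. Drop the log keyword on platforms where logged entries are software-switched.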