Creating guest wireless on WCS 4402

Hi guys,

I have the task of creating a guest wireless SSID for my company. We have about 15 WAPs on a 4402 WCS. I was told to come up with a procedure of what the steps would be for implementing this project.

I need some advice on what steps to take for this procedure on how would you guys implement this project.

I think I should be creating a test network on the WCS and maybe some dummy SSID so that I can test it out first. I guess I might need some testing VLANs too.

Anything that you guys have that you can throw at me please do.

If you have done it before and have a great methodical system that works please share.

I need to be as detailed as possible in this procedure/presentation when submitting it to my manager and upper management.

Thanks in advance!
Top Expert 2014

I have implemented lots of Cisco WLANs including Guest services. The most secure way is always to use a Guest anchor controller in a DMZ, but that is probably way out of scope for your project. You would probably be better off creating a VLAN which isn't routable across your network and connecting an internet feed to it from your firewall.

Have a read...

Deploying a guest network is different for every network, depending on how you want to control access, how secure you want it to be, where internet will be provided from, etc. The doc I linked describes how Cisco implemented Guest Wireless at their own office, so it is far more appropriate to refer to that when trying to convince your boss :-)

There are also some great configuration examples on the Cisco website, but many are a little out-of-date.  The principles still apply though.
What about from a planning point of view? What are some of the steps I might want to put down on paper for a presentation?

I have to get this approved before I can even set up a test environment, which is what they want me to do first. Set it up on a test network and make sure everything is nice and smooth before implementing it.
Top Expert 2014
OK, so the first thing is security. You need to recommend that the Guest network doesn't have a route into your LAN, apart from through your firewall, or a separate firewall.

You need to create a new VLAN on your network, so to ensure you don't allow routing across your LAN you need to specify that the VLAN doesn't have an SVI or routed interface at your core network.

These two points are VITAL in creating a secure Guest network.

Steps to implement...

1] Create a VLAN on your network and add it to your trunks (if necessary).
2] Create an interface on your WLC and set the VLAN ID to whatever your Guest VLAN is.
3] Create an SSID on the WLC for your Guest network and attach it to the Guest interface you created.
4] Configure authentication method for the Guest SSID (Web-Authentication Redirect, PSK, or none).
5] Connect an interface on your firewall to the Guest VLAN.
6] Configure an Internal DHCP scope on the WLC to assign IP addresses to Guests.
7] Create an ACL on the WLC to further restrict access to your LAN (just an extra level of security).
8] Configure a user account on the WLC with LobbyAdmin rights.
9] Create Guest users on the WLC by logging in to the GUI using the LobbyAdmin user you created.
10] Test it!
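The ten steps above, worked through as an added example on the core switch and WLC CLI (this is not configuration from the original thread or from Cisco's guest-networking document). It assumes an IOS core switch, the AireOS CLI of the 4402, VLAN 150 for guests, 172.16.150.0/24 for the guest subnet with the firewall's guest interface at .1 and the WLC dynamic interface at .2, a WLC management address of 10.1.1.10, corporate space in 10.0.0.0/8 and 192.168.0.0/16, WLAN ID 2, and a DNS resolver at 203.0.113.53; every name and address is a placeholder. Lines beginning with `!` are annotations (IOS treats them as comments; on the WLC they are not commands and should not be pasted).

```text
! ===== Core switch (IOS): VLAN exists and is trunked, but is NOT routed here =====
vlan 150
 name GUEST-WIFI
!
interface GigabitEthernet1/0/1
 description Trunk to WLC 4402
 switchport mode trunk
 switchport trunk allowed vlan add 150
!
interface GigabitEthernet1/0/2
 description Firewall guest interface (step 5)
 switchport mode access
 switchport access vlan 150
!
! Deliberately NO "interface Vlan150": the core must not own a gateway in this VLAN.
! Check:  show ip interface brief | include Vlan150     -> must return nothing

! ===== WLC 4402 (AireOS CLI) =====
! Step 2: dynamic interface bound to the guest VLAN
config interface create guest 150
config interface address guest 172.16.150.2 255.255.255.0 172.16.150.1
config interface port guest 1

! Step 6: internal DHCP scope; clients on "guest" are pointed at the WLC itself
! (assumption: 10.1.1.10 is the management interface address)
config interface dhcp guest primary 10.1.1.10
config dhcp create-scope guest-scope
config dhcp network guest-scope 172.16.150.0 255.255.255.0
config dhcp address-pool guest-scope 172.16.150.10 172.16.150.250
config dhcp default-router guest-scope 172.16.150.1
config dhcp dns-servers guest-scope 203.0.113.53
config dhcp enable guest-scope

! Steps 3-4: guest WLAN with web authentication (WPA is on by default, so turn it off)
config wlan create 2 Guest Guest
config wlan interface 2 guest
config wlan security wpa disable 2
config wlan security web-auth enable 2

! Step 7: ACL as a second line of defence; WLC ACLs end in an implicit deny,
! so the final "permit" rule is required for internet traffic to pass
config acl create guest-acl
config acl rule add guest-acl 1
config acl rule destination address guest-acl 1 10.0.0.0 255.0.0.0
config acl rule action guest-acl 1 deny
config acl rule add guest-acl 2
config acl rule destination address guest-acl 2 192.168.0.0 255.255.0.0
config acl rule action guest-acl 2 deny
config acl rule add guest-acl 3
config acl rule action guest-acl 3 permit
config acl apply guest-acl
config interface acl guest guest-acl

! Step 8: lobby ambassador account; step 9 is done in the GUI with this login
config mgmtuser add lobby <strong-password> lobby-admin

config wlan enable 2
save config

! Step 10: verify on the controller ...
show interface detailed guest
show wlan 2
show dhcp summary
show acl detailed guest-acl
! ... and from a guest client: web-auth portal appears, internet works,
! and a ping/connect to any 10.x or 192.168.x address fails.
```

The test that matters is the negative one: from a guest client, a connection to any corporate address must fail both because the core has no SVI to route it and because the WLC ACL drops it. If either check alone passes, the other layer is misconfigured.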
Thanks for the feedback. I just finished putting together what I thought was a solid doc lol and was drilled with a few more questions.

For user authentication would you guys use RADIUS authentication or TACACS?
Also, my existing hardware is a WCS 4402, firewall, switch and router. My internal/private wireless network is on the existing 4402. Would I be able to add another network as my guest wireless network with either TACACS or RADIUS authentication on that WCS? Or am I going to need more hardware?

Please advise and sorry for the delay in the response.

BTW: I read the Cisco doc and it was a good one, but about 6 years old. They were referring to a BBMS that is no longer on the market.
Top Expert 2014

User authentication - RADIUS is for user authentication, TACACS is for ADMIN authentication. If they mean would you use a RADIUS server or ACS server, it doesn't matter as long as the server can process EAP-based authentication. This is a Guest network though, so you'll need to employ a method of securing it without using certificates or adding configuration to the client's device, therefore RADIUS isn't really used to secure Guest networks - you'd use the Web Authentication method on the WLC instead.

You can add the Guest network to the existing kit without a problem, as long as you have a spare interface on your firewall and can trunk a VLAN across your network.

Apologies if the old link appeared to be irrelevant.  It explains the concept very well though so I thought it would provide some good ammo.
The old link was great and gave me a good starting point and direction. This guest wireless is really for internal employees and they should be authenticating with either RADIUS or TACACS.

Now I have to give a good explanation of which one I think we should use. So you think go with RADIUS?
Top Expert 2014

Yes you should go with RADIUS.  TACACS+ is for authenticating administrative users (when connecting to the switch or WLC to manage it, for example) and not for authenticating normal users.

You can use a TACACS+ server, such as a Cisco ACS, to do the RADIUS though (it does both) if you already have one. Otherwise Microsoft IAS/NPS will be fine for authenticating your domain users.

You will need an existing PKI in place first though if you want to use RADIUS to authenticate users.
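The RADIUS variant the thread is now heading towards, as an added example (not configuration posted by either participant): the guest WLAN re-secured as WPA2-Enterprise with 802.1X against the existing ACS, on the AireOS CLI of the 4402. It assumes the guest WLAN has WLAN ID 2 and was previously set up with web authentication, that the ACS listens for RADIUS at 10.1.1.20 on UDP 1812, and a placeholder shared secret. The PKI point above applies here: with PEAP the ACS presents a server certificate from that PKI, and the clients must trust the issuing CA or they will either fail the connection or be open to a rogue AP impersonating the SSID. Lines beginning with `!` are annotations, not WLC commands.

```text
! Define the ACS as RADIUS authentication server index 1
config radius auth add 1 10.1.1.20 1812 ascii <shared-secret>
config radius auth enable 1

! Take the WLAN down while changing its security, then swap web-auth for 802.1X
config wlan disable 2
config wlan security web-auth disable 2
config wlan security wpa enable 2
config wlan security wpa wpa2 enable 2
config wlan security wpa wpa2 ciphers aes enable 2
config wlan security wpa akm 802.1x enable 2
config wlan radius_server auth add 2 1
config wlan enable 2
save config

! Verify the server binding and WLAN security settings
show radius summary
show wlan 2

! During a test logon, watch the RADIUS exchange; turn debugging off afterwards
debug aaa all enable
show client detail <client-mac>
debug aaa all disable
```

The WLC still needs to be defined as a AAA client (RADIUS, same shared secret) on the ACS side, and the ACS must be joined to Active Directory for the domain-user lookup the answer above describes; both are ACS configuration, not WLC commands.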
I do have a cisco ACS in place, which we use for admin authentication to our switches (just like you stated above).

Would you use the Cisco ACS or RADIUS?
Top Expert 2014

The ACS is ideal... you can link it to your Active Directory easily.
OK, I will go with the ACS. Thanks for all your help.

One last thing. Will this still be considered RADIUS authentication or ACS authentication?
Top Expert 2014

When users connect to the wireless network this will be RADIUS authentication.  When an administrator connects to a switch and enters his/her username this will be TACACS authentication.

You were awesome.

Thanks man. Once I have put this wireless network together I will respond here and give you an update.

Thanks again
