Hi everyone. I'm looking for some advice on deploying a new corporate and guest wifi setup in branch and campus locations, with ClearPass being used for authentication and for the guest captive portal.
The plan is to have a small local controller for each branch and a pair of larger controllers for the campuses, running AOS 8.x. These would talk back to Mobility Masters sitting in the DC, where ClearPass, DNS and DHCP all live. Each site is also going to have its own internet connection, so the company would like internet-bound traffic to egress locally and everything else that's internal to go back to the DC. I think I have the corporate wifi side all figured out in my head in terms of routing and authenticating back to ClearPass. What I'm not too clear on is how I can serve the same guest wifi experience for these locations.
I want to have the captive portal sitting on our internal ClearPass in the DC (not on the local controllers), but if I assign a local, non-routable subnet for the guests, how will their devices route over to the DC to register? Egressing out to the local internet seems like it would be simple enough, meaning their packets don't have to go to the DC for anything. DNS would be external, so it follows a default route towards the firewall for NATing.
Maybe I'm not knowledgeable enough on how to set this up, as I'm still fairly new to this, but I'm sort of stuck at the solutioning phase on how this would work. An alternative that's been brought up is to continue with the DMZ controllers we currently use for guest and have the local controllers tunnel back to them, but this doesn't work if the requirement is to force all internet traffic (corp & guest) out locally and not through the DC's internet pipes.
Appreciate any tips or recommendations. Thanks.