Wireless Access

Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

DMZ Controller Guest traffic in Aruba OS 8 recommendation deployment

  • 1.  DMZ Controller Guest traffic in Aruba OS 8 recommendation deployment

    Posted Feb 11, 2020 05:42 PM

    Hello guys,

    Right now we have a client which has the following scenario:

    Version 6.x

    2x Master Controllers in the central site, master/standby; it has a VRRP IP

    They have like 15 remote sites

    Each site has one controller in which they terminate their APs

    For example, Site A has 15 APs and all 15 APs terminate their tunnel in that controller

    So it's Master active / Master standby

    15 remote sites (all local controllers)

    1x DMZ controller in the central site which has an internet for all the guests of all the 15 sites

    Each remote site has a GRE tunnel for the guest traffic that points to the central site controller VRRP IP, and the central site controller has a GRE tunnel to the DMZ. I'm passing VLAN 800, which is my guest traffic, and that VLAN just exists in the controllers; it does not exist in the client's networks and is not routable.

    My question is simple, I think:

    Can I do the same scenario in version 8?

    Is this recommended in version 8?

    Is there a better way to manage this in version 8?

     

    Cheers

    Carlos



  • 2.  RE: DMZ Controller Guest traffic in Aruba OS 8 recommendation deployment

    EMPLOYEE
    Posted Feb 11, 2020 07:50 PM

    I don't see a reason why this design would not be doable with AOS8.

     

    My preference would be to have the remote sites tunnel directly to the DMZ controller, rather than hopping through the central controllers. I would either do user roles for guest users at the edge controller or at the DMZ controller, but having the user pass through the central controller does not add any functionality.



  • 3.  RE: DMZ Controller Guest traffic in Aruba OS 8 recommendation deployment

    Posted Feb 11, 2020 08:10 PM

    Hello Charlie, thanks for your answer

    If you do what you say, would my guest users show up in the WLAN controllers? I mean, it would not show as a wired user on the DMZ controller?

    The way I got it right now will correctly show what APs guest users are connected to in Airwave, which is nice.

    Also, I don't know if I should use multizone here, if it will benefit me in some way?

     

    Cheers

    Carlos

     



  • 4.  RE: DMZ Controller Guest traffic in Aruba OS 8 recommendation deployment

    Posted Feb 11, 2020 08:14 PM

    I guess I didn't type that I got master active and master standby, and all the 15 sites are local controllers. I just corrected that in my original post.



  • 5.  RE: DMZ Controller Guest traffic in Aruba OS 8 recommendation deployment

    EMPLOYEE
    Posted Feb 11, 2020 08:32 PM

    Multizone is probably not needed, but is an option. With multizone, the APs themselves (rather than the gateways) so that the guest SSID would tunnel directly from the AP to the DMZ controller without touching the datapath on the internal controllers.

     

    Where are you doing user authentication for the guest users in your current setup? I'm assuming captive portal, but not sure whether the captive portal is internal to the controller, external, or reachable specifically from the inside or DMZ controllers.



  • 6.  RE: DMZ Controller Guest traffic in Aruba OS 8 recommendation deployment

    Posted Feb 11, 2020 08:38 PM

    I'm doing the authentication on a ClearPass.

    The ClearPass can reach the controllers, and the controllers can reach ClearPass, for the specific ports I need only.



  • 7.  RE: DMZ Controller Guest traffic in Aruba OS 8 recommendation deployment

    Posted Feb 11, 2020 08:53 PM

    Forgot to mention to you that I'm using both interfaces, management and data

    The management is on the trusted zone and the data port is on the DMZ of the client.



  • 8.  RE: DMZ Controller Guest traffic in Aruba OS 8 recommendation deployment

    EMPLOYEE
    Posted Feb 11, 2020 09:20 PM

    You mentioned that the DMZ controller sees the guest users as wired users? So the DMZ controller is not trusting the GRE tunnel from the master controllers?



  • 9.  RE: DMZ Controller Guest traffic in Aruba OS 8 recommendation deployment

    Posted Feb 12, 2020 08:55 AM

    I didn't mention it, I was asking you. I did say "The way i got it right now will correctly show what APs guest users are connected to in Airwave which is nice", but before that I asked you if the guests will show correctly in the WLAN controllers and if they will not show as a wired user on the DMZ controller

    Sorry, I guess you have a hard time reading my English; it is not the best.

    I thought, or I misunderstood, what will happen with the guest clients; this was like 4 years ago.

    I could change them all in this new project to the DMZ controller if you think it's the best way to do it

    Is there any issue having it the way I got it? I really would like to know that as future reference.

     

    Thanks again for answering

     



  • 10.  RE: DMZ Controller Guest traffic in Aruba OS 8 recommendation deployment

    EMPLOYEE
    Posted Feb 12, 2020 11:56 AM

    My apologies for the confusion.

     

    When tunneling guests, the authentication could be handled either at the remote controller where the APs terminate (my preference), or on the DMZ controller. There are valid reasons for having the authentication performed on either of the controllers ... the DMZ may be the only controller that has IP routing for the guest user space. 

     

    If Airwave is correlating the guest user to an AP, then I believe the remote controllers are performing the authentication. This would also be fine in the AOS8 architecture as well, and would be my preference.



  • 11.  RE: DMZ Controller Guest traffic in Aruba OS 8 recommendation deployment

    Posted Feb 12, 2020 02:44 PM

    Hello Charlie, thanks for answering

    Right now I'm tunneling the guest VLAN to the Master controller in the central site, and I got another tunnel from the central site to the DMZ

    Now for the authentication, I should be authenticating them on the local controllers (remote controllers), because on the ClearPass I'm adding the local controllers as NADs to make it work; if I don't add them, well, it does not work.

    Now, is there any issue if I tunnel the GRE to the master controller instead of the DMZ directly? I see that you said that it does not add any functionality, but I was wondering if it is bad somehow.



  • 12.  RE: DMZ Controller Guest traffic in Aruba OS 8 recommendation deployment

    EMPLOYEE
    Posted Feb 12, 2020 02:57 PM

    All good info, thanks for the clarification and verification.

     

    Tunneling through the master controller is not bad. It adds an extra failure point, although you have mitigated that with a standby master. There could be extra complexity in the configuration and troubleshooting, but as it is working for you now, that is all okay.



  • 13.  RE: DMZ Controller Guest traffic in Aruba OS 8 recommendation deployment

    Posted Feb 12, 2020 03:07 PM

    Thank you for your patience Charlie!

     

    Thanks for your answers too