Hi
This could be posted under guest, but it's more of a general design issue than providing and authenticating guest access. I could use your input on how to accomplish this. The essence is that we go from an internal captive portal to ClearPass and at the same time introduce a new ISP/internet connection that only the guests should use. Tried to separate the Guest network as much as possible.
I've read through the VRDs, but can't say that this is covered there.
The scenario is as follows.
Current setup
- Master-standby 3600
- MGMT and default gw - VLAN 23
- Layer 3 for Employee - VLAN 13
- Layer 2 for Guests - VLAN 18
- The Controller terminates both CAPs and RAPs.
- Controller is Captive Portal and DHCP for Guests
Both guests and employees surf via the same internet connection. RAPs establish tunnels through the same connection.
Needed setup
- Master-standby 3600
- Layer 3 for Employee - VLAN 13
- MGMT and default gw - VLAN 23
- Layer 2 for Guests - VLAN 64
- The Controller terminates both CAPs and RAPs.
- New ISP connection for Guests - VLAN 38
- ClearPass Guest is Captive Portal and guest authentication server. Resides in VLAN 64
Guests should surf through a new ISP connection established on VLAN 38.
Employees should continue to surf through the connection established on their gateway in VLAN 13.
What's the best way to implement this?
Is it viable, or should we go about this differently?
In what VLAN should the controller's default gateway be?
Where should I place the ClearPass - and should we use both MGT and LAN interfaces?
What kind of static routes should I use?
The things we've done haven't really worked out.
We changed the default gateway for the controller to VLAN 38, but then all our RAPs stopped working. They came in through VLAN 23, but the controller sent the traffic out on VLAN 38, so that was no good.