© 2020 Cisco and/or its affiliates. All rights reserved.
encapsulated right from the fabric edge node to the Guest Border/Control Plane node in the DMZ, providing
total isolation from enterprise data traffic.
For more information, see the Software-Defined-Access Solution Design Guide, at https://cs.co/sda-sdg.
Cisco Catalyst 9100 Series EWC deployments guest wireless
Cisco Catalyst 9100 Series EWC deployments do not support a dedicated guest anchor wireless controller. As
with FlexConnect locally switched deployments, the guest WLAN/SSID can be locally switched to a VLAN within
the branch which provides direct Internet access (DIA).
All guest wireless deployments—authentication and access control
Regardless of the wireless deployment option, the wireless guest network typically provides the following
functionality:
● Provides Internet access to guests through an open wireless SSID, with web authentication access control.
● Supports the creation of temporary authentication credentials for each guest by an authorized internal user.
● Keeps traffic on the guest network separate from the internal network in order to prevent a guest from
accessing internal network resources.
Most organizations’ IT departments choose to have guest wireless users authenticate first, before allowing
access to the Internet. This step is sometimes accompanied by the guest user reading and agreeing to an
acceptable use policy (AUP) or end-user agreement (EUA) before accessing the Internet. Since the
organization’s IT department typically has no control over the hardware or software capabilities of guest
wireless devices, the authentication and authorization decision is often based on only a guest userid and
password. In other words, the device with which the guest is accessing the network may not be considered for
any policy decision. A typical way of implementing guest user authentication is through the guest user’s web
browser, a method known as web authentication or WebAuth. With this method of authentication, the wireless
guest must first open his or her web browser, or mobile app with embedded browser, to a URL located
somewhere within the Internet. The browser session is re-directed to a web portal that contains a login page
that requests login credentials. Upon successful authentication, the guest user is either allowed access to the
Internet or redirected to another web site. This authentication method is also known as a captive portal.
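The guest functions listed above (sponsor-created temporary credentials, WebAuth redirection, and separation from the internal network) can be modeled as one policy decision point. The following is an added example, not taken from this guide or from any Cisco product: the GuestGateway class, the portal URL, the internal address ranges, the 8-hour credential lifetime and the mandatory AUP acceptance are all assumptions, and pre-authentication DHCP/DNS handling is left out.

```python
import hashlib, hmac, ipaddress, os
from datetime import timedelta

PORTAL_URL = "https://guest-portal.example.net/login"  # assumed portal address
INTERNAL_NETS = [ipaddress.ip_network(n)               # assumed internal ranges
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def _kdf(password, salt):
    # Store a salted derived key, never the guest password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class GuestGateway:
    """Toy model of a guest SSID policy point (hypothetical, not a Cisco API)."""

    def __init__(self):
        self.accounts = {}   # userid -> (salt, password hash, expiry)
        self.sessions = {}   # client MAC -> time the session stops being valid

    def sponsor_create(self, userid, password, now, lifetime_hours=8):
        # An authorized internal user issues a temporary guest credential.
        salt = os.urandom(16)
        expiry = now + timedelta(hours=lifetime_hours)
        self.accounts[userid] = (salt, _kdf(password, salt), expiry)

    def login(self, mac, userid, password, aup_accepted, now):
        # Only userid/password and AUP acceptance are evaluated; the device is not.
        account = self.accounts.get(userid)
        if account is None or not aup_accepted:
            return False
        salt, stored, expiry = account
        if now >= expiry or not hmac.compare_digest(stored, _kdf(password, salt)):
            return False
        self.sessions[mac] = expiry  # session ends when the credential expires
        return True

    def decide(self, mac, dst_ip, dst_port, now):
        # Isolation is checked first, so it holds before and after authentication.
        if any(ipaddress.ip_address(dst_ip) in net for net in INTERNAL_NETS):
            return "DENY"
        expiry = self.sessions.get(mac)
        if expiry is not None and now < expiry:
            return "PERMIT"
        if dst_port == 80:
            return "REDIRECT " + PORTAL_URL  # unauthenticated HTTP goes to the login page
        return "DENY"                        # other traffic is blocked before login
```

Because the session is keyed only on the client MAC address and a userid/password check, the model makes visible what the paragraph states: nothing about the guest device itself enters the policy decision.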
There are multiple ways of authenticating guests on WLANs, such as the following:
●