Tunnel Guest ssid Traffic with HQ keeping ISE guest portal

Comes here often

Tunnel Guest ssid Traffic with HQ keeping ISE guest portal




We are using Cisco Legacy WLC setup within our environment. For guest we are using WLC anchor ( sit within DMZ) solution to segregate guest ssid traffic from corporate traffic. ISE is placed within DMZ, which is pushing self registration/ sponsor page  for guest and this work fine. Now we are moving towards meraki and management request the same setup for Meraki as well. We have requirement to isolate guest ssid traffic by having guest ssid tunnel with Mx appliance in DMZ, which is quite clear. However, i am confused with role of ISE within DMZ segment, that how ISE will push radius attribute over the tunnel. 


Traffic flow is as follows.


Guest --- Guest ssid ( Tunnel)------Branch Gateway ------MPLS Cloud-----DC--DMZ---MX Appliance (Tunnel with guest ssid)-----Internet.


We need to have similar setup like legacy controller, where ISE is pushing guest login pages.

What is the best way to isolate guest traffic all the way from branch to DMZ and keeping ISE as self registration.

We do not have internet at branches.


3 Replies 3
Kind of a big deal
Kind of a big deal

The Meraki guest support is so great - their probably isn't any point to using Cisco ISE.


This article discusses using Cisco MR and ISE together.



If you are using sponsored access then here are the instructions on how to use this using the built in Meraki capability:



Here is another approach using a simpler splash page.



You could also have a stash of pre-printed PIN cards held at reception to give to guests to provide access.  This uses the billing engine and the pre-paid mode, but the value is set to nothing.




Typically you don't use the "old" WLC approach of tunneling to the DMZ.  Typically you just create a VLAN(s) for the guests, and have the SSID drop them into that network.  That VLAN typically terminates on a firewall somewhere and that controls access.

I say "old" approach - because when I challenge people on why they do this they don't usually have a good answer.  Often I get reasons like that is how it was done before.  Time to embrace change and a better way.



But if you really can't bare to change, then yes, you'll need to tunnel the SSID to an MX in the DMZ.  The MX will need to be running in VPN concentrator mode.



Thank you for response, even tough after posting question i found similar posts where i find similar answer as you mentioned in response to my query.


Regarding old design, the problem is about mind set and past investment done in other hardware's/technologies.


the only last thing, i need to know. Can i redirect guest user to ise portal (ISE placed in HO DMZ segment) having  Guest ssid tunnel  to MX appliance ( Sit in DMZ with concentrator mode).



Kind of a big deal
Kind of a big deal

I have heard of people using ISE for this - but I don't know how it is done.


I suspect it is done using CoA (change of authorisation).


I found this guide for using Cisco ISE for centralised guest authentication.


Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.