just a short question.
We can restrict the traffic from our guest users to the internal LAN/Internet through the MAG as a Layer-2 device. But what about bi-directional traffic, or traffic from the Internet to our guests? I know that most of the time there is a hide-NAT after the traffic has passed the MAG. But just imagine that we have public IPs in the guest LAN. Is it possible to pass traffic initiated from the Internet to the guest LAN, e.g. VoIP or video traffic?
Or another example: you have some devices on the external interface of the MAG (switch, access points, ...) and you want to administer those devices without a management VLAN or something similar.
Is this possible?
Thanks for any response
As long as the guest users connect to the MAG using a Layer 2 connection, it's up to the authenticator device (switch or AP) to decide which VLAN or IP the guest user gets. Based on the VLAN assignment it can access and administer the other devices.
I am just wondering why this should be related to MAG/EGA!
Is it not something to be taken care of by NAT and a route to the device that you want to administer?
maybe just another explanation.
Imagine you have a special room for external supporters. There you have one small switch, and the connection to your internal LAN is via the MAG with an Enterprise Guest licence, because you don't want to open your complete network for those guys.
In this case the MAG works a little bit like a firewall. If you then need bi-directional traffic because the supporters must use a softphone client on their notebooks, how can we configure this?
I know that it should be easier to implement a real firewall, but it's just an intellectual game.
Alright, dot1x works at Layer 2 and it provides port-based security.
In your case, if the users are connected to a switch, then the users can be assigned to a different VLAN, say, a guest VLAN.
Your requirement is something to do with a firewall, but not with MAG.
If you have Juniper SRX firewall, you could integrate UAC/MAG with SRX and meet your requirement.
If it is feasible for you to deploy the OAC (Odyssey supplicant) client to your external supporters, then you could make use of the host enforcer feature available in MAG/UAC. The host enforcer feature pushes ACLs from MAG/UAC to the client machines that have OAC installed.
Note: If this answers your question, you could mark this as the accepted solution; that way it benefits others as well. Kudos will be cool.
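To make the "this is a firewall job" answer concrete, here is an added example that is not part of the thread: a Junos SRX zone/policy fragment for the scenario in the question, where the guest LAN carries public IPs and a softphone must accept Internet-initiated SIP calls. Zone names, interfaces, the 203.0.113.0/24 guest prefix and the 198.51.100.10 VoIP provider address are all assumed for illustration; the UAC/SRX integration itself is not shown.

```junos
# Added example (not from the original post). Interfaces, zones and
# addresses below are assumptions chosen for illustration.
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone guest interfaces ge-0/0/2.0
set security address-book global address guest-lan 203.0.113.0/24
set security address-book global address voip-provider 198.51.100.10/32

# Guests may initiate anything outbound; the stateful session table
# carries the replies back without a separate inbound rule.
set security policies from-zone guest to-zone untrust policy guest-out match source-address guest-lan
set security policies from-zone guest to-zone untrust policy guest-out match destination-address any
set security policies from-zone guest to-zone untrust policy guest-out match application any
set security policies from-zone guest to-zone untrust policy guest-out then permit

# Only the VoIP provider may open sessions inward, and only SIP.
# The SIP ALG then pins the RTP ports negotiated in the SDP, so no
# blanket "UDP any" hole is needed for the media streams.
set security policies from-zone untrust to-zone guest policy voip-in match source-address voip-provider
set security policies from-zone untrust to-zone guest policy voip-in match destination-address guest-lan
set security policies from-zone untrust to-zone guest policy voip-in match application junos-sip
set security policies from-zone untrust to-zone guest policy voip-in then permit
set security policies from-zone untrust to-zone guest policy voip-in then log session-init

# Everything else from the Internet towards the guest LAN is dropped
# and logged, so the guest room stays closed apart from the SIP path.
set security policies from-zone untrust to-zone guest policy deny-rest match source-address any
set security policies from-zone untrust to-zone guest policy deny-rest match destination-address any
set security policies from-zone untrust to-zone guest policy deny-rest match application any
set security policies from-zone untrust to-zone guest policy deny-rest then deny
set security policies from-zone untrust to-zone guest policy deny-rest then log session-init
```

Two things to check before relying on this: the `voip-in` policy must sit above `deny-rest` (Junos evaluates policies in order within a zone pair), and the SIP ALG has to be enabled (it is by default) for the dynamic RTP pinholes to be opened. If the guest LAN is behind a hide-NAT instead of using public addresses, an inbound SIP rule alone is not enough; a static or destination NAT mapping to the softphone host would be needed as well.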