
MAG with Enterprise Guest licence

Joern_
New Contributor


Hello,

Just a short question.

We can restrict the traffic from our guest users to the internal LAN/Internet through the MAG as a Layer-2 device. But what about bi-directional traffic, or traffic from the Internet to our guests? I know that most of the time there is a hide-NAT after the traffic has passed the MAG. But just imagine that we have public IPs in the guest LAN. Is it possible to pass traffic initiated from the Internet to the guest LAN, e.g. VoIP or video traffic?

Or another example: you have some devices on the external interface of the MAG (switch, access points, ...) and you want to administer those devices without a management VLAN or something similar.

Is this possible?

Thanks for any response.

Joern

kalagesan_
Super Contributor

Re: MAG with Enterprise Guest licence

Hi Joe,

As long as the guest users connect to the MAG using a Layer-2 connection, it is up to the authenticator (switch or AP) to decide which VLAN or IP the guest user gets. Based on the VLAN assignment it can access and administer the other devices.

Regards,

Kannan

Raveen_
Regular Contributor

Re: MAG with Enterprise Guest licence

I am just wondering why this should be related to MAG/EGA!

Is it not something to be taken care of by NAT and a route to the device that you want to administer?

Joern_
New Contributor

Re: MAG with Enterprise Guest licence

Hello,

Maybe just another explanation.

Imagine you have a special room for external supporters. There you have one small switch, and the connection to your internal LAN is via the MAG with Enterprise Guest licence, because you don't want to open your complete network for those guys.

In this case the MAG works a little bit like a firewall. If you then need bi-directional traffic because the supporters must use a softphone client on their notebooks, how can we configure this?

I know that it would be easier to implement a real firewall, but it is just an intellectual game.

Joern

Raveen_
Regular Contributor

Re: MAG with Enterprise Guest licence

Alright, dot1x works at Layer 2 and provides port-based security.

In your case, if the users are connected to a switch, then the users can be assigned to a different VLAN, say a guest VLAN.

Your requirement is something to do with a firewall, not with the MAG.

If you have Juniper SRX firewall, you could integrate UAC/MAG with SRX and meet your requirement.

If it is feasible for you to deploy the OAC (Odyssey supplicant) client to your external supporters, then you could make use of the Host Enforcer feature available in MAG/UAC. The Host Enforcer feature pushes ACLs from the MAG/UAC to client machines with OAC installed.

Regards,

Raveen

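The "put a firewall in the path" suggestion from the reply above, as an added example that is not from the original thread and not taken from Juniper documentation: a hypothetical Junos SRX zone and policy fragment for the supporter room. The interface names, the zone names guest/trust/untrust, the policy names and the guest prefix 203.0.113.0/24 are all assumptions. It shows the asymmetry the original question is about: outbound sessions from the guest zone are permitted and tracked in the session table, so their replies need no rule; sessions that the Internet initiates towards the guest prefix are permitted only for the SIP application, with the SIP ALG opening the RTP pinholes for the media; and anything from the guest zone to the internal trust zone is denied and logged.

```junos
security {
    zones {
        security-zone guest {
            /* assumed: the supporter-room switch hangs off ge-0/0/1 */
            address-book {
                address guest-net 203.0.113.0/24;
            }
            interfaces {
                ge-0/0/1.0;
            }
        }
        security-zone trust {
            interfaces {
                ge-0/0/2.0;
            }
        }
        security-zone untrust {
            interfaces {
                ge-0/0/0.0;
            }
        }
    }
    policies {
        /* guest -> Internet: permitted; the session table lets the replies back in */
        from-zone guest to-zone untrust {
            policy guest-out {
                match {
                    source-address guest-net;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        /* Internet -> guest: only SIP signalling; the SIP ALG pinholes the RTP media */
        from-zone untrust to-zone guest {
            policy sip-in {
                match {
                    source-address any;
                    destination-address guest-net;
                    application junos-sip;
                }
                then {
                    permit;
                }
            }
        }
        /* guest -> internal LAN: denied explicitly so that attempts are logged */
        from-zone guest to-zone trust {
            policy guest-to-lan-deny {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    deny;
                    log {
                        session-init;
                    }
                }
            }
        }
    }
}
```

Two checks before relying on this: inter-zone traffic on an SRX is dropped by default, so the explicit deny exists for logging rather than for enforcement, and the inbound SIP policy depends on the SIP ALG being active (`show security alg status`). With `source-address any` the inbound rule lets any host on the Internet start SIP signalling to the guest prefix; if the softphones register against a known SIP provider, narrow that source to the provider's addresses, and run `commit check` before committing.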