First we create a new VLAN. In this example it'll be vlan 42. The new guest-network will be 192.168.1.0/24, with the ASA being 192.168.1.1.
interface Vlan 42
 description my guest network
 nameif guest-network
 security-level 0
 ip address 192.168.1.1 255.255.255.0
mtu guest-network 1500

Add it to a trunk interface of your choosing. Let's assume Ethernet0/2.

interface Ethernet0/2
 switchport trunk allowed vlan x,y,z,42
 switchport trunk native vlan x
 switchport mode trunk

Let's configure a DHCP server, too.

dhcpd address 192.168.1.100-192.168.1.200 guest-network
dhcpd dns 8.8.8.8 interface guest-network
dhcpd enable guest-network
So much for the basic setup.
Of course we want to NAT traffic from the guest-network on the outside interface. On any standard setup you'll have a global pool in place already.
nat (guest-network) 1 192.168.1.0 255.255.255.0

To actually allow traffic across interfaces with the same security level you also have to specify this:

same-security-traffic permit inter-interface
Because the ASA injects its own authentication into HTTP(S) requests, we want the client to be able to use DNS without authentication. Then when HTTP is used the authentication form will pop up.
First, let's create a new local user on the ASA called guest-network.
username guest-network password 12345678 privilege 1
username guest-network attributes
 service-type remote-access

Of course you are not limited to local users. You could use any AAA mechanism that's supported. For simplicity's sake let's stick to a single local user account here.
Next let's set up the authentication rules.
aaa authentication match guest-network_authentication guest-network LOCAL
access-list guest-network_authentication extended deny udp any any eq domain
access-list guest-network_authentication extended permit ip any any
The ACL might seem backward, because it denies DNS and permits everything else. What it does is actually deny authentication for DNS, meaning access without authentication is granted.
The only thing left is to adjust the authentication timeout. The default timeout is 5 minutes. Unless you want whoever is on the guest-network to re-authenticate every 5 minutes, adjust it like this:

timeout uauth 3:00:00 absolute

The uauth timeout cannot be greater than the xlate timeout, which defaults to 3 hours. If that's not enough you have to increase the xlate timeout. Make sure you understand the implications of this parameter before changing it!
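As an added sanity check (not part of the original post), the following script reads an ASA config excerpt and verifies the two constraints discussed above: the uauth timeout must not exceed the xlate timeout, and every ACL bound with "aaa authentication match" must exempt DNS before its catch-all permit. The sample config is constructed from the commands shown on this page; the 0:05:00 and 3:00:00 defaults are the ASA defaults for uauth and xlate.

```python
import re

# Constructed sample based on the guest-network setup above; the
# "timeout xlate" line states the ASA default of 3 hours explicitly.
SAMPLE_CONFIG = """\
timeout xlate 3:00:00
timeout uauth 3:00:00 absolute
aaa authentication match guest-network_authentication guest-network LOCAL
access-list guest-network_authentication extended deny udp any any eq domain
access-list guest-network_authentication extended permit ip any any
"""

def hms_to_seconds(value):
    """Convert an ASA h:mm:ss timeout string to seconds."""
    h, m, s = (int(x) for x in value.split(":"))
    return h * 3600 + m * 60 + s

def get_timeout(config, name, default):
    """Return the configured 'timeout <name>' in seconds, or the default."""
    m = re.search(r"^timeout %s (\d+:\d+:\d+)" % re.escape(name), config, re.M)
    return hms_to_seconds(m.group(1) if m else default)

def auth_acl_names(config):
    """Names of ACLs referenced by 'aaa authentication match'."""
    return re.findall(r"^aaa authentication match (\S+)", config, re.M)

def acl_entries(config, name):
    """(action, rest) tuples of an extended ACL, in configuration order."""
    pat = r"^access-list %s extended (permit|deny) (.*)$" % re.escape(name)
    return re.findall(pat, config, re.M)

def check_config(config):
    """Return a list of findings; an empty list means both checks passed."""
    findings = []
    uauth = get_timeout(config, "uauth", "0:05:00")  # ASA default 5 min
    xlate = get_timeout(config, "xlate", "3:00:00")  # ASA default 3 h
    if uauth > xlate:
        findings.append("uauth timeout %ds exceeds xlate timeout %ds" % (uauth, xlate))
    for name in auth_acl_names(config):
        dns_exempt = False
        for action, rest in acl_entries(config, name):
            if action == "deny" and "eq domain" in rest:
                dns_exempt = True
                break
            if action == "permit" and "ip any any" in rest:
                break  # catch-all permit reached first: a later DNS deny is shadowed
        if not dns_exempt:
            findings.append("ACL %s does not exempt DNS from authentication" % name)
    return findings
```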
Admittedly, firmware v8.2 is not current, but the steps should work on 9.1 just as well. Keep in mind that the ACL syntax has changed in 8.3.