I run wireless IB virtual gateway and it works pretty well. IMHO this is one of the few bright spots with this product.
I set up a separate DHCP server because I route multiple VLANs through the CAS (and I guess in this mode it is the only choice given on the DHCP setup screen, at least it is on mine). This also allows me to provide complete information to each DHCP client. Plus, for those headed to my corporate LAN I can route their DHCP to my corporate Active Directory DHCP servers, which saves a lot of work. I use different wireless networks (SSID, etc.) for different roles, and each wireless network is assigned its own VLAN by the WAP. I use RADIUS authentication and MSCHAP v2 for attaching to my corporate VLAN, and a simple WPA pre-shared key to provide internet-only access to visitors. We are in a rural area, and if somebody wants to park in the cow pasture or in front of the FFA pig farm to steal some bandwidth, I guess that's not the worst thing in the world. They won't get on my corporate LAN without going through NAC and authentication.

Setting up RADIUS was a bit tricky, as I needed to route RADIUS traffic to my RADIUS server and set up rules in the firewall to allow it from the auth LAN to the RADIUS server. My corporate users are set up with SSO, which was a PAIN to set up in Clean Access, but if you don't have too many DCs and you follow the Cisco instructions EXACTLY, NOT SKIPPING OR CHANGING ANYTHING, they work great. Kudos to whoever wrote the instructions for setting up SSO. BTW, I may still have my copy of the instructions if you need them.

Make sure you enter each VLAN from your WAP in the managed subnet screen. Also enable VLAN mapping and add the mapping for your topology. I also had to add (and this was weird) a specific route to my corporate (access VLAN) via the UNTRUSTED link on the static route screen. I also added /32 routes to my AD servers via the TRUSTED link. That ensured that authentication traffic reached the AD servers, but no other untrusted user traffic would. I learned that after working with TAC.

For my AD servers I have a gateway entry (the address of the firewall), but for my untrusted route I have none. Finally, I entered the proxy server ports in the Proxy screen, but not the IP of the proxy server (which is also my firewall and default gateway out to the world). I provide the gateway address via DHCP. I set this up a long time ago, and some of it looks weird now even to me. Also, this was set up on version 3.8. It still works on version 4.5, but I do not know if it is (or ever was, for that matter) a recommended practice. It works for us. We give visitors our pre-shared key, and they have internet access via wireless quicker and easier than at most hotels. The only ones I have problems with are people who have preexisting proxy settings in their browser, and that is easy to fix.

A caveat: wireless users are unauthenticated before they are logged in and remediated, so be careful of the traffic filters you set up in your unauth role. I accidentally bypassed all wireless authentication for a few days while working on OOB VG setup for wired clients (which is NOT a bright spot of this product, but that is another story). To quote Christopher Walken, "Whoops."

In summary, the hard parts (for me) were getting the WAP properly provisioned for RADIUS authentication and getting the unauth and auth traffic routed properly (that hung me up FOREVER; the static routes fixed that). The rest was pretty easy. Good luck,

Dan Sichel
Ponderosa Telephone
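The post's two security-relevant points are the /32 routes that let only authentication traffic reach the AD servers and the caveat that wireless clients sit in the unauth role, so that role's traffic filters are the only thing keeping strangers off the corporate LAN until they log in. Below is an added example, not from the post above and not a Cisco or Clean Access tool: a small offline model of a first-match ACL, used to audit an unauth-role policy against the flows you expect it to allow and deny. It also shows how a single catch-all "allow" left at the top of the list (the kind of thing that produces the "Whoops" described above) silently opens everything. Every address, port set and rule name is constructed for illustration; the CAS traffic-policy UI itself is not modeled.

```python
"""
Added example (hypothetical, not the poster's configuration and not Cisco code):
evaluate an unauthenticated-role traffic policy as a first-match ACL and report
every test flow whose outcome differs from what the designer intended.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                              # "allow" or "deny"
    proto: str                               # "tcp", "udp" or "any"
    src: str                                 # source CIDR the rule matches
    dst: str                                 # destination CIDR the rule matches
    dports: Optional[FrozenSet[int]] = None  # None means any destination port


@dataclass(frozen=True)
class Flow:
    name: str
    proto: str
    src: str
    dst: str
    dport: int


def decide(rules: List[Rule], flow: Flow) -> str:
    """First matching rule wins; a flow no rule matches is implicitly denied."""
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    for r in rules:
        if r.proto != "any" and r.proto != flow.proto:
            continue
        if src not in ip_network(r.src) or dst not in ip_network(r.dst):
            continue
        if r.dports is not None and flow.dport not in r.dports:
            continue
        return r.action
    return "deny"


def audit(rules: List[Rule], flows: List[Flow],
          expected: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (flow name, expected, actual) for every flow the policy mishandles."""
    return [(f.name, expected[f.name], decide(rules, f))
            for f in flows if decide(rules, f) != expected[f.name]]


# Constructed addresses (hypothetical, chosen only to make the example run).
UNAUTH_NET = "10.30.0.0/24"                       # where unauth wireless clients land
CORP_NET = "10.10.0.0/16"                         # corporate access VLAN behind the CAS
DCS = ("10.10.1.10/32", "10.10.1.11/32")          # the AD hosts reached via /32 routes
RADIUS_SRV = "10.10.2.5/32"
WAP = "10.20.0.2/32"                              # the access point is the RADIUS client
AUTH_PORTS = frozenset({53, 88, 389})             # DNS, Kerberos, LDAP
RADIUS_PORTS = frozenset({1812, 1813})

# Intended unauth-role policy: auth protocols to the DCs only, RADIUS from the WAP only,
# then an explicit deny for the whole corporate network.
TIGHT = [Rule("allow", "any", UNAUTH_NET, dc, AUTH_PORTS) for dc in DCS] + [
    Rule("allow", "udp", WAP, RADIUS_SRV, RADIUS_PORTS),
    Rule("deny", "any", "0.0.0.0/0", CORP_NET),
]

# The same policy with a catch-all left at the top while debugging something else.
LOOSE = [Rule("allow", "any", "0.0.0.0/0", "0.0.0.0/0")] + TIGHT

# Constructed test flows: 10.30.0.50 is an unauthenticated client.
FLOWS = [
    Flow("kerberos_to_dc", "tcp", "10.30.0.50", "10.10.1.10", 88),
    Flow("ldap_to_dc", "tcp", "10.30.0.50", "10.10.1.11", 389),
    Flow("smb_to_dc", "tcp", "10.30.0.50", "10.10.1.10", 445),
    Flow("smb_to_fileserver", "tcp", "10.30.0.50", "10.10.5.20", 445),
    Flow("http_to_intranet", "tcp", "10.30.0.50", "10.10.5.30", 80),
    Flow("radius_from_wap", "udp", "10.20.0.2", "10.10.2.5", 1812),
    Flow("radius_from_client", "udp", "10.30.0.50", "10.10.2.5", 1812),
]
EXPECTED = {
    "kerberos_to_dc": "allow", "ldap_to_dc": "allow",
    "smb_to_dc": "deny", "smb_to_fileserver": "deny",
    "http_to_intranet": "deny", "radius_from_wap": "allow",
    "radius_from_client": "deny",
}

if __name__ == "__main__":
    for label, policy in (("tight", TIGHT), ("loose", LOOSE)):
        print(label, "violations:", audit(policy, FLOWS, EXPECTED))
```

Run against the tight policy the audit returns an empty list; against the loose policy it flags every flow that should have been denied, including SMB to a domain controller, which the port-scoped /32 allow correctly blocks in the tight version. The useful habit is to keep the expected-outcome table next to the policy and rerun the audit whenever a rule is added "temporarily".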
