topic guest access list in Wireless

guest access list

mohammad abdul jawad — Sun, 04 Jul 2021 04:48:33 GMT

i have controller 5508

i configure vlan 10 for guest and name guest-inter

ip 10.0.10.2/24

default gateway 10.0.10.254 ( ip address fo core switch)

dhcp server ( 10.20.10.10/24) ( ip dhcp server is the same ip for DNS server )

i create ssid name gest and choose interface guest-inter and choose web authentication

also there is blue coast proxy for internet 10.30.10.10/24

i need guest user to access internet only

what the access list need to apply for guest in the WLC to permite internet only

i configured the access list in the controller and applied in the guest-inter interface

1- permit any any udp (source port dns) ( destination port any) (direction any )

2-permite any any udp ( any ) ( dns) (any)

3- permite any 10.20.10.10 ip any any any

4-permite 10.20.10.10 any ip any any any

5-permite any 10.30.10.10 ip any any any

6- permite 10.30.10.10 any ip any any any

i put user name and password for guest and disply page access sucessful and stop

after that i can not access internet

please advice me

guest access list

nikhilcherian — Sat, 17 Mar 2012 04:49:15 GMT

I would rather put an ACL to block the inside access, as given below

permit ip any 10.30.10.10 ( here you can give a mask of 255.255.255.255 and specificallly the proxy port)

permit ip any 10.20.10.10/24 ( ( here you can give a mask of 255.255.255.255 and the DNS port )

deny ip 10.0.10.2/24

permit ip any

What is the image that you are using in the WLC, if the build is above 7.0.116.0 enable "WebAuth Proxy Redirection Mode" from the Controller page

Thanks

NikhiL

guest access list

George Stefanick — Sun, 18 Mar 2012 18:10:03 GMT

You need to identifiy your interfaces in the WLC as inbound and outbound. I just did a number id ACLs on the WLC for ISE and I had the same problem. Once I added the inbound and outbound life was good. Give that a shot.

guest access list

mohammad abdul jawad — Mon, 19 Mar 2012 00:20:36 GMT

I worked by the same things you mentioned but unfortunately the same thing ther is no changing .
Please if you have practical technical document for guest access-list send to me

or advice me .

thanks

Re: guest access list

Stephen Rodriguez — Mon, 19 Mar 2012 00:56:36 GMT

Whatever you allow out, you need to explicitly allow back in as well. Unlike applying the acl to a svi where you only need one way.

That being said. I'd put the acl on the gateway svi instead if on the WLC.

Steve

Sent from Cisco Technical Support iPhone App

Re: guest access list

mohammad abdul jawad — Mon, 19 Mar 2012 07:06:15 GMT

I applied the access list in two directions, even before the possible but i forget to mentioned in my previous letter
I will try to apply in the layer 3 core switch and i will tell you the result .