I have a Cisco 5508 WLC with a guest network set up on it. The WLAN uses local authentication and grants access through an ASA to the Internet.
I just found out that the customer now wants to limit where wireless clients can go on the Internet by URL, etc. Since the wireless clients have to use the WLC as a proxy in order to join the network, I am not sure the best way to accomplish this.
How is this typically done in a reasonable and economical manner?
You will need a content filter. If there is not too many users/bandwidth then you could use a Meraki MX60 ($495 list) or MX80 ($1995) to filter the traffic.
Since the wireless users have to use the WLC for a proxy, how would the Meraki filter URLs?
Can it do wccp? Some kind of transparent proxy function?
The WLC only does the proxy for the Web-auth, after the user has successfully authenticated there is no more proxy. Be careful when setting up web filtering for Web-auth if the web page the station is trying to hit can not be resolved by DNS then the Web-auth page will fail to come up.
I hope this helps.
For this case we have option CPU ACLs
this feature were introduced with WLC firmware release 4.0.
Go through below link for further configuration detail.