
ACL for Guest access - Web Authentication settings

Hi,

I am trying to restrict guest users only to HTTP/HTTPS traffic, while my guest users are authenticating with internal Web Auth (LobbyAdmin).

When I am applying the following ACL configuration on interface "GUEST-ACL", guest users are getting a proper IP --> redirection to the Web login page --> authenticated --> but the page is not redirecting to the requested page, e.g. www.google.com.

Am I missing any port or protocol in these ACLs, so that after getting authenticated, the page will redirect to the desired page? Please advise.

Device info: 4402, code 7.0.98.0, Web Auth login: internal

ACL configuration

permit any IP/255.255.255.255  udp dhcp-c dhcp-s any Outbound

-allows any traffic to make a dhcp request

permit IP/255.255.255.255 any udp dhcp-s dhcp-c any Inbound

-allows the dhcp server to respond to the client request

permit any IP/255.255.255.255 tcp DNS any any any

-dns traffic to and from...

permit any any tcp http any any any

-allow http traffic anywhere

permit any any tcp https any any any

-allow https traffic anywhere

Thanks

Accepted Solutions

Stephen Rodriguez
Cisco Employee

Irfanullah,

Try changing the DNS ACL from tcp to udp. TCP is used for zone transfers, which the guest shouldn't be doing in your network.

Cheers,
Steve

--

If  this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered


Ven Taylor
Level 4

Take the controller out of the equation for a second.

Have you tested the subnet itself to see if you can reach google.com?

What does your vlan interface configuration look like?

We have a similar setup.  Our router is the DHCP server.  We had to define the DNS server (used OpenDNS).

Can you share more of your config?

Regards,

Ven

Ven Taylor

Thanks for the reply.

I have tested the DNS ACL with both TCP & UDP but it didn't work... any other suggestion?

When you have connected to the guest network, prior to authenticating, try to do an nslookup www.kmart.com. You should see something similar to:


Non-authoritative answer:
Name:    e2301.b.akamaiedge.net
Address:  96.16.241.128
Aliases:  www.kmart.com
          www.kmart.com.edgekey.net

If you don't get a response, then it would seem that the DNS resolution is not working correctly.

You can also test by going to http://74.125.225.18 and seeing if you get the redirect page; authenticate, and then you should go to the website.

Cheers,
Steve

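The pre-authentication name lookup described in the post above can be run against each transport separately, which shows whether the guest ACL passes DNS over UDP, over TCP, both or neither. This is an added example, not part of the original thread; the resolver address 192.0.2.53 is a placeholder for the DNS server IP used in the ACL.

```python
import socket
import struct

def build_query(name, txid=0x1234):
    """Minimal DNS A-record query (RFC 1035), recursion desired."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def frame_tcp(msg):
    """DNS over TCP prefixes every message with a 2-byte length."""
    return struct.pack("!H", len(msg)) + msg

def summarize(reply, txid=0x1234):
    """Extract the reply-header fields that matter for this check."""
    if len(reply) < 12:
        return {"error": "short reply"}
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", reply[:12])
    return {"id_ok": rid == txid, "is_response": bool(flags & 0x8000),
            "rcode": flags & 0x000F, "answers": ancount}

def probe(resolver, name, transport, timeout=3.0):
    """Query resolver:53 over 'udp' or 'tcp'; report the reply or the failure."""
    query = build_query(name)
    try:
        if transport == "udp":
            with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
                s.settimeout(timeout)
                s.sendto(query, (resolver, 53))
                reply, _ = s.recvfrom(4096)
        else:
            with socket.create_connection((resolver, 53), timeout) as s, s.makefile("rb") as f:
                s.sendall(frame_tcp(query))
                (length,) = struct.unpack("!H", f.read(2))
                reply = f.read(length)
        return summarize(reply)
    except (OSError, struct.error) as exc:  # timeout/refused/unreachable: consistent with an ACL drop
        return {"error": type(exc).__name__}

if __name__ == "__main__":
    RESOLVER = "192.0.2.53"  # placeholder (assumption): use the DNS server IP from the ACL
    for transport in ("udp", "tcp"):
        print(transport, probe(RESOLVER, "www.kmart.com", transport))
```

Run it from a client on the guest VLAN before authenticating; a transport that returns an error while the other returns `rcode` 0 with answers points at the protocol column of the DNS rule.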

Thanks. I will try & let you know soon.
