11-22-2010 07:10 AM - edited 07-03-2021 07:27 PM
Hi Folks, Our wireless deployment has two wireless networks - one with 802.1x auth for corporate machines and the other is an open one with internet access for guests (but with a web auth page).
What I'd like to do is allow staff to connect their Blackberry handsets to the guest (open) wireless network to collect email from the Blackberry Enterprise Server (it's a lot easier than configuring 802.1x and getting users to roll their passwords each time), I think I can work around this with a pre-authentication ACL to bypass the webauth page for access to the Blackberry Enterprise Server, but I'm a bit confused over the direction of the access list entries. If I added an access list to the WLC which looks like the below - would that work or is the directionality wrong?
The example for the external webauth server I saw had the directionality the other way around.
| Action | Source IP/Mask | Destination IP/Mask | Protocol | Source Port | Dest Port | DSCP | Direction |
|---|---|---|---|---|---|---|---|
| Permit | 0.0.0.0 / 0.0.0.0 | [the ip of my BES] / 255.255.255.255 | IP | Any | Any | Any | Outbound |
| Permit | [the ip of my BES] / 255.255.255.255 | 0.0.0.0 / 0.0.0.0 | IP | Any | Any | Any | Inbound |
Any advice that you can provide would be great
Thanks in advance
Kev
11-22-2010 11:08 AM
Never underestimate the help menu ;-)
Direction | Any, Inbound (from client), or Outbound (to client). |
I think that this description is straightforward.
But you will probably notice that your blackberries are disconnected every 3 minutes from your SSID. I don't know if this is something they can tolerate.
Pre-auth ACL is made to give access to some resources needed to authenticate on the web login page. Not to bypass it completely. So the WLC is kicking out clients that have been connected for 3 minutes on the Webauth SSID but not authenticated on the web page ...
Nicolas
===
don't forget to rate answers that you find useful
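Added example, not part of the thread and not Cisco code: a simplified first-match model of the direction semantics quoted from the help menu (Inbound = from client, Outbound = to client), run against the ACL as posted and with the directions swapped. The addresses are constructed placeholders, and the implicit deny at the end of the list is an assumption of the model.

```python
import ipaddress
from dataclasses import dataclass

BES = "192.0.2.10"        # constructed placeholder for "[the ip of my BES]"
CLIENT = "198.51.100.25"  # constructed guest client address

@dataclass(frozen=True)
class Rule:
    action: str      # "permit" or "deny"
    src: str         # source network in CIDR form
    dst: str         # destination network in CIDR form
    direction: str   # "inbound" (from client), "outbound" (to client), "any"

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    direction: str   # "inbound" if sent by the client, else "outbound"

def _within(ip, cidr):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)

def evaluate(rules, pkt):
    """Return the action of the first rule matching direction, source and destination."""
    for rule in rules:
        if rule.direction not in ("any", pkt.direction):
            continue
        if _within(pkt.src, rule.src) and _within(pkt.dst, rule.dst):
            return rule.action
    return "deny"  # assumption: implicit deny when nothing matches

# The two entries exactly as posted in the question.
AS_POSTED = [Rule("permit", "0.0.0.0/0", f"{BES}/32", "outbound"),
             Rule("permit", f"{BES}/32", "0.0.0.0/0", "inbound")]
# Same entries with the directions swapped to follow the help text.
SWAPPED = [Rule("permit", "0.0.0.0/0", f"{BES}/32", "inbound"),
           Rule("permit", f"{BES}/32", "0.0.0.0/0", "outbound")]

SAMPLES = {  # constructed pre-authentication traffic
    "client_to_bes": Packet(CLIENT, BES, "inbound"),
    "bes_to_client": Packet(BES, CLIENT, "outbound"),
    "client_to_other": Packet(CLIENT, "203.0.113.80", "inbound"),
}

def verdicts(rules):
    return {name: evaluate(rules, pkt) for name, pkt in SAMPLES.items()}

if __name__ == "__main__":
    for label, acl in (("as posted", AS_POSTED), ("swapped", SWAPPED)):
        print(label, verdicts(acl))
```

In this model the posted entries match nothing, while the swapped entries permit only the BES flows and leave every other pre-authentication destination denied.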
11-23-2010 12:56 AM
Thanks Nicolas,
My help file doesn't show this information as far as I can see, but thank you for posting this as it's most useful - it seems to work the opposite way around from what I expected...
I think we'll have to see how it goes for the bypass as really it's just to pull email - no other functionality is required at this time, if we find that it's a problem, then we'll need to look at putting them onto the corporate one.
Kev