01-25-2013 07:53 AM - edited 07-03-2021 11:25 PM
Hi
We have three SSIDs:
CORP SSID
GUEST SSID
MGMT SSID
I want to know: the client wants controller access from the MGMT SSID, where all the IT guys are sitting on their wireless laptops, and at the same time they do not want the other SSIDs, that is, the ones for corp and guest users, to get controller access.
If I check this, all the SSIDs are able to get controller access, and if I uncheck this, no wireless user is able to get access to the controller.
Is there any way to give controller access to the MGMT wireless users?
Thanks.....
01-25-2013 08:00 AM
Not really, because if you have another WLC and users are connected to APs on WLC2, they can access WLC1. The only way is to set up an ACL to only allow subnets to access the WLC management IP.
Thanks,
Scott
Help out other by using the rating system and marking answered questions as "Answered"
01-25-2013 08:03 AM
Hi Scott
Thanks for the reply
Do I need to create the ACL on the controller or on the core switches where the VLANs are created?
01-25-2013 08:37 AM
You can do it on either... I prefer on the core than on the WLC, but that's up to you.
Thanks,
Scott
Help out other by using the rating system and marking answered questions as "Answered"
01-25-2013 09:51 AM
Here is the other thing I see a lot. What about your corp SSID? Are users on that subnet able to get to your management devices like servers or switches? This is why I prefer to use ACLs on the core. You have a dedicated management VLAN in which you have access to everything, but the other subnets, including wired, need to have ACLs in place or else wired users can access the WLC also. Makes sense?
01-25-2013 11:34 AM
Hi Scott
No, CORP and GUEST are not allowed to get network device access; we restricted the access through an ACL on the core switches, applied on the VTY.
This is only about controller access: every single wireless user is able to get WLC access irrespective of SSID.
The GUEST SSID is using web authentication and CORP is using certificate-based authentication. If I make the ACL and put the WLC IP in the deny list, then the WLC GUEST redirect page does not come up on the guest machine.
So I want to know which port I need to block so that guests do not get access to the WLC?
01-25-2013 12:35 PM
Well, if you're using a guest anchor, the WLC is in the DMZ so there wouldn't be any routing back. But if you're not anchoring the SSID, then maybe look at using a CPU ACL on the WLC.
Thanks,
Scott
Help out other by using the rating system and marking answered questions as "Answered"
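The core-switch approach discussed in this thread, sketched as a Cisco IOS extended ACL that denies only management protocols toward the WLC instead of all traffic to its IP. This is an added example, not configuration posted by anyone in the thread; every address, VLAN number and the ACL name are constructed placeholders, and the port list assumes the WLC is managed over SSH, Telnet, HTTP, HTTPS and SNMP.

```cisco
! Constructed addressing (assumptions, not from the thread):
!   WLC management IP   192.0.2.10
!   CORP SSID subnet    10.10.10.0/24  -> interface Vlan10
!   GUEST SSID subnet   10.10.20.0/24  -> interface Vlan20
!   MGMT SSID subnet    10.10.30.0/24  -> interface Vlan30
!
ip access-list extended WLC-MGMT-FROM-USERS
 remark Deny management protocols to the WLC management IP only
 deny   tcp any host 192.0.2.10 eq 22
 deny   tcp any host 192.0.2.10 eq 23
 deny   tcp any host 192.0.2.10 eq www
 deny   tcp any host 192.0.2.10 eq 443
 deny   udp any host 192.0.2.10 eq snmp
 remark Everything else is left untouched
 permit ip any any
!
! Apply inbound on the routed interface of each user subnet that
! must not manage the controller.
interface Vlan10
 description CORP SSID users
 ip access-group WLC-MGMT-FROM-USERS in
!
interface Vlan20
 description GUEST SSID users
 ip access-group WLC-MGMT-FROM-USERS in
!
! Vlan30 (MGMT SSID) gets no such ACL, so the IT laptops keep
! access. Wired user VLANs need the same ACL applied, otherwise
! wired users can still reach the WLC.
!
! Review the installed entries with:
!   show ip access-lists WLC-MGMT-FROM-USERS
```

An ACL on the core only filters traffic that is routed through it, so it has no effect on clients that reach the controller without crossing these interfaces. Whether the guest redirect page keeps working depends on which WLC address and port serve it, which the thread does not state, so test web authentication after applying the ACL.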