03-16-2012 04:11 PM - edited 07-03-2021 09:48 PM
I have a controller 5508.
I configured VLAN 10 for guest and named it guest-inter
IP 10.0.10.2/24
default gateway 10.0.10.254 (IP address of the core switch)
DHCP server (10.20.10.10/24) (the DHCP server IP is the same IP as the DNS server)
I created an SSID named gest, chose the interface guest-inter and chose web authentication.
Also there is a Blue Coat proxy for internet, 10.30.10.10/24.
I need guest users to access the internet only.
What access list needs to be applied for guests in the WLC to permit internet only?
I configured the access list in the controller and applied it on the guest-inter interface:
1- permit any any udp (source port dns) (destination port any) (direction any)
2- permit any any udp (any) (dns) (any)
3- permit any 10.20.10.10 ip any any any
4- permit 10.20.10.10 any ip any any any
5- permit any 10.30.10.10 ip any any any
6- permit 10.30.10.10 any ip any any any
I put in the guest username and password, and it displays the page "access successful" and stops.
After that I cannot access the internet.
Please advise me.
03-16-2012 09:49 PM
I would rather put an ACL to block the inside access, as given below:
permit ip any 10.30.10.10 (here you can give a mask of 255.255.255.255 and specifically the proxy port)
permit ip any 10.20.10.10/24 (here you can give a mask of 255.255.255.255 and the DNS port)
deny ip 10.0.10.2/24
permit ip any
What is the image that you are using in the WLC? If the build is above 7.0.116.0, enable "WebAuth Proxy Redirection Mode" from the Controller page.
Thanks
NikhiL
03-18-2012 05:20 PM
I worked through the same things you mentioned, but unfortunately there is no change.
Please, if you have a practical technical document for the guest access list, send it to me
or advise me.
Thanks
03-18-2012 05:56 PM
Whatever you allow out, you need to explicitly allow back in as well, unlike applying the ACL to an SVI, where you only need one way.
That being said, I'd put the ACL on the gateway SVI instead of on the WLC.
Steve
Sent from Cisco Technical Support iPhone App
03-19-2012 12:06 AM
I applied the access list in two directions even before, but I forgot to mention it in my previous letter.
I will try to apply it on the layer 3 core switch and I will tell you the result.
03-18-2012 11:10 AM
You need to identify your interfaces in the WLC as inbound and outbound. I just did a number of ACLs on the WLC for ISE and I had the same problem. Once I added the inbound and outbound, life was good. Give that a shot.
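To make the point about return traffic and inbound/outbound direction concrete, here is an added example, not code from this thread or from Cisco: a small Python model of a stateless, first-match, directional ACL of the kind applied to a WLC interface, loaded with the thread's DNS server (10.20.10.10) and proxy (10.30.10.10) addresses. The client address 10.0.10.50 and proxy port 8080 are constructed assumptions (the thread does not give the Blue Coat listening port), and "in" is modelled as client-to-wired, "out" as wired-to-client. Running it shows that an ACL which only permits the client's outbound requests lets the DNS reply and the proxy's SYN/ACK fall through to the implicit deny, while adding the explicit return rules lets the whole exchange through; a guest packet aimed directly at the internet still hits the implicit deny, which is the desired "proxy only" behaviour.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Addresses from the thread; CLIENT and PROXY_PORT are constructed assumptions.
DNS_SERVER = "10.20.10.10"
PROXY = "10.30.10.10"
CLIENT = "10.0.10.50"
PROXY_PORT = 8080


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str       # "udp" or "tcp"
    sport: int
    dport: int
    direction: str   # "in" = wireless client -> wired network, "out" = wired -> client


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    src: str = "any"             # "any", an address, or a prefix
    dst: str = "any"
    proto: str = "any"           # "any" / "ip" match every protocol, else "udp" or "tcp"
    sport: Optional[int] = None  # None = any port
    dport: Optional[int] = None
    direction: str = "any"       # "any", "in" or "out"

    def matches(self, p: Packet) -> bool:
        return (
            _addr_match(self.src, p.src)
            and _addr_match(self.dst, p.dst)
            and self.proto in ("any", "ip", p.proto)
            and self.sport in (None, p.sport)
            and self.dport in (None, p.dport)
            and self.direction in ("any", p.direction)
        )


def _addr_match(spec: str, addr: str) -> bool:
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


def evaluate(acl: list, p: Packet):
    """First match wins; a packet matching no rule hits the implicit deny at the end."""
    for n, rule in enumerate(acl, 1):
        if rule.matches(p):
            return rule.action, n
    return "deny", None


# Only the client's outbound requests are permitted; no return rules.
ONE_WAY = [
    Rule("permit", dst=DNS_SERVER, proto="udp", dport=53, direction="in"),
    Rule("permit", dst=PROXY, proto="tcp", dport=PROXY_PORT, direction="in"),
]

# Same rules plus the explicit server -> client return rules a stateless ACL needs.
BOTH_WAYS = ONE_WAY + [
    Rule("permit", src=DNS_SERVER, proto="udp", sport=53, direction="out"),
    Rule("permit", src=PROXY, proto="tcp", sport=PROXY_PORT, direction="out"),
]


def simulate_web_session(acl: list) -> dict:
    """Walk the four packets of a DNS lookup plus a proxy TCP handshake, recording each verdict."""
    flow = {
        "dns_query":    Packet(CLIENT, DNS_SERVER, "udp", 40000, 53, "in"),
        "dns_reply":    Packet(DNS_SERVER, CLIENT, "udp", 53, 40000, "out"),
        "proxy_syn":    Packet(CLIENT, PROXY, "tcp", 50000, PROXY_PORT, "in"),
        "proxy_synack": Packet(PROXY, CLIENT, "tcp", PROXY_PORT, 50000, "out"),
    }
    return {name: evaluate(acl, pkt)[0] for name, pkt in flow.items()}


def session_works(acl: list) -> bool:
    """True only if every packet of the exchange is permitted in its own direction."""
    return all(verdict == "permit" for verdict in simulate_web_session(acl).values())


if __name__ == "__main__":
    for label, acl in (("one-way", ONE_WAY), ("both-ways", BOTH_WAYS)):
        print(label, simulate_web_session(acl), "->", "works" if session_works(acl) else "broken")
```

The model deliberately has no connection table: like the WLC interface ACL, it judges every packet on its own, so the reply half of each flow must be written as a separate rule with the opposite direction and swapped source/destination. An ACL on a routed SVI can be written for one direction because the router applies it to packets crossing the interface one way, which is the distinction drawn above.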