i have controller 5508
i configure vlan 10 for guest and name guest-inter
default gateway 10.0.10.254 ( ip address fo core switch)
dhcp server ( 10.20.10.10/24) ( ip dhcp server is the same ip for DNS server )
i create ssid name gest and choose interface guest-inter and choose web authentication
also there is blue coast proxy for internet 10.30.10.10/24
i need guest user to access internet only
what the access list need to apply for guest in the WLC to permite internet only
i configured the access list in the controller and applied in the guest-inter interface
1- permit any any udp (source port dns) ( destination port any) (direction any )
2-permite any any udp ( any ) ( dns) (any)
3- permite any 10.20.10.10 ip any any any
4-permite 10.20.10.10 any ip any any any
5-permite any 10.30.10.10 ip any any any
6- permite 10.30.10.10 any ip any any any
i put user name and password for guest and disply page access sucessful and stop
after that i can not access internet
please advice me
I would rather put an ACL to block the inside access, as given below
permit ip any 10.30.10.10 ( here you can give a mask of 255.255.255.255 and specificallly the proxy port)
permit ip any 10.20.10.10/24 ( ( here you can give a mask of 255.255.255.255 and the DNS port )
deny ip 10.0.10.2/24
permit ip any
What is the image that you are using in the WLC, if the build is above 22.214.171.124 enable "WebAuth Proxy Redirection Mode" from the Controller page
I worked by the same things you mentioned but unfortunately the same thing ther is no changing .
Please if you have practical technical document for guest access-list send to me
or advice me .
Whatever you allow out, you need to explicitly allow back in as well. Unlike applying the acl to a svi where you only need one way.
That being said. I'd put the acl on the gateway svi instead if on the WLC.
Sent from Cisco Technical Support iPhone App
I applied the access list in two directions, even before the possible but i forget to mentioned in my previous letter
I will try to apply in the layer 3 core switch and i will tell you the result .
You need to identifiy your interfaces in the WLC as inbound and outbound. I just did a number id ACLs on the WLC for ISE and I had the same problem. Once I added the inbound and outbound life was good. Give that a shot.