
guest access list

I have a 5508 controller.

I configured VLAN 10 for guests and named it guest-inter.


default gateway (IP address of the core switch)

DHCP server (the DHCP server IP is the same IP as the DNS server)

I created an SSID named gest, chose the interface guest-inter and chose web authentication.

Also, there is a Blue Coat proxy for internet.

I need guest users to access the internet only.

What access list do I need to apply for guests in the WLC to permit internet only?

I configured the access list in the controller and applied it to the guest-inter interface:

1- permit any any udp (source port DNS) (destination port any) (direction any)

2- permit any any udp (any) (DNS) (any)

3- permit any ip any any any

4- permit any ip any any any

5- permit any ip any any any

6- permit any ip any any any

I put in the user name and password for the guest, and it displays the access successful page and stops.

After that I cannot access the internet.

Please advise me.


I would rather put an ACL to block the inside access, as given below

permit ip any (here you can give a mask of and specifically the proxy port)

permit ip any (here you can give a mask of and the DNS port)

deny ip

permit ip any

What is the image that you are using in the WLC? If the build is above enable "WebAuth Proxy Redirection Mode" from the Controller page.



I did the same things you mentioned, but unfortunately it is the same; there is no change.
Please, if you have a practical technical document for guest access lists, send it to me

or advise me.


Whatever you allow out, you need to explicitly allow back in as well, unlike applying the ACL to an SVI, where you only need one way.

That being said, I'd put the ACL on the gateway SVI instead of on the WLC.


Sent from Cisco Technical Support iPhone App


Please remember to rate useful posts, and mark questions as answered
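
As an added illustration (not part of any post in this thread, and not Cisco's code): a small Python model of a stateless, first-match ACL, showing why a rule set that permits only the guest-to-DNS and guest-to-proxy direction drops the replies. The addresses, the proxy port 8080, the implicit deny at the end and all helper names are assumptions constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed sample addresses (documentation ranges), not values from the thread.
ANY, GUEST, INSIDE = "0.0.0.0/0", "192.0.2.0/24", "10.0.0.0/8"
DNS, PROXY = "198.51.100.53/32", "198.51.100.80/32"

@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    proto: str                   # "udp", "tcp", or "ip" for any protocol
    src: str                     # source network (CIDR)
    dst: str                     # destination network (CIDR)
    sport: Optional[int] = None  # None matches any port
    dport: Optional[int] = None
    direction: str = "any"       # "in" = from client, "out" = to client

def evaluate(acl, pkt):
    """Stateless first-match; assumes an implicit deny when nothing matches."""
    for r in acl:
        if (r.direction in ("any", pkt["dir"]) and r.proto in ("ip", pkt["proto"])
                and ip_address(pkt["src"]) in ip_network(r.src)
                and ip_address(pkt["dst"]) in ip_network(r.dst)
                and r.sport in (None, pkt["sport"])
                and r.dport in (None, pkt["dport"])):
            return r.action
    return "deny"

def reply_of(pkt):
    """Build the return packet: swap endpoints, ports and direction."""
    return dict(dir="out" if pkt["dir"] == "in" else "in", proto=pkt["proto"],
                src=pkt["dst"], dst=pkt["src"], sport=pkt["dport"], dport=pkt["sport"])

def round_trip(acl, pkt):
    """True only when both the request and its reply are permitted."""
    return evaluate(acl, pkt) == "permit" and evaluate(acl, reply_of(pkt)) == "permit"

block_inside = Rule("deny", "ip", ANY, INSIDE)
to_servers = [Rule("permit", "udp", GUEST, DNS, dport=53, direction="in"),
              Rule("permit", "tcp", GUEST, PROXY, dport=8080, direction="in")]
from_servers = [Rule("permit", "udp", DNS, GUEST, sport=53, direction="out"),
                Rule("permit", "tcp", PROXY, GUEST, sport=8080, direction="out")]
one_way = to_servers + [block_inside]                # replies hit the implicit deny
paired = to_servers + from_servers + [block_inside]  # replies explicitly permitted

# Constructed sample packets from one guest client.
dns_query = dict(dir="in", proto="udp", src="192.0.2.10", dst="198.51.100.53", sport=40000, dport=53)
web = dict(dir="in", proto="tcp", src="192.0.2.10", dst="198.51.100.80", sport=40001, dport=8080)
smb_inside = dict(dir="in", proto="tcp", src="192.0.2.10", dst="10.1.1.5", sport=40002, dport=445)
```

With `one_way` the request is permitted but `round_trip` is false for both DNS and web traffic; with `paired` both round trips succeed while the packet to the inside network is still denied.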

I applied the access list in two directions even before, but I forgot to mention it in my previous letter.
I will try to apply it on the layer 3 core switch and I will tell you the result.

You need to identify your interfaces in the WLC as inbound and outbound. I just did a number of ACLs on the WLC for ISE and I had the same problem. Once I added the inbound and outbound, life was good. Give that a shot.

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin