09-26-2011 05:41 AM - edited 07-03-2021 08:49 PM
Hello all.
I'm trying to find the best way to limit a specific "generic" account's wireless access throughout an enterprise (both local and HREAP sites). Let's say I want this user account to be able to access only two IPs. I can do it locally with no problems. My issue is HREAP. Is it possible to use either the "override interface acl" feature of the WLC or "per user ACL" feature of the WLC/ACS to accomplish this? I've tried the Override ACL feature and it doesn't seem to function on HREAP. Or, is there a better way?
PS - I know I can create a new local VLAN, map a new SSID to it, and apply an ACL on the router. But if you're talking hundreds of remote sites, that's not what I want.
Thanks!
09-26-2011 11:24 AM
Correct, you'd have to backhaul to the WLC.
For HREAP, it's designed to follow the local routing rules of the site/subnet. So an ACL at the local site would work, but doesn't help when it's used with a generic login, unless you were to block the entire subnet.
09-26-2011 06:08 AM
Pretty sure neither of those will work, as the traffic is dropped directly to the wire and not backhauled to the WLC.
Sent from Cisco Technical Support iPad App
09-26-2011 07:44 AM
I was afraid of that. Any other idea of how I may be able to accomplish what I'm looking to do?
Thanks Stephen!
09-26-2011 07:52 AM
I can only think of two ways to do this.
1.) Configure a 'special' WLAN for the generic user, and use the WLC ACL to block them.
2.) 'Special' VLAN at the remote site, and put the user there (which I can understand not wanting to do as it doesn't scale very well).
HTH,
Steve
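The remote-site ACL from option 2, as an added illustration that is not part of any reply in this thread: because HREAP drops the client traffic onto the local wire, the only place to restrict a locally switched SSID to two hosts is the site router's VLAN interface. The VLAN number, subnet and the two destination addresses are placeholders, not values from the thread.

```cisco
! Remote-site router, constructed example (VLAN, subnet and hosts are placeholders)
ip access-list extended GENERIC-USER-ACL
 remark clients still need DHCP before any IP rule can match
 permit udp any eq bootpc any eq bootps
 remark allow the generic account's VLAN to reach only the two application hosts
 permit ip 10.200.5.0 0.0.0.255 host 10.1.1.10
 permit ip 10.200.5.0 0.0.0.255 host 10.1.1.11
 remark everything else from this VLAN is dropped and logged for review
 deny   ip any any log
!
interface Vlan205
 description Locally switched HREAP SSID mapped to the generic account
 ip address 10.200.5.1 255.255.255.0
 ip access-group GENERIC-USER-ACL in
```

Note that an ACL on the SVI only filters traffic leaving the VLAN through the router; clients on the same VLAN can still reach each other, which is why the thread's suggestion is a dedicated VLAN rather than a shared one.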
09-26-2011 11:05 AM
With your option 1, I'm still forced to send all traffic back to the WLC (no ACL with HREAP support at all)?
Thanks again Steve!
BTW - This seems to be a feature that customers would want... I can't justify a controller (no matter how small) at each of my tiny remote sites (1-2 APs per location).