06-03-2008 12:13 PM - edited 07-03-2021 03:58 PM
I have never set this up and not even sure where to look.
Can someone please point me in the right direction?
I just need something basic.
Here is what I would like to do.
Guest account will be used by vendors who have used our non-secure ssid and need to move toward another form of more secure and more controlled access.
Guest enters office location.
Powers up laptop with wireless.
Guest account is granted with password/ssid - need some sort of security since we do not want the whole community to use this connection.
Guest account is given public DNS servers to use for DNS, and given an IP from a separate DHCP scope that only has internet access and no access to our network resources.
06-03-2008 01:28 PM
Are you using LAPs or autonomous APs?
06-03-2008 04:59 PM
1) Create a "Guest VLAN" and put an ACL on it, something like this:
ip access-list extended Guest
permit udp any host x.x.x.x range bootps bootpc
deny ip any 10.0.0.0 0.0.0.255 log
permit udp any host x.x.x.x eq domain
permit tcp any any eq 443
permit tcp any any eq www
deny ip any any
2) Plug AP into the new segment
3) Create SSID with desired security.
That should do it.
06-18-2008 09:39 AM
Total newbie here with ACLs.
Can you further define these ACL filters? I am trying to do this via the 4402 GUI and not the CLI. So I don't understand what is being said here.
Please explain what each line is doing.
06-18-2008 09:44 AM
permit udp any host x.x.x.x range bootps bootpc
-this will permit udp traffic for bootps and bootpc ports
deny ip any 10.0.0.0 0.0.0.255 log
-this denies any type of traffic from any network to the 10.0.0.0/8 network and logs it
permit udp any host x.x.x.x eq domain
-permits anything on my network to a specific host to communicate for DNS
permit tcp any any eq 443
-permits secure https traffic
permit tcp any any eq www
-permits any web traffic
deny ip any any
-denies any traffic that is not matched in the above lines
ACLs work top-down. If there is no match it goes to the next line. If you do not specify deny ip any any it is just a given that this is done by default, so no need to specify this statement.
06-18-2008 11:31 AM
Thanks--
OK, I created one in the GUI
permit any IP/255.255.255.255 udp dhcp-c dhcp-s any Outbound
-allows any traffic to make a dhcp request
permit IP/255.255.255.255 any udp dhcp-s dhcp-c any Inbound
-allows the dhcp server to respond to the client request
permit any IP/255.255.255.255 tcp DNS any any any
-dns traffic to and from...
permit any any tcp http any any any
-allow http traffic anywhere
permit any any tcp https any any any
-allow https traffic anywhere
with the acl on, no internet
with the acl off, internet
any ideas?
Also, I saw your example, does that mean that the host would not be able to make an http/https request in the local network? Because I need to do that too.
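The CLI ACL from the 06-18 reply and the GUI rule set in the follow-up, as an added worked example that is not from this thread or from Cisco: a small Python simulator of top-down, first-match ACL evaluation with the implicit deny at the end. The server address 192.0.2.1 stands in for x.x.x.x, 172.16.50.10 is a constructed guest client, and the GUI rules are translated into the same form by my reading of the posted fields. It checks three things: the order in which lines match, that the wildcard 0.0.0.255 covers 10.0.0.0/24 rather than the /8 the explanation refers to (0.255.255.255 would cover the /8), and that a rule permitting only TCP 53 leaves an ordinary UDP DNS query to the implicit deny, which is one way a guest ACL can pass DHCP and still show "no internet".

```python
"""Top-down, first-match ACL simulator (added illustration, not Cisco code).

Models the evaluation order described in the thread: the first line that
matches decides, and anything unmatched hits the implicit deny at the end.
Wildcard masks are converted to prefix lengths the way IOS interprets them.
All addresses below are constructed samples.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


def net(addr: str, wildcard: str = "0.0.0.0") -> ipaddress.IPv4Network:
    """Cisco 'address wildcard' -> network.
    'host X' is X with wildcard 0.0.0.0; 'any' is 0.0.0.0 255.255.255.255.
    Only contiguous wildcards are supported (ipaddress rejects the rest)."""
    mask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(mask))), strict=False)


ANY = net("0.0.0.0", "255.255.255.255")
SRV = "192.0.2.1"  # constructed stand-in for the x.x.x.x DHCP/DNS server


@dataclass(frozen=True)
class Rule:
    action: str                          # "permit" | "deny"
    proto: str                           # "ip" | "udp" | "tcp" ("ip" matches all)
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Tuple[int, int] = (0, 65535)  # inclusive destination port range
    text: str = ""                       # the line as it was written in the thread

    def matches(self, proto: str, src: str, dst: str, dport: int) -> bool:
        if self.proto != "ip" and self.proto != proto:
            return False
        return (ipaddress.IPv4Address(src) in self.src
                and ipaddress.IPv4Address(dst) in self.dst
                and self.dport[0] <= dport <= self.dport[1])


def evaluate(acl: List[Rule], proto: str, src: str, dst: str, dport: int = 0):
    """Return (action, 1-based line number, line text) of the first match,
    or the implicit deny when nothing matches."""
    for n, rule in enumerate(acl, start=1):
        if rule.matches(proto, src, dst, dport):
            return rule.action, n, rule.text
    return "deny", len(acl) + 1, "implicit deny ip any any"


# The CLI ACL as posted (x.x.x.x replaced by the constructed server address).
CLI_ACL = [
    Rule("permit", "udp", ANY, net(SRV), (67, 68), "permit udp any host x.x.x.x range bootps bootpc"),
    Rule("deny", "ip", ANY, net("10.0.0.0", "0.0.0.255"), text="deny ip any 10.0.0.0 0.0.0.255 log"),
    Rule("permit", "udp", ANY, net(SRV), (53, 53), "permit udp any host x.x.x.x eq domain"),
    Rule("permit", "tcp", ANY, ANY, (443, 443), "permit tcp any any eq 443"),
    Rule("permit", "tcp", ANY, ANY, (80, 80), "permit tcp any any eq www"),
    Rule("deny", "ip", ANY, ANY, text="deny ip any any"),
]

# The GUI rule set from the follow-up, by my reading of the posted fields
# (direction is ignored here). Note DNS is permitted over TCP only.
GUI_ACL = [
    Rule("permit", "udp", ANY, net(SRV), (67, 68), "permit any -> server udp dhcp-c dhcp-s (Outbound)"),
    Rule("permit", "udp", net(SRV), ANY, (67, 68), "permit server -> any udp dhcp-s dhcp-c (Inbound)"),
    Rule("permit", "tcp", ANY, net(SRV), (53, 53), "permit any -> server tcp DNS"),
    Rule("permit", "tcp", ANY, ANY, (80, 80), "permit any any tcp http"),
    Rule("permit", "tcp", ANY, ANY, (443, 443), "permit any any tcp https"),
]

GUEST = "172.16.50.10"  # constructed guest client


def report() -> List[str]:
    """Walk a few representative guest flows through both rule sets."""
    flows = [
        (CLI_ACL, "CLI", "udp", GUEST, SRV, 53),          # DNS to the server
        (CLI_ACL, "CLI", "tcp", GUEST, "10.0.0.7", 80),    # inside 10.0.0.0/24
        (CLI_ACL, "CLI", "tcp", GUEST, "10.20.30.40", 80), # inside 10/8 but outside /24
        (GUI_ACL, "GUI", "udp", GUEST, SRV, 53),          # UDP DNS: not permitted
        (GUI_ACL, "GUI", "tcp", GUEST, SRV, 53),          # TCP DNS: permitted
    ]
    lines = []
    for acl, name, proto, src, dst, dport in flows:
        action, n, text = evaluate(acl, proto, src, dst, dport)
        lines.append(f"{name}: {proto} {src} -> {dst}:{dport} => {action} (line {n}: {text})")
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
    print("wildcard 0.0.0.255 =", net("10.0.0.0", "0.0.0.255"),
          "; wildcard 0.255.255.255 =", net("10.0.0.0", "0.255.255.255"))
```

The simulator deliberately stops at the first match, so reordering lines changes the verdict exactly as it would on the device; swapping the deny line for `deny ip any 10.0.0.0 0.255.255.255 log` makes the 10.20.30.40 flow hit line 2 instead of the web permit.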
06-23-2008 01:06 AM
Where to configure this acl? on router? switch? or wlc?
07-24-2008 09:36 AM
I'm having the same issue with ACL while configuring it in the WCS.
Add any rule other than allow all - no access to anything (internet, ping, etc.)
Remove all rules - access to everything.
Am I missing something?
07-25-2008 09:45 AM
Nevermind - Just needed to pay closer attention to what I was doing, was blocking out the gateway to the internet.