07-12-2015 04:51 PM
Hi there.
I am having a hard time setting up an ACL on a WAP321. The customer basically wants an open access point, that only allows access to one specific website. Is there any way to specify a domain name with an ACL on the WAP321?
Thanks
07-14-2015 10:55 AM
Hello Sir, that is a great question. Will require some testing.
Can you describe the specific website or give me an example? Would this be an internal address or external?
There is not a way to do that with a domain name, but maybe with an IP Address. I can give it a try.
Just thinking out loud, maybe using a combination of VLANs with the ACLs tied to the guest VLAN IP range...
Would also have to have a router that can disable inter-VLAN routing.
Eric Moyers
07-14-2015 05:34 PM
Thanks Eric!
I had a feeling that would be the case. I tried an ACL with an IP address I got from pinging the site (JW.ORG) and some elements of the site worked. But the problem is that the site pulls resources from multiple IP addresses and these change from time to time.
I guess the task is in the too hard basket for the gear I have available.
Thanks anyways!
Aaron
07-15-2015 06:47 AM
One last option might be to look at the router you have. Since you're running a guest VLAN, maybe there is an option to do some ACLs from there based on which VLAN is hitting the router.
At least worth a look.
Eric Moyers
.:|:.:|:. CISCO | Cisco Presales Technical Support | Wireless Subject Matter Expert
Please rate helpful Posts and Let others know when your Question has been answered.
07-15-2015 06:14 PM
Yes, I do currently have the router allowing only access to the domain, but it causes issues with the WAP321 captive portal sign-in page, which I would like to use. Not sure why. Which is why I wanted to get the AP to do the work.
No worries. Thanks a bunch!
07-16-2015 06:17 AM
What kind of issues? Maybe we can address that.
Eric Moyers
07-16-2015 12:43 PM
It's odd. The login page will load no problem on first connection. Then the second time the same device connects, the login page will not automatically load. You have to load the login page manually to get it to work (not something the average user would do lol). I wondered if it had to do with the entire internet being blocked bar 1 page.
07-16-2015 02:31 PM
I know what you're talking about.
Under local user there is an away timeout that is defaulted for 60 minutes. That means that after a user disassociates from the WAP, if they try to log in before 60 minutes they will still be in the authenticated User list and should bypass the login screen. If the time specified in this field expires before the client attempts to reauthenticate, the client entry is removed from the authenticated client list and they should have to log back into the Portal again.
This same setting is also under Instance configuration. I would make it the same in both places. There is also a session timeout; I would leave that at 0, the default.
Hope this helps.
Eric Moyers
07-18-2015 11:52 AM
Thank you! I will give it a go next week. For now I have changed out the router that was handling the access restrictions, and the captive portal looks like it's loading right. Just my redirect URL is giving me issues now. For some reason the redirect puts the local IP address of the AP before the website, so of course it does not load the page.
07-20-2015 08:25 AM
You can change the password to something generic if you like. Just want to see your settings for Captive portal, or you could send me a screen capture of those settings.
Eric Moyers
07-22-2015 01:30 PM
Thanks Eric.
I have it working pretty sweet now. Finally. :) My problem was that I put the domain name in, and not http:// . I added that, and it's a charm!
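Added example, not part of the original thread: a sketch of why a redirect value without `http://` ends up behind the AP's address, assuming the portal passes the configured value to the browser unchanged so that it is resolved as a relative path. The portal address, sample values and the `checkRedirect` helper are constructed for illustration.

```javascript
// Added example: how a browser resolves a captive-portal redirect value.
// PORTAL_PAGE is a constructed address standing in for the AP's login page.
const PORTAL_PAGE = "http://192.168.1.245/portal/login.html";

// Returns where the client would land and, if the value is unusable, why.
function checkRedirect(configured, portalPage = PORTAL_PAGE) {
  const value = String(configured).trim();
  if (value === "") {
    return { resolved: null, leavesPortal: false, problem: "empty value" };
  }
  let target;
  try {
    // Same resolution a browser applies to a Location header or a link.
    target = new URL(value, portalPage);
  } catch (err) {
    return { resolved: null, leavesPortal: false, problem: "not a valid URL" };
  }
  const portalHost = new URL(portalPage).host;
  if (target.protocol !== "http:" && target.protocol !== "https:") {
    // "example.org:8080" lands here: the text before ":" parses as a scheme.
    return { resolved: target.href, leavesPortal: false,
             problem: `unsupported scheme ${target.protocol}` };
  }
  if (target.host === portalHost) {
    // Lands on the AP itself: a scheme-less value was resolved as a path.
    return { resolved: target.href, leavesPortal: false,
             problem: "resolves to the access point; add http:// or https://" };
  }
  return { resolved: target.href, leavesPortal: true, problem: null };
}

// Constructed sample values, not settings taken from the thread.
for (const v of ["www.example.org", "http://www.example.org",
                 "https://www.example.org/welcome", "example.org:8080"]) {
  const r = checkRedirect(v);
  console.log(v.padEnd(32), "->", r.resolved, r.problem ? `(${r.problem})` : "");
}
```

The first sample resolves to a path on the access point, which matches the symptom of the AP's local IP appearing before the website.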
07-22-2015 01:43 PM
Fantastic, if all of your concerns have been answered, please mark your question as answered, so others will know that you found a solution. Also if you don't mind please rate the quality of support you received.
If we can do anything else in the future please let us know.
Eric Moyers