Securing Guest Wlan

r.robins
Level 1

I am trying to set up a WLAN with internal users and guest users.

I have 2 SSIDs, one visible and one hidden; the visible one is for guest use.

Problem is when I connect to the guest wlan and web auth, I can then ping and telnet to the rest of the corporate network. How do I stop this?

2 Replies

Jon Marshall
Hall of Fame

Hi

Have you got separate VLANs set up, i.e.

vlan 10 = users

vlan 11 = guest

You would then hand out different IP address ranges for each VLAN, e.g.

vlan 10 = 192.168.5.0/24

vlan 11 = 192.168.10.0/24

Then you can either use a firewall or use access-lists on the VLAN interfaces, i.e. suppose the corporate network was made up of subnets

192.168.1.0/24

192.168.2.0/24

192.168.3.0/24

Also assume you want to allow your guest users out to the Internet

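access-list 101 deny ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255

access-list 101 deny ip 192.168.10.0 0.0.0.255 192.168.2.0 0.0.0.255

access-list 101 deny ip 192.168.10.0 0.0.0.255 192.168.3.0 0.0.0.255

! every ACL ends with an implicit deny, so permit everything else (Internet)

access-list 101 permit ip any any

int vlan 11

ip access-group 101 in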

This would allow guest users on 192.168.10.0 to access the Internet but not the corporate LAN.

HTH

Jon
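The check below is an added example, not part of the original post: it applies the first-match and implicit-deny rules of an extended ACL to the guest and corporate subnets named above and reports any corporate subnet a guest can still reach, or Internet traffic that ends up blocked. It assumes the elided entries cover 192.168.3.0/24 and that the list ends with `permit ip any any` (without a permit, the implicit deny drops the guest Internet traffic too); the guest host 192.168.10.50, the destination 203.0.113.10 and all function names are constructed for the example.

```python
import ipaddress

# Constructed from the addressing in the post; the trailing permit is an assumption.
GUEST_HOST = "192.168.10.50"
CORPORATE_NETS = ("192.168.1.0/24", "192.168.2.0/24", "192.168.3.0/24")
ACL_101 = """\
access-list 101 deny ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 deny ip 192.168.10.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 deny ip 192.168.10.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 101 permit ip any any
"""

def _spec(tokens):
    """Consume one address spec ('any', 'host A' or 'A WILDCARD') as (addr, wildcard)."""
    first = tokens.pop(0)
    if first == "any":
        return 0, 0xFFFFFFFF
    if first == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    return int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(tokens.pop(0)))

def parse_acl(text):
    """Parse 'access-list N permit|deny ip SRC DST' lines into ordered rules."""
    rules = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) >= 6 and tokens[0] == "access-list" and tokens[3] == "ip":
            rest = tokens[4:]
            rules.append((tokens[2], _spec(rest), _spec(rest)))
    return rules

def _match(addr, spec):
    care = ~spec[1] & 0xFFFFFFFF  # wildcard bits set to 1 are "don't care"
    return (addr & care) == (spec[0] & care)

def evaluate(rules, src, dst):
    """First matching rule wins; an ACL ends with an implicit deny."""
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    for action, src_spec, dst_spec in rules:
        if _match(s, src_spec) and _match(d, dst_spec):
            return action
    return "deny"

def audit(acl_text, internet_dst="203.0.113.10"):
    """Return problems: corporate subnets a guest can reach, or Internet blocked."""
    rules = parse_acl(acl_text)
    problems = [f"guest can reach {n}" for n in CORPORATE_NETS
                if evaluate(rules, GUEST_HOST, str(ipaddress.ip_network(n)[1])) != "deny"]
    if evaluate(rules, GUEST_HOST, internet_dst) != "permit":
        problems.append("guest Internet traffic is denied")
    return problems
```

Paste the `access-list 101` lines from the running configuration into `audit()` to check the deployed list; an empty result means every listed corporate subnet is denied and Internet traffic is permitted.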

Thanks Jon,

Looks like this is one of two ways to go.

ACLs on the switch/router or put the WLC onto a DMZ.

Second option just means we use a WLC for 4 APs that will provide the guest access.

Not so bad as we have 4 in total.

Regards
