Setting up Guest Access?

Unanswered Question
Jun 3rd, 2008

I have never set this up and am not even sure where to look.


Can someone please point me in the right direction?


I just need something basic.


Here is what I would like to do.

Guest account will be used by vendors who have used our non-secure ssid and need to move toward another form of more secure and more controlled access.


Guest enters office location.

Powers up laptop with wireless.

Guest account is granted with password/ssid - need some sort of security since we do not want the whole community to use this connection.

Guest account is given public DNS servers to use for DNS, and given an IP from a separate DHCP scope that only has internet access and no access to our network resources.

network_dude Tue, 06/03/2008 - 16:59

1) Create a "Guest VLAN" and put an ACL on it..something like this:


ip access-list extended Guest
 permit udp any host x.x.x.x range bootps bootpc
 deny ip any 10.0.0.0 0.0.0.255 log
 permit udp any host x.x.x.x eq domain
 permit tcp any any eq 443
 permit tcp any any eq www
 deny ip any any


2) Plug AP into the new segment


3) Create SSID with desired security.


That should do it.

svillardi Wed, 06/18/2008 - 09:39

Total newbie here with ACLs.


Can you further define these ACL filters? I am trying to do this via the 4402 GUI and not the CLI. So I don't understand what is being said here.


Please explain what each line is doing.

Rick Morris Wed, 06/18/2008 - 09:44

permit udp any host x.x.x.x range bootps bootpc

-this will permit udp traffic for bootps and bootpc ports

deny ip any 10.0.0.0 0.0.0.255 log

-this denies any type of traffic from any network to the 10.0.0.0/8 network and log it


permit udp any host x.x.x.x eq domain

-permits anything on my network to a specific host to communicate for DNS


permit tcp any any eq 443

-permits secure https traffic


permit tcp any any eq www

-permits any web traffic


deny ip any any

-denies any traffic that is not matched in the above lines


ACLs work top down. If there is no match it goes to the next line. If you do not specify deny ip any any it is just a given that this is done by default, so no need to specify this statement.
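
Added example (not part of any post in this thread): a small Python model of the top-down, first-match evaluation described above, run over the ACL from the first reply. The two server addresses standing in for x.x.x.x are constructed placeholders, and only destination address and port are modelled because every source in that ACL is `any`.

```python
import ipaddress

PORTS = {"bootps": 67, "bootpc": 68, "domain": 53, "www": 80}
DHCP_SERVER = "192.0.2.10"  # assumption: placeholder for x.x.x.x (DHCP line)
DNS_SERVER = "192.0.2.53"   # assumption: placeholder for x.x.x.x (DNS line)

# The thread's ACL; the final "deny ip any any" is left to the implicit deny.
ACL = f"""
permit udp any host {DHCP_SERVER} range bootps bootpc
deny ip any 10.0.0.0 0.0.0.255 log
permit udp any host {DNS_SERVER} eq domain
permit tcp any any eq 443
permit tcp any any eq www
"""

def port(tok):
    return PORTS.get(tok) or int(tok)

def parse(line):
    # Returns (action, protocol, (dst address, dst wildcard), dst port range).
    t = line.split()
    action, proto, i = t[0], t[1], 3        # t[2] is the source, always "any"
    if t[i] == "any":
        dst, i = (0, 0xFFFFFFFF), i + 1
    elif t[i] == "host":
        dst, i = (int(ipaddress.ip_address(t[i + 1])), 0), i + 2
    else:                                    # address followed by wildcard mask
        dst, i = (int(ipaddress.ip_address(t[i])), int(ipaddress.ip_address(t[i + 1]))), i + 2
    ports = None
    if i < len(t) and t[i] == "eq":
        ports = (port(t[i + 1]), port(t[i + 1]))
    elif i < len(t) and t[i] == "range":
        ports = (port(t[i + 1]), port(t[i + 2]))
    return action, proto, dst, ports

RULES = [parse(line) for line in ACL.strip().splitlines()]

def evaluate(proto, dst_ip, dst_port):
    # First matching line wins; returns (action, 1-based line number or None).
    d = int(ipaddress.ip_address(dst_ip))
    for n, (action, rproto, (addr, wild), ports) in enumerate(RULES, 1):
        if rproto not in ("ip", proto):
            continue
        if (d ^ addr) & ~wild & 0xFFFFFFFF:  # wildcard bits set to 1 are ignored
            continue
        if ports and not ports[0] <= dst_port <= ports[1]:
            continue
        return action, n
    return "deny", None                      # implicit deny: no line matched
```

With these rules, `evaluate("tcp", "10.1.2.3", 443)` returns `("permit", 4)`: the wildcard `0.0.0.255` on the deny line covers only 10.0.0.0 through 10.0.0.255, so other 10.x destinations fall through to the web permits.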

svillardi Wed, 06/18/2008 - 11:31

Thanks--


OK, I created one in the GUI


permit any IP/255.255.255.255 udp dhcp-c dhcp-s any Outbound

-allows any traffic to make a dhcp request


permit IP/255.255.255.255 any udp dhcp-s dhcp-c any Inbound

-allows the dhcp server to respond to the client request


permit any IP/255.255.255.255 tcp DNS any any any

-dns traffic to and from...


permit any any tcp http any any any

-allow http traffic anywhere

permit any any tcp https any any any


-allow https traffic anywhere


with the acl on, no internet

with the acl off, internet


any ideas?


Also, I saw your example, does that mean that the host would not be able to make an http/https request in the local network? Because I need to do that too.


toddgermana Thu, 07/24/2008 - 09:36

I'm having the same issue with ACL while configuring it in the WCS.


Add any rule other than allow all - no access to anything (internet, ping, etc.)

Remove all rules - access to everything.


Am I missing something?

toddgermana Fri, 07/25/2008 - 09:45

Never mind - Just needed to pay closer attention to what I was doing, was blocking out the gateway to the internet.
