Setting up Guest Access?

Jun 3rd, 2008

I have never set this up and am not even sure where to look.

Can someone please point me in the right direction?

I just need something basic.

Here is what I would like to do.

Guest account will be used by vendors who have used our non-secure SSID and need to move toward another form of more secure and more controlled access.

Guest enters office location.

Powers up laptop with wireless.

Guest account is granted with password/SSID - need some sort of security since we do not want the whole community to use this connection.

Guest account is given public DNS servers to use for DNS, and given an IP from a separate DHCP scope that only has internet access and no access to our network resources.

Scott Fella Tue, 06/03/2008 - 13:28

Are you using LAPs or autonomous APs?

network_dude Tue, 06/03/2008 - 16:59

1) Create a "Guest VLAN" and put an ACL on it, something like this:

    ip access-list extended Guest
     permit udp any host x.x.x.x range bootps bootpc
     deny ip any log
     permit udp any host x.x.x.x eq domain
     permit tcp any any eq 443
     permit tcp any any eq www
     deny ip any any

2) Plug AP into the new segment

3) Create SSID with desired security.

That should do it.

svillardi Wed, 06/18/2008 - 09:39

Total newbie here with ACLs.

Can you further define these ACL filters? I am trying to do this via the 4402 GUI and not the CLI. So I don't understand what is being said here.

Please explain what each line is doing.

Rick Morris Wed, 06/18/2008 - 09:44

permit udp any host x.x.x.x range bootps bootpc

-this will permit udp traffic for bootps and bootpc ports

deny ip any log

-this denies any type of traffic from any network to the network and logs it

permit udp any host x.x.x.x eq domain

-permits anything on my network to a specific host to communicate for DNS

permit tcp any any eq 443

-permits secure https traffic

permit tcp any any eq www

-permits any web traffic

deny ip any any

-denies any traffic that is not matched in the above lines

ACLs work top down. If there is no match it goes to the next line. If you do not specify deny ip any any it is just a given that this is done by default, so no need to specify this statement.

svillardi Wed, 06/18/2008 - 11:31


OK, I created one in the GUI:

permit any IP/ udp dhcp-c dhcp-s any Outbound

-allows any traffic to make a dhcp request

permit IP/ any udp dhcp-s dhcp-c any Inbound

-allows the dhcp server to respond to the client request

permit any IP/ tcp DNS any any any

-dns traffic to and from...

permit any any tcp http any any any

-allow http traffic anywhere

permit any any tcp https any any any

-allow https traffic anywhere

With the ACL on, no internet.

With the ACL off, internet.

Any ideas?

Also, I saw your example. Does that mean that the host would not be able to make an http/https request in the local network? Because I need to do that too.
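
Added example (not part of any post in this thread, and not Cisco code): a simplified first-match ACL model in Python showing the top-down evaluation discussed above, why a deny for internal ranges has to sit above the broad web permits, and what happens to a UDP DNS query when the DNS rule is written for TCP only. The 10.0.0.0/8 internal range, the 192.0.2.53 resolver and the sample packets are constructed assumptions.

```python
# Added example: simplified first-match ACL model (not Cisco code).
from ipaddress import ip_address, ip_network

ANY = ip_network("0.0.0.0/0")
INTERNAL = ip_network("10.0.0.0/8")      # assumed corporate range
RESOLVER = ip_network("192.0.2.53/32")   # constructed public DNS server address

def rule(action, proto, dst, port=None):
    return {"action": action, "proto": proto, "dst": dst, "port": port}

def evaluate(acl, proto, dst, port):
    """First match wins, top down. Returns (action, matching rule index)."""
    for i, r in enumerate(acl):
        if r["proto"] not in ("ip", proto):
            continue
        if ip_address(dst) not in r["dst"]:
            continue
        if r["port"] is not None and r["port"] != port:
            continue
        return r["action"], i
    return "deny", None  # implicit deny when nothing matched

GUEST_ACL = [
    rule("permit", "udp", ANY, 67),        # DHCP request to the server port
    rule("permit", "udp", RESOLVER, 53),   # DNS to the one allowed resolver
    rule("deny", "ip", INTERNAL),          # block internal ranges before web permits
    rule("permit", "tcp", ANY, 443),
    rule("permit", "tcp", ANY, 80),
]
# Same rules, but the internal deny sits below the web permits.
MISORDERED = GUEST_ACL[:2] + GUEST_ACL[3:] + GUEST_ACL[2:3]
# Same order, but the DNS rule is written for TCP only.
TCP_ONLY_DNS = [GUEST_ACL[0], rule("permit", "tcp", RESOLVER, 53)] + GUEST_ACL[2:]

PACKETS = {  # constructed sample traffic: (protocol, destination, dest port)
    "dhcp": ("udp", "255.255.255.255", 67),
    "dns": ("udp", "192.0.2.53", 53),
    "https_internet": ("tcp", "198.51.100.20", 443),
    "http_internal": ("tcp", "10.1.1.10", 80),
}

def verdicts(acl):
    return {name: evaluate(acl, *pkt)[0] for name, pkt in PACKETS.items()}

if __name__ == "__main__":
    for label, acl in [("guest", GUEST_ACL), ("misordered", MISORDERED),
                       ("tcp-only dns", TCP_ONLY_DNS)]:
        print(label, verdicts(acl))
```

With the misordered list the internal web server becomes reachable from the guest segment, and with the TCP-only DNS rule the client gets an address but cannot resolve names, which looks like "no internet" from the laptop.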

toddgermana Thu, 07/24/2008 - 09:36

I'm having the same issue with ACL while configuring it in the WCS.

Add any rule other than allow all - no access to anything (internet, ping, etc.)

Remove all rules - access to everything.

Am I missing something?

toddgermana Fri, 07/25/2008 - 09:45

Never mind - just needed to pay closer attention to what I was doing; I was blocking out the gateway to the internet.
