NAC ACL GuestUser

gomeso
Level 1

I have NAC set up for user-based role VLAN assignment deployed as OOB VG L2. I have a default access, authentication, and user VLAN set up. The user VLAN is for guest. So, a guest opens their browser and the guest is prompted to enter credentials. Credentials are accepted. The browser refreshes IP and I get a "Limited connectivity...169.254.etc...". I get this error when I apply the below ACL to the 'user vlan' interface (i.e. ip access-group 110 in); when the ACL is not assigned everything works fine and the guest can roam my entire internal network. My DHCP/DNS is on the 10.0.0.0 network. Anyone have any ideas why I am getting this error?

access-list 110 deny ip 192.168.41.0 0.0.0.255 10.0.0.0 0.255.255.255

access-list 110 deny ip 192.168.41.0 0.0.0.255 172.16.0.0 0.15.255.255

access-list 110 permit ip 192.168.41.0 0.0.0.255 192.168.41.0 0.0.0.255

access-list 110 deny ip 192.168.41.0 0.0.0.255 192.168.0.0 0.0.255.255

access-list 110 permit ip 192.168.41.0 0.0.0.255 any

Accepted Solution

pcomeaux
Cisco Employee

Hi there -

What VLAN and IP does the guest user have when he experiences the web page challenging credentials?

What VLAN and IP do you want the guest to have once the guest authenticates as a guest?

My initial thought is your ACL is denying the DHCP requests and the DNS requests, since you mention the DHCP and DNS are on the 10.0.0.0/8 network.

thxs

peter

Peter,

Thank you for your assistance!!! It was the ACL denying the DHCP requests and the DNS requests.

-K
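
The diagnosis above, as an added example that is not part of the thread and is not Cisco code: a small first-match evaluator run over ACL 110 exactly as posted, next to an assumed corrected version that permits DHCP and DNS ahead of the deny entries. The server address 10.0.0.10, the client address 192.168.41.50 and the sample packets are constructed, since the thread only says DHCP/DNS are on the 10.0.0.0 network.

```python
import ipaddress

ORIGINAL = """\
access-list 110 deny ip 192.168.41.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 110 deny ip 192.168.41.0 0.0.0.255 172.16.0.0 0.15.255.255
access-list 110 permit ip 192.168.41.0 0.0.0.255 192.168.41.0 0.0.0.255
access-list 110 deny ip 192.168.41.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 110 permit ip 192.168.41.0 0.0.0.255 any
"""  # ACL 110 exactly as posted in the question
FIXED = """\
access-list 110 permit udp any eq 68 any eq 67
access-list 110 permit udp 192.168.41.0 0.0.0.255 host 10.0.0.10 eq 53
""" + ORIGINAL  # assumed fix; 10.0.0.10 is a placeholder DHCP/DNS server
# Constructed packets: (protocol, source, source port, destination, dest port)
PACKETS = {
    "dhcp-discover": ("udp", "0.0.0.0", 68, "255.255.255.255", 67),
    "dhcp-renew": ("udp", "192.168.41.50", 68, "10.0.0.10", 67),
    "dns-query": ("udp", "192.168.41.50", 53000, "10.0.0.10", 53),
    "internal-smb": ("tcp", "192.168.41.50", 49152, "10.1.2.3", 445),
    "internet-https": ("tcp", "192.168.41.50", 49153, "203.0.113.5", 443),
}

def _num(addr):
    return int(ipaddress.IPv4Address(addr))

def _spec(tok):
    """Consume 'any' | 'host A' | 'A WILDCARD' [eq PORT]; return an (addr, port) matcher."""
    first = tok.pop(0)
    if first == "any":
        base, wild = 0, 0xFFFFFFFF
    elif first == "host":
        base, wild = _num(tok.pop(0)), 0
    else:
        base, wild = _num(first), _num(tok.pop(0))
    port = int(tok[1]) if tok[:1] == ["eq"] else None
    del tok[:2 if port is not None else 0]
    return lambda a, p: (_num(a) | wild) == (base | wild) and port in (None, p)

def evaluate(acl_text, proto, src, sport, dst, dport):
    """First match wins; a packet matching no entry hits the implicit deny."""
    for line in acl_text.strip().splitlines():
        tok = line.split()[2:]  # drop "access-list 110"
        action, rproto, rsrc, rdst = tok.pop(0), tok.pop(0), _spec(tok), _spec(tok)
        if rproto in ("ip", proto) and rsrc(src, sport) and rdst(dst, dport):
            return action, line
    return "deny", "implicit deny"

if __name__ == "__main__":
    for label, acl in (("original", ORIGINAL), ("fixed", FIXED)):
        print(label, {n: evaluate(acl, *p)[0] for n, p in PACKETS.items()})
```

The initial DHCPDISCOVER is sourced from 0.0.0.0, so the posted ACL drops it at the implicit deny rather than at the first entry, while DNS queries and unicast DHCP renewals are dropped by the first entry. With the two permits in front, guest traffic to the rest of 10.0.0.0/8 is still denied.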
