Equipment: 2106 controller, 1131AG, WCS 5.1.151
Internal users: Connect to 192.168.x.x network as normal wired users would. Authenticate through a radius server connected to AD. WPA2 used. Vlan1
Guest Users: Connect to controller through web-auth, DHCP on controller, Vlan2
ACL Guest rules (in sequence):
1. Permit Source IP 0.0.0.0/0.0.0.0 Destination IP 192.168.1.5/255.255.255.255 (firewall)
2. Deny Source IP 0.0.0.0/0.0.0.0 Destination IP 192.168.0.0/255.255.0.0
3. Permit Source IP 0.0.0.0/0.0.0.0 Destination IP 0.0.0.0/0.0.0.0
I understand that the suggested method for the guest WLAN is to be in the DMZ on a separate controller. As each location has its own firewall/internet connection, I find this solution expensive, an administrative nightmare, and probably overkill. My question is: is my guest access secure enough with web-auth, a separate VLAN, and the access control list?
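To sanity-check what the three rules actually allow, here is a small Python model of the guest ACL as posted. This is an added example, not code from the original post or from Cisco; it assumes the controller evaluates rules top-down with first match winning and falls through to deny when nothing matches, and the guest client address 172.16.2.10 and the sample destinations are constructed values.

```python
import ipaddress

# Constructed model of the three guest ACL rules from the post.
# Each entry is (action, "source/netmask", "destination/netmask").
# Assumption: rules are evaluated top-down, first match wins.
GUEST_ACL = [
    ("permit", "0.0.0.0/0.0.0.0", "192.168.1.5/255.255.255.255"),  # firewall
    ("deny",   "0.0.0.0/0.0.0.0", "192.168.0.0/255.255.0.0"),      # internal nets
    ("permit", "0.0.0.0/0.0.0.0", "0.0.0.0/0.0.0.0"),              # everything else
]


def _net(spec):
    # "address/netmask" -> network object; strict=False tolerates host bits set
    return ipaddress.ip_network(spec, strict=False)


def evaluate(acl, src, dst):
    """Return (action, rule_number) for the first rule matching src->dst.
    Falls through to ("deny", None) when no rule matches (assumed default)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for number, (action, src_spec, dst_spec) in enumerate(acl, start=1):
        if s in _net(src_spec) and d in _net(dst_spec):
            return action, number
    return "deny", None


def audit(acl, src, destinations):
    """Evaluate a list of destinations for one source; returns {dst: (action, rule)}."""
    return {dst: evaluate(acl, src, dst) for dst in destinations}


def internal_exposure(acl, src, internal_net):
    """List the rules that permit src to reach anything inside internal_net.
    Useful for spotting 'permit' entries that sit above the deny for the LAN."""
    net = _net(internal_net)
    s = ipaddress.ip_address(src)
    hits = []
    for number, (action, src_spec, dst_spec) in enumerate(acl, start=1):
        if action != "permit" or s not in _net(src_spec):
            continue
        dst_net = _net(dst_spec)
        if dst_net.subnet_of(net) or net.subnet_of(dst_net) or dst_net.overlaps(net):
            hits.append((number, dst_spec))
        if action == "deny":
            break
    return hits


if __name__ == "__main__":
    guest = "172.16.2.10"  # constructed guest VLAN address
    samples = ["192.168.1.5", "192.168.10.20", "192.169.0.1", "8.8.8.8"]
    for dst, (action, rule) in audit(GUEST_ACL, guest, samples).items():
        print(f"{guest} -> {dst}: {action} (rule {rule})")
    print("rules exposing 192.168.0.0/16:", internal_exposure(GUEST_ACL, guest, "192.168.0.0/255.255.0.0"))
```

Running the model shows the rule set is destination-only (every source field is 0.0.0.0/0.0.0.0), that guests reach the firewall's inside address through rule 1 before the rule-2 deny is consulted, and that rule 3 covers everything outside 192.168.0.0/16. Rule 1 permits any protocol and port to 192.168.1.5; if the firewall offers services on its inside interface that guests do not need, narrowing that entry is the one obvious tightening this ACL allows.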
The reason I don't like setting up ACLs on the WLC is that they really don't work as well, depending on your rules. ACLs are better managed on the L3 interface.