Guest Access Secure Enough?

toddgermana
Level 1

Equipment: 2106 controller, 1131AG, WCS 5.1.151

Internal users: Connect to 192.168.x.x network as normal wired users would. Authenticate through a radius server connected to AD. WPA2 used. Vlan1

Guest Users: Connect to controller through web-auth, DHCP on controller, Vlan2

ACL guest rules (in sequence):

1. Permit Source IP 0.0.0.0/0.0.0.0, Destination IP 192.168.1.5/255.255.255.255 (firewall)

2. Deny Source IP 0.0.0.0/0.0.0.0, Destination IP 192.168.0.0/255.255.0.0

3. Permit Source IP 0.0.0.0/0.0.0.0, Destination IP 0.0.0.0/0.0.0.0

I understand that the suggested method for the guest Wlan is to be in the DMZ on a separate controller. As each location has its own firewall/internet connection I find this solution expensive, an administrative nightmare, and probably overkill. My question is: Is my guest access secure enough with web-auth, separate vlan, and the access control list?
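The three guest rules above are evaluated first match wins, so their order decides whether a guest reaches the firewall, the internal range, or only the internet. The following simulator is an added example, not code from the original post or from Cisco: it encodes the question's rules exactly and evaluates sample flows against them. The guest client addresses and the internal host address are constructed for illustration; the question does not state the guest subnet.

```python
import ipaddress

# Guest ACL from the question, in the order the controller evaluates it
# (first match wins). The WLC writes masks as subnet masks, which the
# ipaddress module parses directly.
GUEST_ACL = [
    ("permit", "0.0.0.0/0.0.0.0", "192.168.1.5/255.255.255.255"),  # rule 1: firewall
    ("deny",   "0.0.0.0/0.0.0.0", "192.168.0.0/255.255.0.0"),      # rule 2: internal range
    ("permit", "0.0.0.0/0.0.0.0", "0.0.0.0/0.0.0.0"),              # rule 3: everything else
]


def evaluate(acl, src, dst):
    """Return (action, rule_index) for the first rule matching src -> dst.

    Falls through to ('deny', None), the implicit deny at the end of the list.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for index, (action, src_net, dst_net) in enumerate(acl):
        if (s in ipaddress.ip_network(src_net, strict=False)
                and d in ipaddress.ip_network(dst_net, strict=False)):
            return action, index
    return "deny", None


def order_matters(acl, src, dst):
    """True if swapping rules 1 and 2 changes the verdict for this flow.

    Shows why the firewall permit must precede the internal-range deny.
    """
    swapped = [acl[1], acl[0]] + acl[2:]
    return evaluate(acl, src, dst)[0] != evaluate(swapped, src, dst)[0]


def audit(acl, flows):
    """Evaluate a list of (src, dst, expected_action) flows; return the mismatches."""
    return [(src, dst, expected, evaluate(acl, src, dst)[0])
            for src, dst, expected in flows
            if evaluate(acl, src, dst)[0] != expected]


if __name__ == "__main__":
    guest = "10.10.2.50"                     # constructed guest client address
    flows = [
        (guest, "192.168.1.5", "permit"),    # firewall / gateway
        (guest, "192.168.10.20", "deny"),    # constructed internal host
        (guest, "203.0.113.7", "permit"),    # internet destination
    ]
    print("mismatches:", audit(GUEST_ACL, flows))
    print("rule order matters for firewall flow:", order_matters(GUEST_ACL, guest, "192.168.1.5"))
```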


Scott Fella
Hall of Fame

I personally don't like to use the ACL feature on the WLC. Why not create ACLs on the L3 interface of VLAN 2 to deny the guest network access to the internal network? If you have a different internet connection for guest, you can use one of the available ports for the guest traffic. This is specified in the interface you create for guest. If you have one internet connection, then create ACLs on the L3 switch.

-Scott
*** Please rate helpful posts ***

Why/what don't you like about the WCS ACL? Does adding the ACL to the VLAN as a secondary precaution create enough security (plus the web-auth)? Also, I don't have another internet connection.

The reason I don't like setting up ACLs on the WLC is that it really doesn't work as well, depending on your rules. ACLs are better managed on the L3 interface.

-Scott
*** Please rate helpful posts ***

I had to double check with one of Cisco's engineers and he came up with the same solution. Thanks for your help!

steve.gordon
Level 1

If you have a guest internet dmz in place, you can simply connect one of the physical distribution ports to the dmz, and have the guest wlan pointing to that interface.
