I am having trouble configuring a Guest WLAN using web authentication. I am using a 4402 WLC running 18.104.22.168 to set it up. I also have a 3750 switch that the WLC connects to, and the 3750 connects to my ASA 5510 running 8.3.1. The guest WLAN is for internet access only. I can get onto the guest WLAN, and at first the guest and internal networks cannot communicate with one another, but once I access the internet they start responding to one another.
On the WLC it is set up for web auth. Under the WLAN tab, no layer 2 or 3 security. Web policy and auth are selected (thinking about using pass-through). Under interface I have the IP, gateway and DHCP servers entered.
I have tried extended ACLs on the ASA to block our internal network while allowing the guest WLAN internet access. I have also configured the switch port on the 3750 that the WLC connects to for trunking and allowing the guest VLAN.
Any ideas what I am missing or not configuring correctly?
I don't know exactly how your network is configured. Are you using an ANCHOR, or are you dropping the traffic on the doorstep of the WLC? So let's start with the basics.
I took the time and included a short topology for your own visual, based on what you provided so far. I understand you don't want the guest network to talk to the production network, correct? If this is the case I might suggest applying an ACL on the SVI interface of your GUEST WLAN.
Let's follow the packet... A user on the guest network 192.x.x.x pings a production client on the 10.x.x.x network.
1. The packet leaves the wireless client
2. It reaches the AP and LWAPP headers are applied
3. The packet travels the LWAPP tunnel back to the WLC
4. The WLC rips off the LWAPP 802.11 headers and applies the 802.3 headers
5. The WLC puts the packet on the wired interface
6. The next stop for the packet is through the SVI interface on your 3750
7. The ACL drops anything going to 10.x.x.x
You could apply an ACL in the WLC, but I would not recommend that...
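An example of the SVI ACL the answer above describes, added here as an illustration and not taken from the original thread. It assumes the 3750 is the default gateway for the guest VLAN; the VLAN number (192), the guest subnet (192.168.100.0/24), the production range (10.0.0.0/8) and the DHCP/DNS server addresses (10.0.0.10 and 10.0.0.53) are placeholders, not values from the thread.

```cisco
! ---- 3750: guest WLAN SVI with an inbound ACL (added example, placeholder values) ----
!
ip access-list extended GUEST-WLAN-IN
 remark Guest clients may use the DHCP server and DNS server that live in 10.x.x.x
 remark (assumed addresses; drop these two lines if those servers are not on the production net)
 permit udp any eq bootpc host 10.0.0.10 eq bootps
 permit udp any host 10.0.0.53 eq domain
 remark Let guests reach their own gateway (the SVI) for ARP/ICMP troubleshooting
 permit ip any host 192.168.100.1
 remark Block everything else from guests to the production network
 deny   ip any 10.0.0.0 0.255.255.255
 remark Anything else (internet via the ASA) is allowed
 permit ip any any
!
interface Vlan192
 description Guest WLAN SVI (gateway for the WLC guest dynamic interface)
 ip address 192.168.100.1 255.255.255.0
 ip access-group GUEST-WLAN-IN in
!
! Trunk to the WLC must carry the guest VLAN as well as the management VLAN
interface GigabitEthernet1/0/1
 description Trunk to WLC 4402
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan add 192
!
! ---- Verification ----
! show ip interface Vlan192            <- confirms "Inbound access list is GUEST-WLAN-IN"
! show access-lists GUEST-WLAN-IN      <- hit counters on the deny line should climb when a
!                                         guest pings a 10.x.x.x host
```

The ACL sits on the wired side of the WLC, so it filters guest traffic regardless of the client's web-auth state. That matters for the symptom in the question: before a client authenticates, the controller only lets DHCP and DNS through, so the production network looks unreachable; after web auth succeeds the WLC forwards everything, and without a filter at the SVI (or on the ASA) the 10.x.x.x network becomes reachable. Ordering inside the ACL is significant: the permits for the DHCP and DNS servers must come before the deny for 10.0.0.0/8, and if the WLC proxies DHCP from its guest dynamic interface those relayed packets are sourced from the guest subnet and need the same permit.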