WAP321 ACL to allow only 1 website

plastikjames1
Level 1

Hi there.

I am having a hard time setting up an ACL on a WAP321. The customer basically wants an open access point, that only allows access to one specific website. Is there any way to specify a domain name with an ACL on the WAP321?

 

Thanks

Eric Moyers
Level 7

Hello Sir, that is a great question. Will require some testing.

Can you describe the specific website or give me an example? Would this be an internal address or external?

There is not a way to do that with a domain name, but maybe with an IP Address. I can give it a try.

Just thinking out loud, maybe using a combination of vlans with the acl's tied to the guest vlan IP Range...

Would also have to have a router that can disable inter-vlan routing

Eric Moyers

Thanks Eric!

I had a feeling that would be the case. I tried an ACL with an IP address I got from pinging the site (JW.ORG) and some elements of the site worked. BUT the problem is that the site pulls resources from multiple IP addresses and these change from time to time.

I guess the task is in the too hard basket for the gear I have available. 

Thanks anyways!

Aaron

One last option might be to look at the router you have, since you're running a guest vlan, maybe there is an option to do some ACL's from there based on which vlan is hitting the router.

At least worth a look.

Eric Moyers
.:|:.:|:. CISCO | Cisco Presales Technical Support | Wireless Subject Matter Expert

Please rate helpful Posts and Let others know when your Question has been answered.

Yes, I do currently have the router allowing only access to the domain, but it causes issues with the wap321 captive portal sign in page which I would like to use. Not sure why. Which is why I wanted to get the AP to do the work.

No worries. Thanks a bunch!

What kind of issues, maybe we can address that?

Eric Moyers

It's odd. The login page will load no problem on first connection. Then the second time the same device connects, the login page will not automatically load. You have to load the login page manually to get it to work (not something the average user would do lol). I wondered if it had to do with the entire internet being blocked bar 1 page.  

I know what you're talking about.

Under local user there is an away timeout that is defaulted for 60 minutes. That means that after a user disassociates from the WAP, if they try to log in before 60 minutes they will still be in the authenticated User list and should bypass the login screen. If the time specified in this field expires before the client attempts to reauthenticate, the client entry is removed from the authenticated client list and they should have to log back into the Portal again.

This same setting is also under Instance configuration. I would make it the same in both places. There is also a session time out, I would leave that at 0 the default.

Hope this helps.

Eric Moyers 

 

Thank you! I will give it a go next week. For now I have changed out the router that was handling the access restrictions, and the captive portal looks like it's loading right. Just my redirect url is giving me issues now. For some reason the redirect puts the local IP address of the AP before the website, so of course it does not load the page.

If you click my name beside my picture, it will show my email. If you want to send me your configuration file and let me look at that, see if I notice anything.

You can change the password to something generic if you like. Just want to see your settings for Captive portal or you could send me a screen capture of those settings

Eric Moyers

Thanks Eric.

I have it working pretty sweet now. Finally. :) My problem was that I put the domain name in, and not http:// . I added that, and it's a charm!
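
A likely reason for the symptom in the post above, shown as an added example that is not part of the original thread: a redirect target without a scheme is a relative reference, so a client joins it to the portal page served by the AP. The portal address, path and site name below are constructed, and whether the WAP321 or the browser performs the join is an assumption.

```javascript
// Constructed values: AP portal page and target site are placeholders.
const PORTAL_PAGE = "http://192.168.1.245/portal/login.html";

// Resolve a configured redirect value the way a client resolves a
// Location header or link: relative references are joined to the
// URL of the page currently being displayed.
function resolveRedirect(configured, currentPage = PORTAL_PAGE) {
  return new URL(configured, currentPage).href;
}

// Check a redirect setting before saving it. Returns a list of problems;
// an empty list means the value is an absolute http(s) URL.
function checkRedirectSetting(value) {
  let parsed;
  try {
    parsed = new URL(value); // no base given: only absolute URLs parse
  } catch {
    return ["no scheme: clients will treat the value as a path on the AP"];
  }
  if (parsed.protocol !== "http:" && parsed.protocol !== "https:") {
    // e.g. "host:80/path" parses with the host name taken as the scheme
    return [`scheme is "${parsed.protocol}", expected http: or https:`];
  }
  return [];
}

// Walk through the cases: bare domain, scheme-relative, host:port, full URL.
for (const value of [
  "www.example.org",
  "//www.example.org/",
  "www.example.org:80/home",
  "http://www.example.org",
]) {
  const problems = checkRedirectSetting(value);
  console.log(value, "->", resolveRedirect(value),
    problems.length ? `[${problems.join("; ")}]` : "[ok]");
}
```
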

Fantastic, if all of your concerns have been answered, please mark your question as answered, so others will know that you found a solution. Also if you don't mind please rate the quality of support you received.

If we can do anything else in the future please let us know.

 

Eric Moyers 
