Cisco Support Community
New Member

NAC ACL GuestUser

I have NAC set up for user-based role VLAN assignment, deployed as OOB VG L2. I have a default access, authentication, and user VLAN set up. The user VLAN is for guests. So, a guest opens their browser and the guest is prompted to enter credentials. Credentials are accepted. The browser refreshes IP and I get a "Limited connectivity...169.254.etc...". I get this error when I apply the below ACL to the 'user vlan' interface (i.e. ip access-group 110 in). When the ACL is not assigned, everything works fine and the guest can roam my entire internal network. My DHCP/DNS is on the 10.0.0.0 network. Anyone have any ideas why I am getting this error?

access-list 110 deny ip 192.168.41.0 0.0.0.255 10.0.0.0 0.255.255.255

access-list 110 deny ip 192.168.41.0 0.0.0.255 172.16.0.0 0.15.255.255

access-list 110 permit ip 192.168.41.0 0.0.0.255 192.168.41.0 0.0.0.255

access-list 110 deny ip 192.168.41.0 0.0.0.255 192.168.0.0 0.0.255.255

access-list 110 permit ip 192.168.41.0 0.0.0.255 any

Accepted Solutions
Cisco Employee

Re: NAC ACL GuestUser

Hi there -

What Vlan and IP does the guest user have when he experiences the web page challenging credentials?

What vlan and IP do you want the guest to have once the guest authenticates as a guest?

My initial thought is your ACL is denying the DHCP requests and the DNS requests, since you mention the DHCP and DNS are on the 10.0.0.0/8 network.

thxs

peter

2 REPLIES
New Member

Re: NAC ACL GuestUser

Peter,

Thank you for your assistance!!! It was the ACL denying the DHCP requests and the DNS requests.

-K
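
An added example (not part of the thread and not Cisco code): a minimal first-match model of the ACL posted in the question, showing which entry drops the guest's DHCP and DNS traffic and how two permit entries placed ahead of the denies change the result. The server address 10.0.0.10, the sample packets and the two permit lines in `FIXED` are assumptions; the thread does not show the ACL that was finally applied.

```python
from ipaddress import IPv4Address as IP

def _addr(tok, i):  # IOS address spec at tok[i] -> ((base, wildcard), next index)
    if tok[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tok[i] == "host":
        return (int(IP(tok[i + 1])), 0), i + 2
    return (int(IP(tok[i])), int(IP(tok[i + 1]))), i + 2

def _port(tok, i):  # optional 'eq <port>' -> (port or None, next index)
    return (int(tok[i + 1]), i + 2) if tok[i:i + 1] == ["eq"] else (None, i)

def parse(line):
    tok = line.split()  # access-list <n> <action> <proto> <src> [eq p] <dst> [eq p]
    src, i = _addr(tok, 4)
    sport, i = _port(tok, i)
    dst, i = _addr(tok, i)
    return tok[2], tok[3], src, sport, dst, _port(tok, i)[0]

def _hit(spec, ip):  # wildcard bits set to 1 are "don't care"
    return (int(IP(ip)) | spec[1]) == (spec[0] | spec[1])

def evaluate(acl, proto, src, sport, dst, dport):
    """First matching entry wins; no match falls through to the implicit deny."""
    for n, line in enumerate(acl, 1):
        action, p, s, sp, d, dp = parse(line)
        if (p in ("ip", proto) and _hit(s, src) and _hit(d, dst)
                and sp in (None, sport) and dp in (None, dport)):
            return action, n
    return "deny", None  # implicit "deny ip any any" at the end of every ACL

GUEST = "192.168.41.0 0.0.0.255"
POSTED = [  # the ACL from the question
    f"access-list 110 deny ip {GUEST} 10.0.0.0 0.255.255.255",
    f"access-list 110 deny ip {GUEST} 172.16.0.0 0.15.255.255",
    f"access-list 110 permit ip {GUEST} {GUEST}",
    f"access-list 110 deny ip {GUEST} 192.168.0.0 0.0.255.255",
    f"access-list 110 permit ip {GUEST} any",
]
# Assumed fix, not from the thread; 10.0.0.10 is a constructed placeholder server.
FIXED = ["access-list 110 permit udp any eq 68 any eq 67",
         f"access-list 110 permit udp {GUEST} host 10.0.0.10 eq 53"] + POSTED
# Constructed sample packets: (proto, src, sport, dst, dport)
DISCOVER = ("udp", "0.0.0.0", 68, "255.255.255.255", 67)
DNS = ("udp", "192.168.41.50", 53000, "10.0.0.10", 53)
WEB = ("tcp", "192.168.41.50", 53001, "203.0.113.7", 443)

if __name__ == "__main__":
    for name, pkt in (("DISCOVER", DISCOVER), ("DNS", DNS), ("WEB", WEB)):
        print(name, "posted:", evaluate(POSTED, *pkt), "fixed:", evaluate(FIXED, *pkt))
```

With the posted ACL the DHCP DISCOVER (source 0.0.0.0) matches no entry and falls to the implicit deny, and the DNS query is dropped by the first entry, while the guest's other traffic to the 10.0.0.0/8 network stays denied after the fix. DNS over TCP port 53 would need its own permit entry in the same position.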
