Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.


guest access

Got a bunch of 1231G AP standalone spread around the building floor and don't want to use WLAN controller. The access backhauls to a radius server with a certificate for our users. All AP has a dedicated VLAN. I want to setup a guest ssid which can only access internet. How do I do this? Any sample configs out there?

New Member

Re: guest access

Without a WLC, one might try the following.

1. Setup all AP's to use an SSID on the "guest" vlan. Make sure nothing else is on this vlan.

2. Setup a DHCP and DNS server on that VLAN. One 2003 server standard box should work.

3. Set the helper address to that server's ip address for that vlan.

4. Set the SSID open so clients can easily connect to the network.

5. Use static ACL's on that vlan that only allow HTTP / HTTPS / FTP / etc. to your internet gateway / firewall. If you don't want to use static ACL's for each protocol, you could do these additional steps.

6. Install ISA server in firewall mode with NAT enabled. Setup ISA rules to restrict certain types of traffic.

7. Setup one ACL on that vlan to force everyone through the "ISA server" or guest server.

8 Make the gateway of the dhcp scope the ISA server. You will need two nics for this. An inbound and an outbound. All traffic will come in on the inbound nic via the dhcp gateway setting, and then out the other nic to your internet. Since it is NAT'd, you'll see the outbound nic's ip address for the traffic. If you do this you'll probably need to open up some ports to allow VPN users too.

There are probably many many other ways to do this, but this should be a good place to start from. Anyone else have ideas that don't include a WLC?