Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Community Member

Guest SSID internet only

                   I am looking for the best practice of securing internet only SSID on controller. Would I use acl on controller for that ssid or on prtinemt interfaces to keep guest traffic from accessing networks that it souldn't?



Everyone's tags (4)
Community Member

Guest SSID internet only

Here's how I did it.

I have a 2504 WLC and an ASA 5510.

I dedicated one port on the WLC to the guest WLAN, and plugged that port directly into the DMZ interface on my ASA (for security reasons, make sure there is nothing else using this DMZ...only your guest WLAN).

The DMZ interface on the ASA is the gateway for the guest WLAN, and the WLC is serving DHCP for the guest WLAN.

To make for-darn-sure that guest traffic won't make it to the other WLANs I put ACLs in place, blocking traffic between the guest WLAN and the internal WLANs.  I also put ACLs on the ASA blocking traffic between this DMZ interface and the outside interface on the ASA, so as to prevent guest users from trying to go out the DMZ and back in the outside interface.

There are more ways to do it, but this is the basic configuration that I've got.  Seems to work pretty well so far.

Of course you'll still have to decide what security mechanism you want to use to manage access to your guest wirless network.


Re: Guest SSID internet only

You could secure in a combination of ways:

1. Create access lists on the contoller which restrict the guest SSID only to the DMZ resources such as guest only DNS server and webserver. The access-lists should be bidirectional.

2. If you have incorporated a radius server such as Cisco ACS, make sure that you setup access restrictions between the guest IP range (including the anchor controller) and your corporate subnets.

3. Make sure that the guest SSID is not mapped to the management interface but to another dynamic interface. This prevents the guest clients from picking up corporate ip addresses when the tunnel to the anchor controller fails.

I take it that you have already set up your guest access, however you can reference the link below, as it describes how to create ACLs on the controller:

Community Member

Guest SSID internet only

The way I did it, I didn't use an anchor controller...forgot to mention that.  I only have one 2504 controller.  Of course setting up an anchor is better if you've got one.

One question:

The guest traffic will be encapsulated in CAPWAP, thus putting the guest data onto the internal vlan which the APs use to communicate with the WLC.  The WLC then strips the CAPWAP header and process the guest traffic appropriately, forwarding it to the appropriate gateway as necessary.  This being the case, the guest traffic is making its way onto the internal LAN while being sent from the AP to the WLC.  Given that the guest traffic is encapsulated in CAPWAP, I don't think this poses a security risk (allowing the guest traffic onto the internal vlan via CAPWAP), does it?

I forgot also to mention that I have a dedicated vlan for WLC <--> AP traffic.  ACLs are applied to this vlan so that no other traffic is allowed in or out.

In absense of an anchor controller, this is the best way I can see to do it.

I hope the above question is clear.


Guest SSID internet only

With the ACLs in place there shouldn't be a worry about CAPWAP traffic.

CreatePlease to create content