Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

WLC 4400 question

Hi

The scenario is as follows:

We deployed a WLAN with a WLC 4400 and several LWAPs. The main configuration include 2 SSID, one for guest access (internet and a limited access to internal resources) and one with complete access to the internal resources. For the "guest" SSID the access control is done trough an ACL placed in the core cat 6500 switch. This ACL blocks the access from "guests" to several subnets including the subnet where the WLC resides.

No one "guest" WLAN user can ping or access any host located in the subnet where the WLC is configured, but they can ping and access the WLC via https!!!

The goal is to block the acces to "guest" users to the WLC. And let the WLAN users with complet access to manage wirelessly the WLC.

Can this be done?

I know that the wireless administration can be enabled or disabled but it applies to all the WLAN users no just the "guest" users.

Any idea or suggestion is quite welcome

Roger

3 REPLIES
Cisco Employee

Re: WLC 4400 question

Hi Roger,

You can configure CPU ACL if you are running 4.0 release on your controller. In CPU ACL you can deny telnet as well as HTTP access from client subnet to the management ip address of the controller which will block the access of guest user to access the controller via web or cli and also you can block the icmp traffic from guest user subnet to the controller ip address.

You can configure acl from cli or web but to apply that acl to cpu you an do it via cli only.

HTH

Ankur

*Pls rate all helpfull post

New Member

Re: WLC 4400 question

Hi Ankur

Thanks a lot!

I did check the documentation for the WLC 4.0 and you are completely right.

The bad new for us is that the WLC we are working on has 3.2.78 version, so we first would need to upgrade to 4.0.

Anyway, you respone was very helpful. Thanks again.

Roger

New Member

Re: WLC 4400 question

is the guest ssid on the management interface or did you build a seperate interface/vlan?

183
Views
4
Helpful
3
Replies
CreatePlease to create content