Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
New Member

Wap321 Management VLAN and captive portal

I would like to seperate guest users from the management vlan. I have configured the wap321 with the following vlans:

1 native untagged

200 "normal" users

300 guests (portal)

900 management

The wap321 is connected to a sg300 switch in layer3 mode. Now I would like to implement acls on the sg300 and deny routing between vlan 300 and 900. And i need two rules for tcp port 80 and 443 for the vlan to get users to the portal website. But these two rules would mean that guest users could also connect to the management interface of the wap321.

I also don't know why port 80 is needed, because I activated https for the portal. But it doesn't work if I only allow port 443.

And I tried to use the additional port option (port 8080), but this dowsn't seem to solve the problem. Does anyone have an idea how to seperate the portal (guest users) from the http(s) interface of the accesspoint?


Regards, Frank

New Member

Hi,I have the same problem. I


I have the same problem. I also tried:

enable Management Access Control on AP for some mgmt-IPs, but if you enable this, the portal becomes unavailable (the portal is not the mgmt page for me).

You had a solution?


My name Eric Moyers. I am an

My name Eric Moyers. I am an Engineer in the Small Business Support Center.

While what I am fixing to share is not in any way a great solution, It can be utilized as a workaround.

With set up on the RV180 and SG200, I set them up as normal. With the WAP321, after trying a few different scenarios that didn’t work. I simply set with two vlans, with Captive Portal attached to the second SSID, and changed the Management VLAN to match the second vlan,  In my case 2. (See the attached Picture)

This allowed me to authenticate to my guest captive portal and get an IP and get out to the internet. The Main SSID still worked as normal.

Now for some caveats:

Problem: If a wireless client knows the IP of the WAP and the username and password they could get into the WAP.

Solution: Setup Management Access Control to an IP outside the DHCP scope for that VLAN and have a Strong Password.

Problem: Management of the WAP321 can only be from an IP on the Management VLAN. (In my case 2)

Solution: Setup Management Access Control to an IP outside the DHCP scope for that VLAN and have a Strong Password.

Not the very best solution, but the only workaround I can come up with for now.

Eric Moyers
.:|:.:|:. CISCO | Eric Moyers | Cisco Technical Support |
Wireless and Surveillance Subject Matter Expert

Please rate helpful Posts and Let others know when your Question has been answered.

CreatePlease to create content