Restrict Wireless Guest Internet Access

I am implementing a wireless guest solution for Internet access. I would like to restrict these users to Internet access only. I understand the concept of configuring a separate VLAN for them, but how can I restrict them to Internet only? I also have remote campuses that I would like to set up as well. I have an ASA 5520 for my firewall and am using metro Ethernet from the main campus to the remote campuses. Thanks for any help.

Hello,
I have found the simplest way of doing this is to apply an access list to the radio sub-interface for the visitor VLAN.
Set the access-list to allow any dhcp requests, deny any to a private network and permit any.
You could do it back at the ASA but there is a chance of the traffic getting onto the network first.
HTH.
Andy.
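
The rule order in the reply above (permit DHCP, deny private destinations, permit the rest) can be checked against sample flows before it goes on a device. This is an added example, not part of the original thread: a first-match evaluator in which the guest client, server addresses and flow names are constructed, and "private network" is assumed to mean the RFC 1918 blocks.

```python
import ipaddress
from typing import NamedTuple, Optional


class Rule(NamedTuple):
    action: str                  # "permit" or "deny"
    proto: str                   # "udp", "tcp", or "ip" for any protocol
    dst: str                     # destination network in CIDR form
    sport: Optional[int] = None  # None matches any source port
    dport: Optional[int] = None  # None matches any destination port


class Packet(NamedTuple):
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


# Assumption: "private network" means the three RFC 1918 blocks.
PRIVATE = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
DHCP = Rule("permit", "udp", "0.0.0.0/0", sport=68, dport=67)
PERMIT_ANY = Rule("permit", "ip", "0.0.0.0/0")

# Order from the reply: DHCP first, private destinations denied, rest permitted.
GUEST_ACL = [DHCP] + [Rule("deny", "ip", n) for n in PRIVATE] + [PERMIT_ANY]
# Same rules with DHCP placed after the denies, to show why order matters.
MISORDERED_ACL = [Rule("deny", "ip", n) for n in PRIVATE] + [DHCP, PERMIT_ANY]

# Constructed sample flows from a hypothetical guest client at 10.50.0.23.
FLOWS = {
    "dhcp_discover": Packet("udp", "0.0.0.0", 68, "255.255.255.255", 67),
    "dhcp_renew": Packet("udp", "10.50.0.23", 68, "10.1.1.5", 67),
    "internal_smb": Packet("tcp", "10.50.0.23", 49152, "10.1.1.20", 445),
    "internal_dns": Packet("udp", "10.50.0.23", 49153, "192.168.20.53", 53),
    "internet_https": Packet("tcp", "10.50.0.23", 49154, "198.51.100.10", 443),
}


def matches(rule: Rule, pkt: Packet) -> bool:
    """True when every field the rule specifies agrees with the packet."""
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(rule.dst):
        return False
    if rule.sport is not None and rule.sport != pkt.sport:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return True


def evaluate(acl, pkt: Packet):
    """First match wins; returns (action, 1-based rule index)."""
    for index, rule in enumerate(acl, start=1):
        if matches(rule, pkt):
            return rule.action, index
    return "deny", 0  # implicit deny when nothing matches


def verdicts(acl):
    """Action per sample flow, keyed by flow name."""
    return {name: evaluate(acl, pkt)[0] for name, pkt in FLOWS.items()}


if __name__ == "__main__":
    for name, pkt in FLOWS.items():
        print(name, evaluate(GUEST_ACL, pkt), evaluate(MISORDERED_ACL, pkt))
```

The `internal_dns` flow is denied by this rule set, so guests need a resolver outside the denied ranges or an explicit permit placed above the deny lines.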

Similar Messages

  • EA6100 AC1200 Blocking Guest internet access during specific times?

    I see that you can disable guest internet access for specific times but only for specific devices. What I want to do is turn off Guest access for all devices during specific times. 
    I am using this in an environment  where I will have different guests at different times with different devices and can't go in to block each one each time. 

    I think your only option at this time is to manually disable the Guest Wireless network when wanted.
    Please remember to Kudo those that help you.
    Linksys
    Communities Technical Support

  • Load Balance guest Internet access via two different DMZ zones at two sites

    Hi Sir,
    My customer has the following unified wireless guest access requirement:
    - There are 2 internet links and dmz zones at two different locations, Site A and Site B
    - Data centre is at Site A
    - WiSM is proposed to be installed at the Cat 6500 in Site A
    - Lightweight AP are distributed across Site A, Site B and other branches
    - Only one anchor WLC is proposed at Site A, DMZ zone to provide guest internet access
    My customer would like to load balance the guest via the two internet links at Site A and Site B but with the same SSID across all locations. Can it be done since only one anchor at Site A? How about putting another anchor WLC at Site B, DMZ zone? But how can I establish two EoIP tunnels to two different anchor WLCs from a single WiSM?
    Thanks for your help
    Delon

    You can... but you can't control where the traffic will flow. The WLC will determine which DMZ WLC it will use. The WLC will load balance, but traffic in site A might go to site B. I currently have deployed that scenario in multiple client installations....

  • Guest Internet access in the Enterprise

    We have set up guest internet access in our enterprise using GRE tunneling with a PIX. I'm trying to determine the best way to do authentication for users on this guest network.
    I think I can do RADIUS (using ACS) with the PIX as an NAS. Question is can I use a different type of server (such as MS IAS)? Can I use either one to utilize an existing MS Active Directory database?
    If I use radius on the pix for authentication, a login prompt pops up when a user tries to use the web. Is there a way to redirect users to a web page first and have the login embedded on the page? This is done in hotels now and I don't know if there's a Cisco solution for this.

    The following document lists all the supported databases:
    http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs33/user/d.htm

  • Corporate responsibility for logging guest Internet access

    Hi all
    Can anyone tell me what the requirement is in the UK for logging guest Internet access for guest users at my company? Is it a lawful requirement?


  • Wireless Guest Internet Only Access

    We just got our 4402 WLC with 1131ag access points up and running. We would now like to set up guest access with only internet access. Our vendor has suggested setting up a DMZ on our Checkpoint firewall and have it do DHCP and then setting up a WLAN on our controller for the guest access. My question is: what do I need to do on the switch side to set this up? Is it just as simple as creating a VLAN and giving it an IP address in the DMZ range? Or is there another way of setting up internet-only guest access?
    Any suggestions would be appreciated.
    Thanks in advance.
    Jeff

    It depends if all you are wanting to do is Internet-only on your controller. If that's it, then you can place your controller in a DMZ. Have a device hand out the DHCP information to your clients. Set your controller for layer-3 mode. Have your APs connect to your controller (make sure you have the correct ports allowed through your firewall between the APs and the controller). I would recommend placing the APs on a separate VLAN than other internal traffic with the appropriate LWAPP options configured in the DHCP scope.
    The clients will then associate to the SSID you have setup. They will pull an IP address from the DMZ.
    A few years ago on my first LWAPP deployment, I did this setup and it worked perfectly. I would also recommend having the DHCP server in the DMZ assign an IP address that is not routable in your internal network. That way, if somebody makes a mistake and there is leakage, the traffic can't be routed anywhere since the source IP address of the wireless client isn't routable. You can use this DMZ controller access for Internet only, which can also be used by internal people to VPN back to your internal network if you have that permitted.
    If however, you are planning to do both direct connection to your internal network and an internet-only connection (two different SSIDs) the best way is to get a small controller for your DMZ (like a 4402-12) and a larger controller for internal (4402-25 or 4404-100). Have your DMZ controller be a guest internet controller that is setup as the guest "anchor". There are lots of docs on the Cisco web site. This solution works great. I use a 4402-12 as a DMZ anchor and have about 20 4404-100s that are anchored to it.

  • New to Networking - Verizon Wireless Broadband Internet Access

    Hello,
    Just setting up my home network with a router and printer server.  However, when I went to set it up, it is looking for a cable to connect from the laptop to the router.  I use a Verizon Broadband wireless card that I insert into the PCMCIA slot on the laptop, therefore, no wires involved.
    Will this work with the router or do I need the cable connection for it to work.
    Also, in the setup it asks not only for the IP address (which I think I found) but also a subnet, gateway, dns, etc.  Any suggestions on where I can find this info.
    Or is this all just explained somewhere in an easy guide when using a wireless internet access card.
    Thanks in advance for any help.

    Thanks for the info.  Since I live in a rural location, the only options I have are either slow dial up with MSN or the broadband access card in my laptop with Verizon so I guess I will be limited to the internet only on my laptop if I want faster access.
    One thing, though, when I open the program for the verizon card (VZaccessmanager), it shows a symbol for linksys as an available network even though I didn't provide the ISP, etc. answers.
    The router that I am using is the WRT54GS and a WPS54G print server.
    And, yes, the ISP question was being asked during the final stages of router installation, along with the gateway question, etc.  Now that this isn't going to work with the access card, do I need to answer these questions? 
    Any help will be appreciated.  Thanks.

  • ASA 5510 Guest Internet Access

    I have a subnet for guest network access, both wired and wireless.  We have a Netgear ProSafe that is trunked to a Cisco 2901 performing 'Router-on-a-Stick'.  For most internal traffic, it all stays behind the ASA.  But for guest traffic, I have a route-map that sets the next-hop address as the outside interface of the ASA.  The question is, how can I still permit those users to access our internal DNS servers?  Do I need any particular NAT translations, exemptions, DNS doctoring, hairpinning, etc.?  I have an ACL on the inside interface that permits traffic from the guest networks to our internal DNS servers, and then the next ACL line denies any other traffic from the guest networks to any of our internal networks.
    Regards,
    Scott

    Hello Scott,
    Your ASA will need to have a route for both networks.
    You will also need the following command:
    same-security-traffic permit intra-interface
    The thing is that the packets from the guest vlan will go directly to the ASA as its default gateway, then packets will be routed to the Router on stick and finally to the DNS server, the reply will go from the DNS to the Router on stick and then directly to the Guest user.
    Nat exemption will look like this:
    access-list nonat permit ip 192.168.14.0 255.255.255.0  host 192.168.11.6
    access-list nonat permit ip 192.168.14.0 255.255.255.0  host 192.168.11.4
    nat (inside) 0 access-list nonat
    Please give it a try, also please provide packet tracer
    packet-tracer input inside udp 192.168.14.10 1025 192.168.11.4 53
    Regards,
    Julio
    Rate helpful posts

  • Guest Internet Access

    Hi
    Looking for input on Guest Vlan subject.
    How can I avoid routing of Guest VLAN traffic to DATA VLAN? Any traffic from Guest VLAN should be routed to Internet directly.
    Looking for similar setup as in Hotels, Guest are provided with username/password with time duration to access internet and limit the download speed.
    Do I need to create another SSID on the WLC and how the guest users will acquire ip, from WLC DHCP or Windows DHCP.
    If it's Windows DHCP then Guest traffic reaches my Data VLAN.
    Any Help

    We got WLC 4420 ----- Do you mean a 4402-xx
    AP 1200 series ( 5 in quantity )
    I am new to WLC, can you help me to understand
    How many SSID we can configure on WLC, does each ssid can have different config parameters.
    The APs and the code you might have will only support 8-16.  You don't want to configure too many (best practice is around 4) because all the beacons that need to be sent might cause issues with certain devices.  You can configure each SSID the same or different, it is up to you.  Follow best practices on this.
    can we broadcast specific SSID on AP configured with WLC ( AP#1 can be used for SSID DATA & SSID Guest ) ( AP#2 can be SSID Guest & SSID Partners )
    You can create WLAN Override (depends on code - http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00807669af.shtml) to specify what APs will broadcast what SSIDs.  This can be messy if you have gaps for roaming, unless that is not an issue.
    For Guest SSID is it recommended to connect to a separate port on WLC
    You have different options:
    You can use a guest anchor controller in your DMZ
    You can use one port on the WLC connected to your internal network and the other port to the DMZ
    You can trunk vlans and use ACL's to block guest traffic from inside networks.
    All this depends on your current infrastructure and if you plan on buying more equipment or use the existing.
    Instead of creating Guest Users on WLC with time restriction, can this be done third party with ease of management. ( Office secretary can give access to internet to guest )
    You can use a NAC Guest Server... if you want to spend a lot of money.  You can configure a Lobby Admin account on the WLC so that the secretary has only read/write to add guest accounts.  This would be the same if you have WCS with a lobby admin account.
    http://www.cisco.com/en/US/docs/wireless/wcs/4.2/configuration/guide/wcsmanag.html#wp1078208
    How to have bandwidth control on WLC, restrict users with bandwidth limit
    You would need to use a 3rd party tool for this like ZoneCD or again you can use the NAC Guest Server.
    http://www.cisco.com/en/US/solutions/collateral/ns340/ns394/ns348/ns787/data_sheet_c78-456124.html
    http://www.google.com/url?q=http://cisco.com/application/pdf/paws/107630/WLC_NGS.pdf&ei=WtSTS9HpN43OM_WnkYoN&sa=X&oi=nshc&resnum=1&ct=result&cd=1&ved=0CAgQzgQoAA&usg=AFQjCNF0eA-Z8nss7WzgpPRnFjtSdZnvWQ
    http://www.google.com/url?q=http://www.cisco.com/en/US/solutions/collateral/ns340/ns394/ns348/ns787/DeployingGuestAccess_051308.pdf&ei=WtSTS9HpN43OM_WnkYoN&sa=X&oi=nshc&resnum=1&ct=result&cd=2&ved=0CAkQzgQoAQ&usg=AFQjCNGKgF_wWKQaI8lqHoFfwbg0iztVFg
    Any configuration sample link with one Internet connection having DATA and Guest VLAN  using ACL to restrict  the traffic.
    I put some links above... hope this helps.  Again, it will come down to your existing environment and how much more you want to spend.  You also have to look at the time it might take to set up, will the secretary want to do this, etc.?  How I see guest access..... well.... they go out a separate internet pipe, so I don't really care about bandwidth.  It's guests, so they would have to deal with that anywhere they go, even hotspots or even worse hotels :)  Make it simple and make it work... then you can add to that later when you get more familiar with configuration and troubleshooting.

  • Advice regarding house guest internet access through Airport Express

    I would like to set up trouble-free (on my part and my house guests) access to the internet. Any thoughts or suggestions? It seems to me that if folks may have reasonable access to cable/satellite TV and telephone, or what have you, it is also reasonable to make available to them the internet. What is the best way to go about doing this? I have an existing home wireless system using Airport Express (may also work in a Netgear WG614 wireless router). Mostly, I am concerned with the technical aspects but would also like to hear from anyone regarding the legal/social ramifications. Any such solutions must take into account both Windows and Mac environments. Thanks.
    17 in. iMac G5 ALS (1.8 GHz)   Mac OS X (10.4.5)   iMac G3 DV (400 MHz), Airport Express, 3rd gen iPod

    Meme,
    A nice touch, and one that made me choose one small hotel over another when I used to travel a lot.
    I can't give a complete solution, but I can give you bits of info, which others will also do.
    One thing that probably is a must, is to set Wireless Isolation. That is that although all the wireless clients can see the internet, they can't see each other. I'm not sure that the AE supports this, I honestly thought it did, but now I can't find it. The Netgear will support it.
    Wireless encryption will be a must too, you may even want to make it a "closed network", so that the network does not advertise its presence. Clients wishing to connect must specify ("key in") the network name and connect. That may be just a little too difficult for some business travellers. Back to wireless encryption, some may say to use some ultra-modern hi-tech secure encryption algorithm to be really safe, but these are enormous long passwords that your clients will have to key. Those with older computers may not support the latest encryption methods. Some may recommend WPA, I'd say WEP (more compatibility) and a simple (non-dictionary) password, like "@pple" or "@irPortXPr3ss" or any easy to communicate word(s) with a few letters replaced by vowels or (printable) symbols. It is up to you how often you change the password.

  • Using Gigabit Adapter for intranet access, wireless for internet access

    I have a PowerMac G5 I have been using with a built-in wireless adapter for a couple of years. I also have a Windows PC with a wireless adapter as well. Both of these access the internet over my AirportExpress connected to a cable modem.
    I wanted to take advantage of the Gigabit adapter in the PowerMac for copying files directly between the computers, so today I installed a Gigabit card in the PC and connected the two through a Gigabit switch.
    Unfortunately, I can't seem to get either the Mac or the PC to get valid IP addresses, let alone talk with each other.
    Any idea what I need to do on the Mac to get it to use the gigabit adapter for intranet traffic? I am guessing whatever I do on the Mac I will need to also do on the PC.
    Thanks!
    Brian

    What you're trying to do is called 'dual homing', and it's not really supported by OS X's automatic network configuration, though 'Internet Sharing' is close.
    I'd avoid it if at all possible. Connect the computers and the cable modem to the Gigabit switch. If the switch doesn't have routing capability, you might need a router also, to provide DHCP and NAT services. This would save you a lot of grief compared to figuring out how to set up the Mac and Windows for dual-home operation.

  • Wireless Guest Authentication Requirement

    Hello,
    We have one wireless guest authentication requirement.
    For any guest coming should get connected to SSID and need to redirect to a Web portal application form, there guest should request desired Username, and password and duration for wireless guest internet access.
    This request alert should go to IT team and they will verify and create account with requested username, password with specified duration
    Please let me know if we can do it in WLC .
    With Regards
    Dev

    To complete this task, Please refer this guide:
    http://www.cisco.com/en/US/solutions/collateral/ns340/ns414/ns742/ns744/docs/howto_61_byod_provisioning.pdf

  • WRT54GS Internet Access Restriction Policies

    I am finding it challenging to correctly define Internet Access Restriction
    policies on my Linksys WRT54GSv4 wireless router. Documentation does not
    describe multiple policies being enabled.  I think that multiple policies
    should be from most restrictive to least, but I am not sure.
    I wish to deny Internet access from my child's WII and PSP from 10:30 PM to
    6:30 AM.  Also, I want to filter all hosts for blocked words and blocked
    sites.
    Currently, I have three policies:
    1) Child_Evening --
    WII and PSP MAC Filter
    10:30 PM to 11:55 PM
    Deny
    2) Child_Night --
    WII and PSP MAC Filter
    12:00 AM to 6:30 AM
    Deny
    3) SiteWord --
    IP Range 192.168.1.2 - 254
    Block Various Sites
    Block Various Words
    I would like input as to the correct use of multiple Internet Access
    Restriction policies

    Create an Internet Access Policy:
    1. Internet access Policy - 1
    2. Enable.
    3. Child Access(Name of the policy)
    4. Deny range 192.169.1.252
    5. 10:30 PM to 11:55 PM - Everyday
    6. Blocked Services - All
    7. Port Range Start - 1  ;  End - 61000
    8.Save Settings
    9.Rebooting....
    You deny all access through by all services to any sites.
    Create the same policy with different number and name to deny access  from 12:00 AM to 6:300 AM..
    Url Filtering Policy to deny adult sites, they're too much with different url address.You can deny most of them,but not all.
    Good Luck!!!!!
    Thanks
    Kind Regards
    ing.George Gochev
    DSL and Telecommunications Engineer

  • Wireless guest and HTTPS sites issue

    Dear all,
    I'm experiencing an issue with wireless guest, when accessing a site with https, the traffic is not intercepted by my controller, http sites are intercepted without any issue, I've found a document where this issue is mentioned as bug ID CSCar04580
    http://cisco.biz/application/pdf/paws/108501/webauth-tshoot.pdf
    could you please let me know what the fix is?
    Thanks,

    Thanks for the feedback, however I've added the 443 port and the traffic
    is still not redirected.
    AP Fallback ................................ Enable
    Web Auth Redirect Ports .................... 80,443
    Fast SSID Change ........................... Disabled
    802.3 Bridging ............................. Disable
    Any other suggestion?
    Thanks,
    Aziz

  • RV042 Windows incompatibility HTTP Connections between Subnets without Internet access

    Hello, 
    We are a company of the banking sector
    We have two RV042 Router.
    One of this Router (R1) is configured for restrict users without internet access. This router doesn't internet connections, the Wan ports are blocked.
    Router 1: restricted users
    Router 1 IP Lan: 10.22.4.1/24   
    Router 1 IP Subnet 1: 10.22.1.2/24 (For communication with Web Servers on Lan 10.22.1.0/24)
    Pc1: 10.22.4.3/24
    DNS: 10.22.4.51/24 (This DNS Server have an Internet connection through subnet 2)
    The other router (R2) has an internet connection through the wan port for the access of the DNS Servers for respond to request of clients, and a web server in this subnet
    Router 2:  Web Server's LAN and Internet Connection for the DNS Server
    Router 2 IP Lan: 10.22.1.1/24
    Router 2 IP Subnet 2: 10.22.4.2/24 (For communication with restricted user on Lan 10.22.4.0/24)
    Web Server: 10.22.1.60/24
    We need to access the web server from the network restricted users.
    From Linux Operating System, the access to web server its ok
    But, from Windows Operating Systems, we can't access to web server. Time Out
    So, we think that there are some incompatibility between the Router RV042 and the windows operating systems 
    On the website of microsoft, there is an article regarding an incompatibility issue with the RV042 which could help
    http://support.microsoft.com/kb/934430
    we copied a file attachment.
    Thanks, sorry for bad English

    Hi,
    Have you also tested configuring static route?
    I am asking that, because RV042 does not support VLANs and following that cannot do inter-VLAN routing. Configuring subnet with Multiple Subnet option is only giving access to this subnet to internet. Unless a static route is not configured as where this traffic to be routed in the LAN, the router itself normally will drop the packet.
    If it works for you, this leads me to the thought that there is other routes that packets from LAN 10.22.1.0 to LAN 10.22.4.2 (and vice versa) are taking, but not necessarily the routers.
    Here I can just give a direction of where to look, but if you think you checked all possibilities, it would be better to contact the support line. They will help as long as the device is under warranty.
    Hereby the contacts:
    http://www.cisco.com/c/en/us/support/web/tsd-cisco-small-business-support-center-contacts.html
    Regards,
    Kremena
