WLC ACL blocks internet only on Nook tablet

Win7 laptops work fine. Nook gets IP but no internet. ACL is on the Controller and even if I remove all rules and permit any/any, still no internet on Nook. If I take ACL off, Nook gets internet. I have googled this & can't find anything. Anyone ever come across this? 4404 running 1142 APs.

The Nook's IP is 10.33.64.11 & Barnes & Noble is 65.204.48.9
Without ACL:
609  41.490916000  65.204.48.9  10.33.64.111  TCP  60   https > 57580 [RST, ACK] Seq=1 Ack=1 Win=5204 Len=0
610  41.490988000  65.204.48.9  10.33.64.111  TCP  128  https > 57580 [RST, ACK] Seq=1 Ack=1 Win=5204 Len=0
582  35.100123000  65.204.48.9  10.33.64.111  TCP  60   https > 53596 [RST, ACK] Seq=1 Ack=1 Win=5613 Len=0
583  35.100201000  65.204.48.9  10.33.64.111  TCP  128  https > 53596 [RST, ACK] Seq=1 Ack=1 Win=5613 Len=0
With ACL:
109  18.001621000  Cisco_18:1c:03     PVST+           STP     64   Conf. Root = 4096/1/00:0a:b7:18:1c:00  Cost = 0  Port = 0x8003
110  18.426866000  Barnes&N_0d:eb:d3  Cisco_e8:63:f0  802.11  146  Probe Request, SN=339, FN=0, Flags=...P...., SSID=WDC-Guest-TestLab
111  18.432880000  Barnes&N_0d:eb:d3  Cisco_e8:63:f0  802.11  146  Probe Request, SN=340, FN=0, Flags=...P...., SSID=WDC-Guest-TestLab
112  19.515568000  Cisco_58:6b:40     Broadcast       ARP     60   Who has 192.168.107.1?  Tell 192.168.107.100

Similar Messages

  • WLC ACL For Internet Access Only

    I've implemented Cisco ISE 3495's with the advanced subscription license. I've built my policy sets, and authorization profiles. It all works great! Here's the issue that I'm having. I have internal employees who bring in their own devices (BYOD). I want to allow them onto the secured SSID that I've created, but only want to give them access to the intra/internet. I've created an ACL (EmpInternetOnly) on the WLC. Here are my rules:
    I can get to the intranet, with no issue (ACL lines 1-4).  I can't get to the internet whatsoever.  I see everything falling down to the deny statement.  When I remove the deny statement (ACL line 14), and put a permit all, then the internet works with no issue.  Am I missing something here?  I've researched this topic on several message boards, but can't find an answer.  I've tried to run the acl debug, on the controller, but do not see any output when I run it.  It might be because I don't understand the proper format of how to set it up.  Any and all replies would be much appreciated!  Thanks!
    Steve

  • Guest SSID internet only

    I am looking for the best practice of securing an internet-only SSID on a controller. Would I use an ACL on the controller for that SSID or on pertinent interfaces to keep guest traffic from accessing networks that it shouldn't?
    thanks,
    Jerry

    The way I did it, I didn't use an anchor controller...forgot to mention that.  I only have one 2504 controller.  Of course setting up an anchor is better if you've got one.
    One question:
    The guest traffic will be encapsulated in CAPWAP, thus putting the guest data onto the internal vlan which the APs use to communicate with the WLC.  The WLC then strips the CAPWAP header and process the guest traffic appropriately, forwarding it to the appropriate gateway as necessary.  This being the case, the guest traffic is making its way onto the internal LAN while being sent from the AP to the WLC.  Given that the guest traffic is encapsulated in CAPWAP, I don't think this poses a security risk (allowing the guest traffic onto the internal vlan via CAPWAP), does it?
    I forgot also to mention that I have a dedicated vlan for WLC <--> AP traffic.  ACLs are applied to this vlan so that no other traffic is allowed in or out.
    In absence of an anchor controller, this is the best way I can see to do it.
    I hope the above question is clear.

  • Best way to have internet only wireless network

    Our current way of configuration for this is standalone APs with multiple SSIDs. The main network SSIDs are on the 10.0.0.0 networks. The internet-only SSID is on the 192.168.1.0 network (this is a wireless network only, no wired). They all get their DHCP address from a layer 3 switch. To prevent the wireless 192.168.1.0 internet-only network from getting to the 10.0.0.0 networks, we just put a simple source & destination deny ACL on the in VLAN interface of the 192.168.1.0 network on the layer 3 switch.
    Now that we are implementing a Cisco 2504 controller, the management and AP manager are both on the 10.0.0.0 network (both on port 1 with dynamic AP manager enabled). I can set up as many SSIDs on the 10.0.0.0 network and they all work fine. But when I set up the 192.168.1.0 internet-only SSID it will not connect. I'm assuming that it's because the 192.168.1.0 network or anyone trying to connect and use that network has to go through the controller located on the 10.0.0.0 network. I'm thinking that the ACL on the VLAN interface is the problem.
    Please correct me if i'm wrong here on any of the above thinking. So, if I'm correct, what is the best way to setup a separate internet only network through the private networks? I'd appreciate any advice on this subject as I'm new to the lan controller way of doing things.
    Thanks

    So it should be working, you may need to disable proxy on the WLC. Controller > Advanced > DHCP and uncheck the proxy box.
    If you do this, you need to make sure you have ip helper-address configured under the L3 interfaces.
    HTH,
    Steve
    Please remember to rate useful posts, and mark questions as answered
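
A first-match check of the guest-VLAN deny rule described in this thread, as an added example that is not part of the original posts: it models the ACL as an ordered list, evaluates constructed sample flows, and shows how reversing the rule order lets guest traffic reach 10.0.0.0 addresses. The /24 and /8 masks, the host addresses and the function names are assumptions.

```python
import ipaddress

# Ordered ACL on the guest VLAN interface (inbound), modelled on the
# "source & destination deny" rule from the thread. Masks are assumed.
GUEST_ACL = [
    ("deny",   "192.168.1.0/24", "10.0.0.0/8"),
    ("permit", "0.0.0.0/0",      "0.0.0.0/0"),
]

# Same rules in the wrong order: the permit shadows the deny.
MISORDERED_ACL = list(reversed(GUEST_ACL))

# Constructed sample flows: (label, source, destination, intended verdict).
FLOWS = [
    ("guest -> internal host",  "192.168.1.50", "10.0.5.20",       "deny"),
    ("guest -> controller net", "192.168.1.50", "10.0.0.5",        "deny"),
    ("guest -> internet host",  "192.168.1.50", "203.0.113.10",    "permit"),
    ("guest DHCP discover",     "0.0.0.0",      "255.255.255.255", "permit"),
]


def evaluate(acl, src, dst):
    """First-match evaluation; returns (action, index of matching rule).

    A packet that matches no rule hits the implicit deny (index None).
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for index, (action, src_net, dst_net) in enumerate(acl):
        if s in ipaddress.ip_network(src_net) and d in ipaddress.ip_network(dst_net):
            return action, index
    return "deny", None


def audit(acl, flows):
    """Return the flows whose verdict differs from the intended one."""
    mismatches = []
    for label, src, dst, intended in flows:
        action, index = evaluate(acl, src, dst)
        if action != intended:
            mismatches.append((label, action, index))
    return mismatches


if __name__ == "__main__":
    for name, acl in (("guest ACL", GUEST_ACL), ("misordered ACL", MISORDERED_ACL)):
        print(name, audit(acl, FLOWS) or "matches intent")
```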

  • PXE boot OSD connects to Internet-only Management Point. A bug?

    So here is the deal: SCCM registers the Management Points to be used in DPs PXE in a Registry file, it is done in alphabetical order (or install order), so all PXE boots will always connect to the first MP (Microsoft, WTF?). In my case, the first is an INTERNET ONLY MP, why would PXE Booted OSD connect to that? Brrr..
    Solution is to edit the registry, put the MPs in the right order and then it works like a charm.. until some SCCM maintenance task overwrites it with the default MP list, including internet only MP as first.
    MPs don't respect boundaries and I cannot just block the ports (OSD will be slow, it first tries to connect to the internet MP, times out, then uses the next one).
    A) This behaviour is a bug. PXE Boot should NEVER connect to Internet Only MP (OSD is not supported for IBCM).
    B) Does anybody know what maintenance overwrites the DPs registry key "ManagementPoints"?
    I cannot just use one MP. All external MPs are configured for internet only, internal MPs are configured intranet only. 
    Ideas?

    The distribution manager on the site server is the component that populates the MP list on the registry of DP/PXE.
    Dist mgr currently writes all the MPs and does not filter-out the internet-facing MPs.
    Even if you manually edit the registry on the DP, dist mgr will over-write it the next time it updates the DP. You can try to put an ACL on the registry key which prevents the site server from updating it. However, the DP will never get updated by the site for other things.

  • Blocking Internet to few users alone

    Hi 
    In my network I have a Cisco 1941 router and 3750 switch. Users are configured on VLAN 2 with a /24 range. I need to block Internet and allow email for selected users.
    I tried to exclude the selected users from getting NATted so their Internet would be blocked, but it prevented the users from email too (users can send email but not receive). The users use a POP account to get their email.
    So how do I block the Internet for selected users but allow only email?
    regards
    logesh

    Assuming you have an ACL to block your /24, add an ACE to allow access to known email server IPs or open up the ports used by pop (usually port 25), or do both.

  • How to connect iphone 4s to nook tablet

    Where can I get a cable to hook an iPhone 4s to a nook tablet?

    For what?
    If there is such a cable, you wouldn't be able to do anything such as transferring data.
    I believe the only cable connection for a NOOK is for charging the battery.

  • Wireless Guest Internet Only Access

    We just got our 4402 WLC with 1131ag access points up and running. We would now like to set up guest access with only internet access. Our vendor has suggested setting up a DMZ on our Checkpoint firewall and have it do DHCP and then setting up a WLAN on our controller for the guest access. My question is: what do I need to do on the switch side to set this up? Is it just as simple as creating a VLAN and giving it an IP address in the DMZ range? Or is there another way of setting up internet-only guest access?
    Any suggestions would be appreciated.
    Thanks in advance.
    Jeff

    It depends if all you are wanting to do is Internet-only on your controller. If that's it, then you can place your controller in a DMZ. Have a device hand out the DHCP information to your clients. Set your controller for layer-3 mode. Have your APs connect to your controller (make sure you have the correct ports allowed through your firewall between the APs and the controller). I would recommend placing the APs on a separate VLAN than other internal traffic with the appropriate LWAPP options configured in the DHCP scope.
    The clients will then associate to the SSID you have setup. They will pull an IP address from the DMZ.
    A few years ago on my first LWAPP deployment, I did this setup and it worked perfectly. I would also recommend having the DHCP server in the DMZ assign an IP address that is not routable in your internal network. That way, if somebody makes a mistake and there is leakage, the traffic can't be routed anywhere since the source IP address of the wireless client isn't routable. You can use this DMZ controller access for Internet only, which can also be used by internal people to VPN back to your internal network if you have that permitted.
    If however, you are planning to do both direct connection to your internal network and an internet-only connection (two different SSIDs) the best way is to get a small controller for your DMZ (like a 4402-12) and a larger controller for internal (4402-25 or 4404-100). Have your DMZ controller be a guest internet controller that is setup as the guest "anchor". There are lots of docs on the Cisco web site. This solution works great. I use a 4402-12 as a DMZ anchor and have about 20 4404-100s that are anchored to it.

  • I cannot get my iMac with built-in airport to allow internet connections to Nook and PS3. The devices access the network, but internet connection fails. Internet sharing is enabled, network security (WEP, WPA) is completely off.  What to check next?

    I cannot get my iMac with built-in airport wi-fi to allow internet connections to Nook and PS3. The devices access the network, but internet connection fails. Internet sharing is enabled, network security (WEP, WPA) is disabled.  What to check next?

    On an additional note, I've purchased a wireless router and everything connected on the first attempt.  It just vexes me that the built-in wireless isn't working as a router.  Is this another example of "Mac only plays with Mac"?

  • Firefox either closes suddenly when I click on the address bar after startup or it hangs and also blocks internet explorer from loading

    On my Windows XP sp3 system the current the last two releases of Firefox both exhibit the same behavior. When I launch Firefox it will either shutdown within seconds with no crash reporter or other error logged or it will hang completely and indefinitely. When it hangs it also blocks internet explorer 8 from loading. I have tried and followed all the steps in the crashing FAQ including safe mode, uninstalls, re-installs, profile deletes (even the profile dialog closed suddenly). I use Norton Internet Security version 18.6.0.29. A full virus scan does not find any problems. I have disabled all toolbars, plugins and addons and the problem persists. Google Chrome, Internet Explorer and Opera all work fine. Only occasionally does Firefox load and keep running. It's as if it is failing on some check at startup and either crashes or hangs most of the time.

    That is a Flash Player that plays an MP3 file.
    *http://instantteleseminar.com/?eventid=29457633
    *http://ds1.downloadtech.net/cn1086/audio/59175301551694-002.mp3
    Is Flash installed and working?
    *http://www.adobe.com/software/flash/about/
    *http://helpx.adobe.com/flash-player.html
    *http://helpx.adobe.com/flash-player/kb/troubleshoot-games-video-audio-flash.html
    Start Firefox in Safe Mode to check if one of the extensions or if hardware acceleration is causing the problem (switch to the DEFAULT theme: Firefox/Tools > Add-ons > Appearance/Themes).
    *Don't make any changes on the Safe mode start window.
    *https://support.mozilla.org/kb/Safe+Mode
    *https://support.mozilla.org/kb/Troubleshooting+extensions+and+themes

  • Please help: Nook Tablet app development with AIR/Flash CS5.5?

    Hello,
    I developed my first-ever iOS app using Flash CS5.5 (the app has stability issues, addressed in a separate thread).  Next on the list is Android deployment.
    Can anyone indicate if Flash CS5.5 can be used to develop Android apps for the Nook Tablet?  My problem is that the Android-based guidance I've read tells you to take your Android device and configure it for "USB Debugging."  The Nook Tablet has no such setting, unlike many other Android phones and tablets.  Basically, I need current step-by-step guidance on Android development, plus any guidance on anything different that needs to be done for the Nook Tablet.  Thank you for any advice.

    Hi, I can confirm that you can develop apps for the NOOK color and tablet. You must use Air 2.6 since the device is pre loaded with that version of air.
    Some devices don't support USB debugging, like my Kindle Fire; however, a more painful way of doing it is to publish out an apk and then manually load it on to your device either through a file manager of some sort or by emailing yourself the file and then installing it. Be sure to enable your device to accept unknown source files.
    I recently published a couple of apps to the NOOK store that I had only tested on an HTC phone and the kindle fire and they both passed the test so I believe the NOOK seems to behave very similar to most android devices and the kindle fire, same dimensions at least as the KF.

  • Can I Convert My 5GB Internet Only to Phone Plan???

    Hmmmm, over 50 views & not one reply to my earlier query . . . perhaps I did not phrase my question clearly.
    I currently have a Verizon 5GB Internet Only plan that I started in December 2010 with the acquisition of my MiFi 2200 HotSpot.  At first all was great, but in the last two months, not only has the speed degraded to the point where it's not even worth trying to download a video from YouTube or partake in a conversation with friends, but my usage seems to have gone through the roof!
    Before I was using 3 ~ 4 GB / month, two months ago it was 5 GB & this past month, I had to pay an extra $10 for my overage of 1 GB.  I am only home during the evenings & early mornings, and only have my mac mini & mac book currently hooked up to the network which I have been told is "well-protected" & secure.
    That all said, I am less than thrilled with the MiFi HotSpot system & am exploring other options for my internet access.  I currently have my cell phone with another carrier & that contract will expire in two months.
    What I wanted to know was if there was a way that I might be able to "transfer" the balance (18 months) of my Verizon contract to a cell phone plan without incurring the exorbitant Early Termination Fees.
    Any help or ideas would be much appreciated.

    I would like to thank all of our community members for your support. Here is the deal, since you are under contract if you cancel the line there would be an Early Termination fee. However, as a loyal customer we will allow you to turn the line into a voice line. You will have to provide your own phone or purchase a phone at full retail value. There are always rules regarding data lines and this solution will not fit every case. I recommend that if anyone else is thinking about switching their lines from data to voice or vice versa, that you call our customer service department to discuss your individual options.
    Our Customer Service Department is open from 6:00 a.m. to 11:00 p.m., daily. If you wish to speak to a representative, please call  1-800-922-0204 from a different phone.

  • How to block internet connection for a period of time?

    Hey guys, is there a way to block internet connection via a LAN connection for a period of time? A program that, when my PC is booted up, runs secretly and at the scheduled time blocks the internet connection with no pop-up. When I'm not at home, some person uses my PC to use my internet connection every day. I can't lock up my PC since my brother or my dad uses it.

    Hi,
    You could create a schedule task to achieve this.
    For the detailed solution, please refer to this thread:
    https://social.technet.microsoft.com/Forums/en-US/7544cbed-507d-4eef-907d-bafb99b45411/disable-internet-for-a-set-period-of-time?forum=w7itprogeneral
    Karen Hu
    TechNet Community Support

  • When Firefox last automatically updated, it suggested that Adobe reader needed updating, now, with Adobe Reader 8, I can no longer print from the internet, only to file. Help please.

    When Mozilla Firefox last automatically updated, it suggested that Adobe Reader needed updating. After updating to Adobe Reader 8, I can no longer print from the internet, only to a file. I know the printer and its interface must be OK because Word prints normally.

    Problem solved, it was my oversight, I had not removed the check from the Print to File box in the print set up.

  • Blocking internet access in a virtual windows xp box

    Is there a way to block internet access when I have a virtual windows xp box within Windows 7?
    The reason is I just want to run one application and restrict internet access, as some users are restricted from the internet.
    Thanks
    John

    Hi, Juke.
    I'm afraid I'm a dummy, and don't know how to do this. I'm sure as April 8 approaches, a lot of people with important DOS or XP apps will be wanting to insulate their XP VM from potential hacking while still running programs locally.
      Thanks -- Dave K.
