WLC web authentication ACL to allow internet surfing only

Hi forumers'
I would like to restrict web authentication user to access to my other network devices. web authentication user only cna goto internet, that's all.
according to my attachment, am i writing the right ACL syntax and apply this at the web authentication interface?
i also try on this ACL at my core switch but seem not success.
ip access-list extended ACL-VLAN-20
permit tcp 172.16.20.0 0.0.0.255 host 1.1.1.1
permit tcp 172.16.20.0 0.0.0.255 host 2.1.1.1
permit tcp 172.16.20.0 0.0.0.255 any eq 80
permit tcp 172.16.20.0 0.0.0.255 any eq 443
deny tcp 172.16.20.0 0.0.0.255 172.16.1.0 0.0.0.31
deny tcp 172.16.20.0 0.0.0.255 host 172.16.1.100
int vlan 20
ip access-group ACL-VLAN-20 in
any problem with it?
well, as long as can block web authenticaiton user only goto internet then serve my purpose
thanks
Noel

This should work
deny ip 172.16.20.0 0.0.0.255 172.16.1.0 0.0.0.31    (deny all IP traffic from guest to internal)
permit udp 172.16.20.0 0.0.0.255 any eq 53              (or list the specific servers you want them to use)
permit tcp 172.16.20.0 0.0.0.255 any eq 80               (allows HTTP but only outside as the deny stops internal)
permit tcp 172.16.20.0 0.0.0.255 any eq 443             (allows HTTPS but only outside as the deny stops internal)
but you need to add a permit for UDP 53, so that the client can talk to DNS as well, as added above.  I also put the deny the access to the internal resources higher in the list, otherwise they are allowed to access your internal HTTP/HTTPS servers.  If you want to allow that, it's better to permit the explicit servers
You don't necessarily need to allow the 1.1.1.1 and 2.1.1.1 assuming one these are your virtual interface address
When you do the ACL on the WLC, you need to do the inverse ACL as well.  So you need to allow teh 172.16.20.0 and the any to 172.16.20.0
But I'd recommend that you put the ACL on the L3, that way it's easily visible to all the network engineers incase there are issues.
HTH,
Steve

Similar Messages

  • Ciosco WLC Web Authentication with Internet Explorer 10

    Hi my name is Ivan
    I have a question:
    Cisco WLC Web Authentication woks fine with Internet Explorer 10. I have worked with Chrome, Mozilla, IE 7 and I don't have any trouble.
    When i put the ip address https://1.1.1.1/login, the web page show me.
    Thanks for your answers
    Regards

    HUmm Im a mac guy hard for me to test. I also did a search and dont see anything about bugs. Did you make any chnages to IE10 settings ? Is proxy enabled ?
    "Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
    ‎"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."

  • Tablets and Cisco WLC Web Authentication

    Hi my name is Ivan
    I have a question:
    I would like to know which are the tablets that support Web Authentication in Cisco WLC?.
    Android, Samsung, others?
    And wich are the requeriments of the tablet to use this way to authentication?
    Regards
    Ivan

    Any device that has a browser which can generate HTTP(s) traffic utilizing a browser can use WLC Web Auth.  If you're question is regarding being presented "automatically" with the captive portal I have seen this can be dependent on OS.  From my reading about Droids (not hands on experience) the Android devices don't provide a captive portal query that would "automatically" bring up the WebAuth page when connected to an open network using L3 WebAuth security, but you then open your browser and try to hit any web page and you're fine.  Apple IOS can handle this automatically (in most cases)
    As long as the device can connect to the WLAN in question, open a browser, then try to navigate to some URL, it should work fine.

  • Certificate for WLC web auth - HELP

    Hi all
    I need to buy a cert for my WLC web authentication
    I have read the document below
    http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a0080a77592.shtml              
    However, I want to fill in the details and generate the CSR via the provider im buying the cert from, thawte
    Am I ok doing all this via the provider, or do I need to use open SSL to generate the CSR?    
    Can anyone post the steps in here I need to take when purchasing and installing a chained certificate on my WLC.
    The WLC has the latest version of code.
    cheers
    Carl

    Here are the instructions for a chained certificate.
    http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a0080a77592.shtml
    It's simple enough, copy and paste the chanin below the certificate when you generate the final.pem.
    Main thing to remember when compiling the final.pem use a version of OpenSSL < 1.0 as it won't install.
    If your provider will generate the CSR for you it should be fine, but you will need the private key to recompile the certificate.
    As you'll be using OpenSSL to recompile the certificate you may as well use it to generate the CSR, there's not much to it.
    Thanks
    Chris

  • Web Authentication on HTTP Instead of HTTPS in WLC 5700 and WS-C3650-48PD (IOS XE)

    Hello,
    I have configured a Guest SSID with web authentication (captive portal).
    wlan XXXXXXX 2 Guest
     aaa-override
     client vlan YYYYYYYYY
     no exclusionlist
     ip access-group ACL-Usuarios-WIFI
     ip flow monitor wireless-avc-basic input
     ip flow monitor wireless-avc-basic output
     mobility anchor 10.181.8.219
     no security wpa
     no security wpa akm dot1x
     no security wpa wpa2
     no security wpa wpa2 ciphers aes
     security web-auth
     security web-auth parameter-map global
     session-timeout 65535
     no shutdown
    The configuration of webauth parameter map  is :
    service-template webauth-global-inactive
     inactivity-timer 3600 
    service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
     voice vlan
    parameter-map type webauth global
     type webauth
     virtual-ip ipv4 1.1.1.1
     redirect on-success http://www.google.es
    I need to  login on web authentication on HTTP instead of HTTPS.
    If I  login on HTTP, I will not receive certificate alerts that prevent the users connections.
    I saw how to configure it with 7.x relesae but I have IOS XE Version 03.03.05SE and I don´t know how to configure it.
    Web Authentication on HTTP Instead of HTTPS
    You can login on web authentication on HTTP instead of HTTPS. If you login on HTTP, you do not receive certificate alerts.
    For earlier than WLC Release 7.2 code, you must disable HTTPS management of the WLC and leave HTTP management. However, this only allows the web management of the WLC over HTTP.
    For WLC Release 7.2 code, use the config network web-auth secureweb disable command to disable. This only disables HTTPS for the web authentication and not the management. Note that this requires a reboot of the controller !
    On WLC Release 7.3 and later code, you can enable/disable HTTPS for WebAuth only via GUI and CLI.
    Can anyone tell me how to configure web authentication on HTTP instead of HTTPS with IOS XE?
    Thanks in advance.
    Regards.

    The documentation doesn't provide very clear direction, does it?
    To download the WLC's default webauth page, browse to the controller's Security > Web Login Page. Make sure the web authentication type is Internal (Default). Hit the Preview button. Then use your browser's File > Save As... menu item to save the HTML into a file. Edit this to your liking and bundle it and any graphics images up into a TAR archive, then upload via the controller's COMMAND page.

  • WLC 4400/Web Authentication and proxy autodiscovery

    We have a guest-SSID where people authenticate via the build in web authentication and RADIUS.
    We use proxy autodiscovery (WPAD, DHCP option 252) in our network and this works on the guest-SSID, but only after the authenticated user closes and opens Internet Explorer. It seems that restarting Internet Explorer triggers the WPAD discovery process.
    My question is if there is a smarter way to push proxy settings to guest users without user invention? How did you solve this?
    Regards,
    Rutger

    The reason you need to restart IE is because the WLC will be blocking the initial discovery messages from IE to Proxy because the user won't have authenticated yet. When the user authenticates, closing / opening IE triggers the discovery messages thruogh, which are now allowed to pass to the proxy.
    The most fool-proof way I've come across is to use Transparent URL Redicection. This is something you can setup on a PIX / ASA, but requires a compatible WebProxy / WebFilter - I've used WebSense, but I believe other products should work too.
    Lots of documentation about how to achieve this via CCO.
    Regards,
    Richard

  • Repeated wlc 5508 client web authentication

    I'm trying to troubleshoot a situation where many of our guest wireless users are repeatedly being prompted to reauthenticate via the web interface.  the session timeout is set to 4 hours, however, many times a client is presented with a web authentication screen right in the middle of browsing at random times.
    I do have several system log entries, but cannot find the specific entries in the Error code reference for the WLC.  For example, I don't find anything on %AAA-3-VALIDATE_GUEST_SESSION_FAILED: file_db.c:4022 Guest user session validation failed for guest1. Index provided is out of range..
    I'm running a WLC 5508 with 7.0.98.0 and have read through all of the release notes, error code references, etc., and don't see anything regarding this issue.
    The WCS screenshot shows a good example of how often this occurs!  Is the client actually re-associating with the AP (which in turn would require a web reauth)?  Not sure if I'm barking up the wrong tree - focusing on web auth when I may actually need to be focusing on AP association...
    I do have a TAC case opened up, but was wondering if anyone has experienced this before?
    Sorry for the rambling...

    Rene,
    I did several things and at least one of them seemed to resolve the issue:
    These notes are directly from my TAC case and I will try to provide a little more information [in brackets].
    1.       Upgrade WLC to 7.0.98.218 [self explanatory]
    2.       Upgrade WCS to 7.0.172.0 [current version, as of this note]
    3.       Increase DHCP scope time on ASA from default (30 minutes) to 4
    days [DHCP running external from the WLC]
    4.       Remove TKIP from the WLAN - only allow AES [had both configured but tech advised to only use AES]
    5.       Increased session timeout from 14400 seconds to 64800 seconds
    (4 hours to 18 hours) [don't think this helped resolve the issue, but it certainly was more convenient for our longer-term guests]
    I think that the TKIP and/or DHCP setting was integral as part of the resolution.  I upgraded the WLC because the version that I was running didn't have the web-auth debug option, so I'm not sure that that actually contributed to the resolution.
    Good Luck,
    Rob.

  • Wlc flexconnect wlan local authentication and central web authentication maximum rtt

    Hi
    From the below link below it mentioned that "Round-trip latency must not exceed 300 milliseconds (ms) between the AP and the controller. If the 300 milliseconds round-trip latency cannot be achieved, configure the AP to perform local authentication."
    http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Mobility/emob73dg/emob73/ch7_HREA.html#wp1094148.
    Is this limitation refer to web authentication also?
    Thanks
    Anyone???

    Central Web Auth (CWA) works different on controllers/APs running in FlexConnect mode. Please check this guide and confirm that you have similar setup. 
    http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/116087-configure-cwa-wlc-ise-00.html
    If so, please post screen shots with your configs (Redirect ACLs, policies in ISE and the WLC SSD settings). 
    Also, the version of code that you are running in ISE and your controller. 
    Thank you for rating helpful posts!

  • WLC MOBILITY GROUP SINGLE WEB AUTHENTICATION

    Hi.
    I have installed two AIR-WLC2112 with mobility group configured and authentication web.
    I want to know if you can create user / password web authentication only in one  WLC.
    Now, when I create a new user / password , I have to create in two WLC.
    Thanks

    Inorder to validate a site issuing a certificate , client should be loaded with a certificate from same Certificate Authority. Else ignore the warning and continue to the site. If you want to know if the site is valid , click on View certificate on the warning page and see if it belongs to the website.

  • SNMP web authenticated users wlc 5508

    Hello everyone,
    I am using web authentication with my Wlc 5508 and I would like to check all users currently connected (ip, login used, MAC address, ...) with SNMP.
    I am using an external web server and my client are authenticated with ldap.
    I know I can receive these information with traps, but I would like to create a short program which will check all users when I click on a button.
    Can anyone help me ?
    Thanks a lot for your answers.

    Hello Julien,
    Thank you for the info. +5 for solving your own problem.
    Regards,
    Amjad
    Rating useful replies is more useful than saying "Thank you"

  • WLC 4402 Web Authentication, Mac Filtering and Layer 2 Seciruty

    Hi All,
    I have configured web authentication and Mac filtering on WLC 4402 for my wireless network and its working fine. I wants to configure layer 2 security for the same Wireless network without pre shared key. Could you please advice how to configure layer 2 security with web authentication withour preshare key.
    Is there any security issue with web authentication and Mac FIltering only? My concern in my wireless network shows open.
    Thanks,
    Kashif

    Hi,
    if you have a ACS, then you can do Web auth Splash page!!! Please refer to the below doc!!
    http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a0080956185.shtml
    Lemme know if this answered ur question!!
    Regards
    Surendra

  • Delayed Web Authentication on 5500 WLC

    Hi
    I have setup a Guest WLAN on 5508 WLC with web authentication, I noticed during tests that it takes about 2 to 3 minutes to complete authentication process and providing access to the client machine. My WLC is running version 7.3.101.0.
    Has anyone came across similar situation or can suggest a solution to this issue?
    Feel free to ask if you need more details.
    Thanks
    Sunil

    Well what I would do for testing is the following:
    Remove WebAuth to see if there is an issue with connectivity on that subnet
    Map the Guest WLAN to a working subnet or create a new SSID and map that to a known working subnet
    If your using a custom WebAuth, try using the default internal WebAuth page to see if there is any difference
    If your authenticating Guest using radius, check the radius logs for errors
    Is it all devices or is it an issue with few or a certain model
    Thanks,
    Scott
    Help out other by using the rating system and marking answered questions as "Answered"

  • WLC Client excluded - web authentication failed 3 times

    Is there any more I can do with the following? The customer only has 4400 controllers and WCS' both on the highest firmware currently available...
    An example of the alert generated in the event of an excessive authentication failure is as follows:
    Client '08:60:6e:35:7c:29 (172.16.235.133)' which was associated with interface '802.11b/g/n' of AP '25CS-AP21-24SE' is excluded. The reason code is '5(Web Authentication failed 3 times.)'.
    E-mail will be suppressed up to 30 minutes for these alarms.
    I need clarification of the following so that a process can be put in place to show if it is possible to deal with potential threats/attempts to hack into the network as the customers security are not accepting notification only. Therefore please advise:
    - What does ‘excluded’ mean in this scenario? Is the client permanently excluded or only temporarily?
    - If the client is not permanently excluded - if there are multiple occurrences of this alert for the same client can the client be disabled via the WCS console?
    - If necessary could e-mail suppression be turned off - for this alert only?
    Hope you can help but I think they need Prime and ISE to satisfy their security concerns myself!
    BR
    Rockford

    There is a command line syntax which will also allow you to export and import an IAS config to other IAS servers. Then you will be sure they are identical...
    http://support.microsoft.com/kb/883619

  • Problems with re authentications in a wireless with WLC working with web authentication and a radius server

    Hi everyone, im having problems in a wireless network, the SSID has security layer 2 WPA, layer 3 web authentication (internal default page), and external RADIUS.
    When a client makes a roaming from one AP to another one or when he has a idle time, he needs to re authenticate in the web login page. Somebody knows a solution to avoid this behavior?. Or somebody has a troubleshooting way to determine why the clients have this problems??

    A few things I can share that might help .. Your actually feet on the ground will be importnat to see this issue for yourself.
    I know when a client or if the AP sends a DEAUTH frame the client will need to reestablish its connection and it will 100% of the time require a new web auth. If a client loses connection while roaming and a DEAUTH is sent on either side you will get the page. If youre client isnt romaing cleanly this can be a problem.
    Another problem is your using EAP. Are you using CCK or a device that supports OKC. What does your radius server say when a client roams ?
    You could also simply your config and then reapply your security and see where it breaks. By this I mean. For testing, create a SSID turn off security and leave layer 3 web auth on. Roam and see what happens. If it works, then start to apply the security and see where it breaks.
    "Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
    ‎"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."

  • Wlc 5500 authentication timeout

    I have a WLC 5500 controller. I have two WLANS (OBSD-Internal and OBSD-BYOD). I have authentication setup to the WLC for the BYOD WLAN using LDAP (users connect with an AD user account). They are required to re authenticate every few minutes. This only happens on the BYOD WLAN (not Internal)                  

    Scott-
    Here are the results of the sho WLAN cmd:
    (Cisco Controller) >show wlan 3
    WLAN Identifier.................................. 3
    Profile Name..................................... OBSD BYOD
    Network Name (SSID).............................. OBSD-BYOD
    Status........................................... Enabled
    MAC Filtering.................................... Disabled
    Broadcast SSID................................... Enabled
    AAA Policy Override.............................. Disabled
    Network Admission Control
      Radius-NAC State............................... Disabled
      SNMP-NAC State................................. Disabled
      Quarantine VLAN................................ 0
    Maximum number of Associated Clients............. 0
    Number of Active Clients......................... 25
    Exclusionlist Timeout............................ 60 seconds
    Session Timeout.................................. Infinity
    CHD per WLAN..................................... Enabled
    Webauth DHCP exclusion........................... Disabled
    Interface........................................ g9c-guest
    Multicast Interface.............................. Not Configured
    --More-- or (q)uit
    WLAN ACL......................................... Guest WiFi Internet Only
    DHCP Server...................................... Default
    DHCP Address Assignment Required................. Disabled
    Static IP client tunneling....................... Disabled
    Quality of Service............................... Silver (best effort)
    Scan Defer Priority.............................. 4,5,6
    Scan Defer Time.................................. 100 milliseconds
    WMM.............................................. Allowed
    WMM UAPSD Compliant Client Support............... Disabled
    Media Stream Multicast-direct.................... Disabled
    CCX - AironetIe Support.......................... Enabled
    CCX - Gratuitous ProbeResponse (GPR)............. Disabled
    CCX - Diagnostics Channel Capability............. Disabled
    Dot11-Phone Mode (7920).......................... Disabled
    Wired Protocol................................... None
    IPv6 Support..................................... Disabled
    Passive Client Feature........................... Disabled
    Peer-to-Peer Blocking Action..................... Disabled
    Radio Policy..................................... All
    DTIM period for 802.11a radio.................... 1
    DTIM period for 802.11b radio.................... 1
    Radius Servers
       Authentication................................ Global Servers
    --More-- or (q)uit
       Accounting.................................... Global Servers
       Dynamic Interface............................. Disabled
    Local EAP Authentication......................... Disabled
    Security
       802.11 Authentication:........................ Open System
       Static WEP Keys............................... Disabled
       802.1X........................................ Disabled
       Wi-Fi Protected Access (WPA/WPA2)............. Disabled
       CKIP ......................................... Disabled
       Web Based Authentication...................... Enabled
    ACL............................................. Web Auth
    Web Authentication server precedence:
    1............................................... local
    2............................................... radius
    3............................................... ldap
       Web-Passthrough............................... Disabled
       Conditional Web Redirect...................... Disabled
       Splash-Page Web Redirect...................... Disabled
       Auto Anchor................................... Disabled
       H-REAP Local Switching........................ Disabled
       H-REAP Local Authentication................... Disabled
       H-REAP Learn IP Address....................... Enabled
    --More-- or (q)uit
       Client MFP.................................... Optional but inactive (WPA2 not configured)
       Tkip MIC Countermeasure Hold-down Timer....... 60
    Call Snooping.................................... Disabled
    Roamed Call Re-Anchor Policy..................... Disabled
    SIP CAC Fail Send-486-Busy Policy................ Enabled
    SIP CAC Fail Send Dis-Association Policy......... Disabled
    Band Select...................................... Disabled
    Load Balancing................................... Disabled
    Mobility Anchor List
    WLAN ID     IP Address            Status

Maybe you are looking for

  • Get URL from embedded Flash AS3 movie

    I have a thumbnail scroller app built with AS3 on my website homepage. I have the class files but would like to know of any quick workaround to make the embedded Flash movie clickable without reworking the AS3 files. What I would like to do is if you

  • Pages sorts merged documents by FIRST name?

    I drop a bunch of names & addresses from Address Book onto a Pages merge document. The address data is sorted by last name. Pages creates a new merge document, but now everything is sorted by FIRST name. Kinda makes mailouts a bit a of pain when othe

  • Link into Web Console to a Specific Workstation

    At our customer, we are running ZAM 7.5. Ist there any way, to link into the Web Console from outside, to a specific workstation? e.g. http://myserver:port/rtrlet/rtr?wksname=MyAssetTag The service desk is working with another tool, to deal with user

  • Problem of update rows in data object

    Hi everybody, I got the error message. Cannot update rows in data object /Samples/Monitor Express/BI_default_Project1_Process1.java.lang.IndexOutOfBoundsException: Index: 0, Size: 0 Please advise!!!!

  • Production order -plan cost

    Dear all MY scanerio is MTO . A is a header material and B is a component .both material is having individual indicator 1 in material master. sale order----mrp run ---plan order generated. when i have converted  plan order to production order ,bom ha