12-11-2012 03:34 AM
Hi, I have 4x IAP105 access points. I enabled guest access with a separate SSID and role-based policies. Here are the details:
Primary usage: Guest
Vlan: VC assigned
Splashpage : Internal authenticated
Auth Server: Internal Server
Re Auth Interval : 30 minutes
Internal server: 2 users
Http-Access to all dest.
Https-Access to all dest.
DNS-access to all dest.
any-deny-to all dest.
So, to my question now. My goal is to prevent guests from looking at my internal network. They are only required to browse the internet. They should not ping, telnet, search servers, etc. And they should receive an authentication screen before browsing starts.
But now, with the above configuration, they are able to use Outlook, and they can browse the internet without authentication! But they cannot ping the servers, that's good. I am surprised that the authentication screen isn't displayed to them.
Please let me know what the best practice is for the guest network, what access policies should be defined, and what the order of policy placement is.
Thanks for your support.
12-11-2012 05:40 AM
You are doing the policy incorrectly.
With your policy you are allowing http access to all the internal servers,
dns access to all internal servers and also https access to all internal servers.
The rule should be like this
Let's say your internal networks are
all access deny to 192.168.1.0/24
all access deny to 192.168.2.0/24
all access deny to 192.168.3.0/24
all access allow dns to all destination
all access allow http to all destination
all access allow https to all destination
That is if you just want to allow access to http, https and dns to the internet.
Now remember that if you've got a web filter and the IP address of the AP is the one that you need to use.... I don't know if you understand this part?
You need to use the IP addresses of the APs to use the webfilter correctly.
Product Manager - Aruba Networks
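The rule-ordering point in the reply above, as an added example that is not part of the original thread and is not Aruba configuration syntax: a small first-match evaluator run over both rule lists. First-match evaluation, the default deny for unmatched traffic, and the constructed test address 203.0.113.10 are assumptions of this sketch.

```python
import ipaddress

# Rule = (action, service, destination network); "any" matches every service.
# Constructed model of the two rule lists in the thread.
SERVICES = {"http": ("tcp", 80), "https": ("tcp", 443), "dns": ("udp", 53)}
ANY = "0.0.0.0/0"
INTERNAL = ["192.168.1.0/24", "192.168.2.0/24", "192.168.3.0/24"]

ORIGINAL = [  # the asker's list: allows come first, deny is last
    ("allow", "http", ANY),
    ("allow", "https", ANY),
    ("allow", "dns", ANY),
    ("deny", "any", ANY),
]

CORRECTED = [  # the reply's list: internal subnets denied before any allow
    ("deny", "any", "192.168.1.0/24"),
    ("deny", "any", "192.168.2.0/24"),
    ("deny", "any", "192.168.3.0/24"),
    ("allow", "dns", ANY),
    ("allow", "http", ANY),
    ("allow", "https", ANY),
]

def evaluate(rules, proto, port, dst_ip):
    """Return the action of the first matching rule (assumed first-match order)."""
    dst = ipaddress.ip_address(dst_ip)
    for action, service, network in rules:
        if dst not in ipaddress.ip_network(network):
            continue
        if service == "any" or SERVICES[service] == (proto, port):
            return action
    return "deny"  # assumption: traffic matching no rule is dropped

def internal_exposure(rules, internal_nets):
    """List (service, subnet) pairs a guest can still reach on internal subnets."""
    exposed = []
    for net in internal_nets:
        host = str(next(ipaddress.ip_network(net).hosts()))  # one sample host per subnet
        for name, (proto, port) in SERVICES.items():
            if evaluate(rules, proto, port, host) == "allow":
                exposed.append((name, net))
    return exposed

if __name__ == "__main__":
    for label, rules in (("original", ORIGINAL), ("corrected", CORRECTED)):
        print(label, "internal exposure:", internal_exposure(rules, INTERNAL))
        print(label, "internet https:", evaluate(rules, "tcp", 443, "203.0.113.10"))
```

With the corrected order, DNS to the internal subnets is denied as well, so guest clients need a resolver outside those ranges.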