Guest network not working as expected

  • 1.  Guest network not working as expected

    Posted Dec 11, 2012 06:35 AM

    Hi, I have 4x IAP105 access points. I enabled the guest access with a separate SSID and role-based policies. Here are the details:

    Primary usage: Guest

    Vlan: VC assigned

    Security:

      Splashpage : Internal authenticated

      Auth Server: Internal Server

      Re Auth Interval : 30 Mnts

      Internal server: 2 users

    Access:

      Http-Access to all dest.

      Https-Access to all dest.

      DNS-access to all dest.

      any-deny-to all dest.

     

    So, to my question now. My goal is to protect against guests looking at my internal network. They are only required to browse the internet. They should not ping, telnet, search servers, etc. And they should receive an authentication screen before browsing starts.

     

    But now, with the above configuration, they are able to use Outlook, and they can browse the internet without authentication! But they cannot ping the servers, that's good. I am surprised that the authentication screen doesn't display to them.

     

    Please let me know what the best practice is for the guest network, what access policies I should define, and what the order of the policy placement is.

     

    Thanks for your support.

     



  • 2.  RE: Guest network not working as expected

    Posted Dec 11, 2012 08:41 AM

    You are doing the policy incorrectly

     

    Look

    With your policy you are allowing http access to all the internal servers,

    dns access to all internal servers and also https access to all internal servers

     

    The rule should be like this

     

    Let's say your internal networks are

    192.168.1.0/24

    192.168.2.0/24

    192.168.3.0/24

     

    all access deny  to 192.168.1.0/24

    all access deny  to 192.168.2.0/24

    all access deny  to 192.168.3.0/24

    all access allow dns to all destination

    all access allow http to all destination

    all access allow https to all destination

     

    That is if you just want to allow access to http, https and dns to the internet

     

    Now remember that if you have a webfilter, the IP address of the AP is the one that you need to use.... I don't know if you understand this part?

    You need to use the IP addresses of the APs to use the webfilter correctly.
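
The rule ordering discussed in this thread, as an added example that is not part of either post: a small Python first-match evaluator, assuming rules are checked top-down and the first matching rule decides. The sample destination addresses, the final deny in the corrected list and the function names are constructed for illustration.

```python
import ipaddress

# Service name -> (protocol, port); "any" matches every protocol and port.
SERVICES = {"http": ("tcp", 80), "https": ("tcp", 443), "dns": ("udp", 53)}

def rule(service, action, dest="0.0.0.0/0"):
    return (service, action, ipaddress.ip_network(dest))

# Policy from the first post: allow rules to all destinations, then deny.
ORIGINAL = [
    rule("http", "allow"), rule("https", "allow"), rule("dns", "allow"),
    rule("any", "deny"),
]

# Policy from the reply: deny the internal ranges first, then allow.
INTERNAL = ["192.168.1.0/24", "192.168.2.0/24", "192.168.3.0/24"]
CORRECTED = [rule("any", "deny", net) for net in INTERNAL] + [
    rule("dns", "allow"), rule("http", "allow"), rule("https", "allow"),
    rule("any", "deny"),  # assumed final deny, carried over from the first post
]

def evaluate(policy, dst_ip, proto, port=None):
    """Return the action of the first rule matching the flow (default deny)."""
    dst = ipaddress.ip_address(dst_ip)
    for service, action, dest in policy:
        if dst not in dest:
            continue
        if service == "any" or SERVICES[service] == (proto, port):
            return action
    return "deny"

# Constructed sample flows from a guest client.
FLOWS = [
    ("192.168.1.10", "tcp", 443),   # internal web server
    ("192.168.2.25", "tcp", 80),    # internal web server
    ("192.168.1.53", "udp", 53),    # DNS server inside an internal range
    ("192.168.3.5", "icmp", None),  # ping to an internal host
    ("203.0.113.80", "tcp", 443),   # internet site (documentation range)
    ("198.51.100.53", "udp", 53),   # internet DNS resolver
]

if __name__ == "__main__":
    for dst, proto, port in FLOWS:
        print(f"{dst:15} {proto:4} {port!s:5}"
              f" original={evaluate(ORIGINAL, dst, proto, port):5}"
              f" corrected={evaluate(CORRECTED, dst, proto, port)}")
```

The third flow shows a side effect of the deny-first ordering: a DNS server that sits inside one of the denied ranges is blocked too, so guests need either an external resolver or a specific DNS allow for that server placed above the deny rules.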