Controllerless Networks

Instant Mode - the controllerless Wi-Fi solution that's easy to set up, is loaded with security and smarts, and won't break your budget
How to NAT multiple SSIDs to different IP addresses

  • 1.  How to NAT multiple SSIDs to different IP addresses

    Posted Feb 24, 2015 12:16 AM

    Setup:

    One SSID for employees, the other for guests.

    Default VLAN 1 is my management VLAN, in which the controller is assigned a static IP address.

    Employee SSID – bound to VLAN 10, 172.16.10.0/24. DHCP pool created in the WLC to provide IP addresses for users in the employee SSID. Works fine. Users get an IP address in VLAN 10 and connect to the internet. Source NAT is enabled, inter-VLAN routing enabled.

    Guest SSID – bound to VLAN 50, 192.168.50.0/24. DHCP pool created in the WLC to provide IP addresses for users in the guest SSID; captive portal is enabled and I am using the internal DB for authentication. Works fine. Users get an IP address in VLAN 50 and can connect. When one tries to browse the internet they get redirected to the captive portal, authentication happens with internal DB user accounts, and they can connect to the internet. Source NAT is enabled, inter-VLAN routing disabled.

    Issue: I am able to PING my internal network from the guest VLAN. My requirement is that guest users should not be able to access any internal resources. How is the NAT happening in my case? Are users of both VLANs getting NATed to the controller IP address? Can I NAT guest users to a different IP address and apply some policy in the FW to allow only http and https traffic for the guest SSID/VLAN? Can I do it in the WLC? How can my agenda be achieved?




  • 2.  RE: How to NAT multiple SSIDs to different IP addresses

    Posted Feb 24, 2015 05:06 AM

    Hi,

    You can achieve this through the user role (post-auth role). Create a policy which will not allow guests to access the internal network.

    Create a role with the following policy.

    Step 1: create an alias for your internal network,

    Ex:

    (config) #netdestination internal_NW
    (config-dest) #network 20.1.1.0 255.255.255.0


    Step 2: create the policy as follows

    [Screenshot CP1.JPG: policy configuration]

    Step 3: map this policy to the role which is the authenticated role for all CP-authenticated users

    [Screenshot CP2.JPG: role configuration]


    Hope you got some idea now.

    Please feel free to ask for any further help on this.
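    The three steps above written out as one ArubaOS controller CLI configuration, an added example rather than the reply's own config or the poster's setup: the Step 1 alias, a session ACL that denies the internal network and then permits only what a captive-portal guest needs (the original question asked for http/https only), and the post-auth role that carries it. The names guest-deny-internal, guest-auth and guest-cp are assumed, 20.1.1.0/24 is the reply's placeholder for the internal network, and the syntax is the ArubaOS controller syntax the reply's prompts show.

```text
! Step 1: alias for the internal network (20.1.1.0/24 is the reply's placeholder;
! list every internal subnet here, e.g. the employee and management VLANs)
netdestination internal_NW
  network 20.1.1.0 255.255.255.0
!
! Step 2: session ACL, evaluated top down, so the deny comes first.
! Rule syntax: <source> <destination> <service> <action>
ip access-list session guest-deny-internal
  ! block everything addressed to the internal alias, ICMP included
  user alias internal_NW any deny
  ! guests still need an address and name resolution for the portal redirect
  user any svc-dhcp permit
  user any svc-dns permit
  ! web only, as the question asked
  user any svc-http permit
  user any svc-https permit
  ! drop anything else (this is also the implicit default at the end of a role)
  user any any deny
!
! Step 3: post-authentication role for captive-portal users
user-role guest-auth
  access-list session guest-deny-internal
!
! make authenticated guests land in that role instead of the default role
aaa authentication captive-portal guest-cp
  default-role guest-auth
```

    The filter lives on the role, not on NAT: source NAT alone never stops guest traffic from reaching internal subnets, which is why the ping from VLAN 50 succeeded. A quick check after applying it is to ping an internal host from a guest client and confirm the deny counter on guest-deny-internal increments.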