Yes, it is possible. You need to create a guest SSID in split-tunnel forwarding mode.
- The controller should be the default gateway for this guest network. The initial guest logon role, or pre-auth role for the captive portal, should allow DHCP and DNS and should include the predefined captive portal firewall policy. (If Amigopod or any other external captive portal is used, then this role should also allow HTTP and HTTPS to the external CP. The firewall policy that allows HTTP/HTTPS access to the external CP should be placed above the predefined captive portal policy that redirects a user to the captive portal.)
- The post-authentication role should be a role that will route src-nat all traffic to the WAN.
Sample guest-branch-logon role policies (if you are using the internal CP of the controller, you can remove the amigopod policy from the initial user role):
!
ip access-list session amigopod
user alias amigopod svc-http permit
user alias amigopod svc-https permit
!
- captiveportal (predefined policy)
- guest-branch-logon-access
!
ip access-list session guest-logon-access
user any udp 68 deny
any any svc-dhcp permit
user alias public-dns svc-dns permit
!
Sample guest logon role is (attach captive portal profile to initial role)
!
user-role guest-branch-logon
captive-portal "amigopod-cp"
access-list session amigopod
access-list session captiveportal
access-list session guest-logon-access
!
Sample auth-guest role policies:
- cplogout (predefined policy)
- guest-branch-logon-access
- block-internal-access
!
ip access-list session block-internal-access
user alias internal-Network any deny
!
- auth-guest-access (this role, which is applied to authenticated guests, will src-nat the traffic to the internet or to the local subnet at the remote site)
!
ip access-list session auth-guest-access
user any svc-http route src-nat
user any svc-https route src-nat
!
Sample authenticated guest role (this is the default role in the CP profile)
!
user-role auth-guest
access-list session cplogout
access-list session guest-logon-access
access-list session block-internal-access
access-list session auth-guest-access
!
Now create a VAP in split tunnel mode and make sure the controller is the default gateway for the guest subnet.
As long as a RAP is able to connect to a controller this should work.
Regards,
Sathya
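As an added example, not part of Sathya's reply and not Aruba's own tooling, here is a small Python script that parses user-role and session-ACL definitions in the form quoted above and checks the two ordering rules the reply describes: the external-CP allow policy (amigopod) must sit above the predefined captiveportal policy in the initial role, and block-internal-access must sit above the src-nat policy in the authenticated role. The sample configuration is constructed from the snippets in the post (using the ACL name guest-logon-access as defined there), the parser handles only this minimal syntax, and the helper names parse_config, check_roles and check_text are assumptions of this example.

```python
"""Check session-ACL ordering in ArubaOS user-roles (added example, minimal parser)."""
import re
from typing import Dict, List, Tuple

# Constructed sample, assembled from the role and ACL snippets in the post.
SAMPLE_CONFIG = """
ip access-list session amigopod
  user alias amigopod svc-http permit
  user alias amigopod svc-https permit
!
ip access-list session guest-logon-access
  user any udp 68 deny
  any any svc-dhcp permit
  user alias public-dns svc-dns permit
!
ip access-list session block-internal-access
  user alias internal-Network any deny
!
ip access-list session auth-guest-access
  user any svc-http route src-nat
  user any svc-https route src-nat
!
user-role guest-branch-logon
  captive-portal "amigopod-cp"
  access-list session amigopod
  access-list session captiveportal
  access-list session guest-logon-access
!
user-role auth-guest
  access-list session cplogout
  access-list session guest-logon-access
  access-list session block-internal-access
  access-list session auth-guest-access
!
"""

PREDEFINED = {"captiveportal", "cplogout"}  # policies the controller ships with


def parse_config(text: str) -> Tuple[Dict[str, List[str]], Dict[str, List[str]]]:
    """Return (acls, roles): ACL name -> rule lines, role name -> ordered ACL names."""
    acls: Dict[str, List[str]] = {}
    roles: Dict[str, List[str]] = {}
    current, kind = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":          # '!' closes the current block
            current = None
            continue
        m = re.match(r"ip access-list session (\S+)$", line)
        if m:
            current, kind = m.group(1), "acl"
            acls[current] = []
            continue
        m = re.match(r"user-role (\S+)$", line)
        if m:
            current, kind = m.group(1), "role"
            roles[current] = []
            continue
        if current is None:
            continue
        if kind == "acl":
            acls[current].append(line)
        elif kind == "role":
            m = re.match(r"access-list session (\S+)$", line)
            if m:
                roles[current].append(m.group(1))   # order of appearance matters
    return acls, roles


def check_roles(acls, roles, initial="guest-branch-logon", post_auth="auth-guest",
                external_cp_acl="amigopod") -> List[str]:
    """Return a list of problems; an empty list means the ordering matches the reply."""
    problems: List[str] = []
    for role, names in roles.items():
        for name in names:
            if name not in acls and name not in PREDEFINED:
                problems.append(f"{role}: references undefined ACL {name}")
    init = roles.get(initial, [])
    if "captiveportal" not in init:
        problems.append(f"{initial}: missing predefined captiveportal policy")
    elif external_cp_acl in init and init.index(external_cp_acl) > init.index("captiveportal"):
        problems.append(f"{initial}: {external_cp_acl} must precede captiveportal")
    post = roles.get(post_auth, [])
    if "block-internal-access" not in post or "auth-guest-access" not in post:
        problems.append(f"{post_auth}: needs both block-internal-access and auth-guest-access")
    elif post.index("block-internal-access") > post.index("auth-guest-access"):
        problems.append(f"{post_auth}: block-internal-access must precede auth-guest-access")
    for rule in acls.get("auth-guest-access", []):
        if "route src-nat" not in rule:
            problems.append(f"auth-guest-access: rule without route src-nat: {rule}")
    return problems


def check_text(text: str) -> List[str]:
    """Parse a config string and run the ordering checks on it."""
    acls, roles = parse_config(text)
    return check_roles(acls, roles)


if __name__ == "__main__":
    print(check_text(SAMPLE_CONFIG) or "ordering OK")
```

Run it against the show-running-config output of a controller (after trimming to the relevant roles and ACLs) to confirm that the deny to internal networks is evaluated before the src-nat route rule and that the external-CP allow policy is evaluated before the redirect.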