Wireless Access

hi am trying to block 7010 WLC admin portal access (port: 4343) from Guest network but its not happening.

we created a policy (block-internal-access) (source: user, Destination: controller IP, Service: tcp 4343, action: deny) and added to Post Logon Role (Auth-Guest Role) and mapped Auth-Guest Role to Captive Portal. 

captive portla add on initial Role (Guest-Logon), Guest-Logon role add on AAA (dot1x-PSK) and finally mapped to Virtual AP.

but guest users still able to access WLC admin portal login page.

Ref attachement.

1. Block-Internal-Access

2. Auth-Guest Role

Are you sure that is the role that your users are in?

yes, it could be.

we have created a local user (as a guest) and role is assigned to Guest SSID. how can we confirm this.

also could you please help me to clarify on thing Firewall /Auth-Guest Role is assigned to Guest SSID(ex: AWNICA-GUEST), so once we assign any firewall /access-list to this SSID /AAA policy all connected user (user who is connected to this SSID) have the configured restriction, am i correct.

You have to type "show user" on the commandline or look at the user table on the monitoring page to find out what the current role of the user is.