Assumptions:
- You have PEFNG licenses
- IPs for VLAN 55 are provided on your LAN
- Controller has an IP on VLAN 55 (needed for Captive Portal redirects)
- Physical port configurations are set up to support VLAN 50 and VLAN 55
- If these are not in place, let us know.

netdestination rfc-1918-nets - (I usually use this alias for all RFC 1918 address spaces, but you can create your own with only your networks if you choose)
  network 10.0.0.0 255.0.0.0
  network 192.168.0.0 255.255.0.0
  network 172.16.0.0 255.240.0.0

ip access-list session guest-post-acl
  user any udp 68 deny
  any any svc-dhcp permit
  user alias "rfc-1918-nets" any deny - (blocks access to nets in this netdestination above; could be just your internal networks)
  user any svc-dns permit
  user any svc-http permit
  user any svc-https permit
  <allow other services you want here>

user-role guest-initial-role
  captive-portal "your-captiveportal-profile" - (your specific profile; settings not included here)
  access-list logon-control - (default acl or edited)
  access-list captiveportal - (default acl or edited if you need to allow http/https to your captive portal server)

user-role guest-post-logon
  access-list guest-post-acl

wlan ssid-profile open-net-ssid
  essid "open-net-name"

aaa profile "open-net-aaa"
  initial-role "guest-initial-role"

wlan virtual-ap "open-net-vap"
  aaa-profile "open-net-aaa"
  ssid-profile "open-net-ssid"
  vlan 55
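
The rule order in guest-post-acl decides what a guest can reach, so here is an added example (not part of the original post, and not Aruba code) that walks the ACL for a few guest flows. It assumes top-down, first-match evaluation with an implicit deny at the end, and assumes the usual port definitions for the svc-* names; all sample addresses are constructed.

```python
import ipaddress

# Networks from the post's "rfc-1918-nets" netdestination
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "192.168.0.0/16", "172.16.0.0/12")]

# Assumed definitions for the service names used in the ACL
SERVICES = {
    "udp 68": ("udp", range(68, 69)),
    "svc-dhcp": ("udp", range(67, 69)),
    "svc-dns": ("udp", range(53, 54)),
    "svc-http": ("tcp", range(80, 81)),
    "svc-https": ("tcp", range(443, 444)),
    "any": (None, None),
}

# guest-post-acl in the posted order: (destination, service, action).
# Every flow tested here originates from the guest, so source always matches.
GUEST_POST_ACL = [
    ("any", "udp 68", "deny"),
    ("any", "svc-dhcp", "permit"),
    ("rfc1918", "any", "deny"),
    ("any", "svc-dns", "permit"),
    ("any", "svc-http", "permit"),
    ("any", "svc-https", "permit"),
]

def evaluate(acl, dst_ip, proto, dport):
    """Return (action, rule_number) of the first match; (deny, None) if none."""
    dst = ipaddress.ip_address(dst_ip)
    for num, (dest, svc, action) in enumerate(acl, 1):
        if dest == "rfc1918" and not any(dst in net for net in RFC1918):
            continue
        svc_proto, ports = SERVICES[svc]
        if svc_proto is not None and (proto != svc_proto or dport not in ports):
            continue
        return action, num
    return "deny", None  # implicit deny at the end of the role's ACLs

# Constructed guest flows: (description, destination, protocol, dest port)
FLOWS = [
    ("DHCP request to internal server", "10.1.1.2", "udp", 67),
    ("guest answering as DHCP server", "10.55.0.20", "udp", 68),
    ("DNS to public resolver", "203.0.113.10", "udp", 53),
    ("DNS to internal resolver", "10.1.1.53", "udp", 53),
    ("HTTPS to internal host", "192.168.10.5", "tcp", 443),
    ("SSH to internet host", "203.0.113.10", "tcp", 22),
]

if __name__ == "__main__":
    for desc, dst, proto, port in FLOWS:
        print(f"{desc:34} -> {evaluate(GUEST_POST_ACL, dst, proto, port)}")
```

With this ordering DHCP still works because its permit sits above the RFC 1918 deny, while DNS to a resolver on an internal address hits that deny first. If guests are handed an internal DNS server, a permit for that server has to go above the deny.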