Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

MSM guest network

  • 1.  MSM guest network

    EMPLOYEE
    Posted Oct 22, 2013 11:58 AM

    Hi,

    I am facing an issue in one POC.

    Customer Network

    Controller ACCESS port - VLAN 10

    Controller Internet port - VLAN 20

    Firewall LAN port - VLAN 10

    Guest users - VLAN 20

    Requirement: Guest SSID

    Customer requires that the controller and WAPs be in VLAN 10 (Management VLAN).

    The Internet port is connected to the firewall port through a layer 3 switch.

    Here guest users (access controlled) are able to reach every other VLAN connected to the layer 3 switch except VLAN 10.

    So they are not able to get internet.

    Is this the right behaviour?

    My explanation: when access-controlled packets destined to VLAN 10 reach the controller, it will look in the routing table and find a connected route on the access port. Since it's a tunneled user, the packet will be dropped (the stateful firewall will not allow a tunneled user to go to the access port network).

    Is this the right explanation?



  • 2.  RE: MSM guest network

    Posted Nov 04, 2013 08:07 PM

    What are your settings regarding "Ingress and Egress" on the Guest SSID? Do you have the right VLANs assigned, etc.?

    Are you using HTML Based Authentication or WEP/WPA/RADIUS?

    Any IP Routes and Gateways configured?

    Our Scenario:

    Earlier in the year we struggled with connecting clients to the Internet through an Access Controlled SSID with HTML Authentication. We overcame this by configuring a Guest-SSID that egressed into the Guest VLAN (access control was not configured). Clients would connect using an 8-character WPA key, changed every now and then as required.

    Our firewall had an interface dedicated to Guest Traffic (IP: 172.16.91.253/24). Clients would receive an IP address from our internal DHCP server (e.g. 172.16.91.1/24); this was possible with the use of DHCP IP helpers on the Guest VLAN. Clients then had the ability to connect to the Internet on a filtered set of rules by the firewall.

    Hope this gives you an idea of another possible solution for Guest Access.


    #GuestAccess
    #MSM765zl