Hi all,
So I'm in the process of setting up an IAP WiFi network to deal with corporate WiFi access on SSID1 and guest WiFi on SSID2. I've had no end of issues getting the guest WiFi side of this working, and I've tried virtually every solution I can find with no luck.
The issue: Guest WiFi connects fine but after a few seconds I get "No Internet Connection", seemingly because of a DNS probe fail.
After playing around and not being able to find out where everything's going wrong, I've gone with the following solution:
Local L2 DHCP Scope on the IAP linked to the guest SSID (VCM)
Network based access rules to ALLOW DHCP, DNS, HTTP/S, SMTP to all destinations
No deny rules
This seems to give me exactly what I want. I have a guest WiFi that gives me internet and email access, but doesn't let me ping or RDP to any network devices, no access to network shares etc. But my question is, am I actually getting what I'm seeing? Is there a way someone can still access the corporate network from the guest WiFi that I'm not aware of? Is there any reason for me to explicitly deny access to corporate network subnets if I only have allow specified for certain services?
So far, every time I've tried to include deny rules something breaks the guest WiFi along the way and I just can't find it, so if this setup is secure then I'm not too fussed about tearing the rest of my hair out.
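
The rule set described in the post can be checked offline against sample flows. The sketch below is an added example, not part of the original post and not Aruba configuration: it models the allow-only rules and compares them with one possible ordering that puts a corporate deny ahead of them. Assumptions: first-match evaluation with an implicit final deny (consistent with ping and RDP being blocked in the post), standard port numbers, and a constructed corporate subnet, internal resolver and flow list.

```python
import ipaddress

ANY = "0.0.0.0/0"
# Guest rules as listed in the post (standard ports assumed): allow only, no deny.
POSTED_RULES = [
    ("allow", "udp", 67, ANY),   # DHCP
    ("allow", "udp", 53, ANY),   # DNS
    ("allow", "tcp", 80, ANY),   # HTTP
    ("allow", "tcp", 443, ANY),  # HTTPS
    ("allow", "tcp", 25, ANY),   # SMTP
]
# Constructed values: a corporate subnet and an internal resolver handed to guests.
CORP_NET = "10.10.0.0/16"
RESOLVER = "10.10.0.53/32"
# One possible ordering: exception first, then deny corporate, then the posted allows.
SCOPED_RULES = [
    ("allow", "udp", 53, RESOLVER),
    ("deny", "any", None, CORP_NET),
] + POSTED_RULES

def evaluate(rules, proto, port, dst):
    """First matching rule wins; no match means deny (assumed implicit deny)."""
    addr = ipaddress.ip_address(dst)
    for action, r_proto, r_port, r_net in rules:
        if r_proto not in ("any", proto):
            continue
        if r_port is not None and r_port != port:
            continue
        if addr in ipaddress.ip_network(r_net):
            return action
    return "deny"

# Constructed sample flows from a guest client.
FLOWS = [
    ("icmp", None, "10.10.1.20"),  # ping a corporate host
    ("tcp", 3389, "10.10.1.20"),   # RDP
    ("tcp", 445, "10.10.1.20"),    # SMB file share
    ("tcp", 443, "10.10.1.30"),    # internal HTTPS service
    ("tcp", 25, "10.10.1.40"),     # internal mail relay
    ("udp", 53, "10.10.0.53"),     # internal resolver
    ("tcp", 443, "203.0.113.10"),  # internet site (documentation range)
]

def corporate_reach(rules):
    """Return the sample flows to CORP_NET that the rule set lets through."""
    net = ipaddress.ip_network(CORP_NET)
    return [f for f in FLOWS
            if ipaddress.ip_address(f[2]) in net and evaluate(rules, *f) == "allow"]

if __name__ == "__main__":
    for name, rules in (("posted", POSTED_RULES), ("scoped", SCOPED_RULES)):
        print(name, corporate_reach(rules))
```

In this model the posted rules block ping, RDP and SMB but still pass HTTPS, SMTP and DNS to corporate addresses; in the scoped ordering, the deny would also cut off DNS to the internal resolver if the exception above it were missing.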