Hi Cjoshep,
firewall policy allow all to it run well for "employee" ssid.
I must config aaa profile "employee-aaa" as beloww then it run
(PCST) #show aaa profile employee-aaa
AAA Profile "employee-aaa"
--------------------------
Parameter Value
--------- -----
Initial role employee
MAC Authentication Profile N/A
MAC Authentication Default Role guest
MAC Authentication Server Group N/A
802.1X Authentication Profile dot1x-employee
802.1X Authentication Default Role employee
802.1X Authentication Server Group N/A
L2 Authentication Fail Through Disabled
RADIUS Accounting Server Group N/A
RADIUS Interim Accounting Disabled
XML API server N/A
RFC 3576 server N/A
User derivation rules N/A
Wired to Wireless Roaming Enabled
SIP authentication role N/A
Device Type Classification Enabled
Enforce DHCP Disabled
(PCST) #
If i change Initial role from "employee" to "logon" then client only ping to ip address, cannot open browser.
(PCST) #show user
Users
-----
IP MAC Name Role Age(d:h:m) Auth VPN link AP name Roaming Essid/Bssid/Phy Profile Forward mode Type
---------- ------------ ------ ---- ---------- ---- -------- ------- ------- --------------- ------- ------------ ----
192.168.1.41 b4:b6:76:1a:78:4f employee 00:00:03 00:1a:1e:c7:d1:96 Wireless PCST_Employee/00:1a:1e:fd:19:68/a employee-aaa tunnel Windows
192.168.1.31 00:16:ea:5e:1c:90 employee 00:00:09 00:1a:1e:c7:ce:34 Wireless PCST_Employee/00:1a:1e:fc:e3:48/a employee-aaa tunnel Windows
User Entries: 2/2
(PCST) #show rights employee
Derived Role = 'employee'
Up BW:No Limit Down BW:No Limit
L2TP Pool = default-l2tp-pool
PPTP Pool = default-pptp-pool
Periodic reauthentication: Disabled
ACL Number = 46/0
Max Sessions = 65535
access-list List
----------------
Position Name Location
-------- ---- --------
1 allowall
2 v6-allowall
allowall
--------
Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6
-------- ------ ----------- ------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------
1 any any any permit Low 4
v6-allowall
-----------
Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6
-------- ------ ----------- ------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------
1 any any any permit Low 6
Expired Policies (due to time constraints) = 0
(PCST) # show rights logon
Derived Role = 'logon'
Up BW:No Limit Down BW:No Limit
L2TP Pool = default-l2tp-pool
PPTP Pool = default-pptp-pool
Periodic reauthentication: Disabled
ACL Number = 1/0
Max Sessions = 65535
access-list List
----------------
Position Name Location
-------- ---- --------
1 logon-control
2 vpnlogon
3 v6-logon-control
4 captiveportal6
logon-control
-------------
Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6
-------- ------ ----------- ------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------
1 user any udp 68 deny Low 4
2 any any svc-icmp permit Low 4
3 any any svc-dns permit Low 4
4 any any svc-dhcp permit Low 4
5 any any svc-natt permit Low 4
vpnlogon
--------
Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6
-------- ------ ----------- ------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------
1 user any svc-ike permit Low 4
2 user any svc-esp permit Low 4
3 any any svc-l2tp permit Low 4
4 any any svc-pptp permit Low 4
5 any any svc-gre permit Low 4
v6-logon-control
----------------
Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6
-------- ------ ----------- ------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------
1 user any udp 68 deny Low 6
2 any any svc-v6-icmp permit Low 6
3 any any svc-v6-dhcp permit Low 6
4 any any svc-dns permit Low 6
captiveportal6
--------------
Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6
-------- ------ ----------- ------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------
1 user controller6 svc-https captive Low 6
2 user any svc-http captive Low 6
3 user any svc-https captive Low 6
4 user any svc-http-proxy1 captive Low 6
5 user any svc-http-proxy2 captive Low 6
6 user any svc-http-proxy3 captive Low 6
Expired Policies (due to time constraints) = 0
(PCST) #
Thanks very much