How to create a Guest network on EWC C5210, and only allow guests to get on internet, not the internal network, with login required.

  • Question
  • Updated 2 years ago
  • Answered

Laura


Posted 3 years ago


Jason, Employee

Hi Laura, 

The easiest way to do that is using the VNS wizard by selecting "New..." in the Controller VNS menu. Select "Start VNS Wizard", create a Captive Portal topology, and in the next screen choose GuestPortal from the Authentication Mode drop-down. Continue through the wizard, which will step you through setting up the Topology and subnet that guest users will be on, and add in what APs you want to broadcast the SSID.

After saving, this will set up a default non-authenticated and authenticated Role for the guest network.  To restrict users to the internet only, you can go to the Role > Authenticated Policy > Filters and add a Deny statement at the bottom, and then add in Allow rules for DHCP, DNS, HTTP, HTTPS above that.  

If you would like to use an existing Topology for guest users, but still restrict them to the internet only, you can change the Contain to VLAN to be any L3 topology that is configured.

To configure guest user login access, go to WLAN Services, select your guest WLAN. Then select the Auth & Acct tab and Configure to add user names and passwords, time of day restrictions, etc.

Hope that helps.

Regards, 
Jason
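
Added example (not from the thread or from the vendor's documentation): a small model of the Authenticated-role filter list described in the post above, showing why the Deny belongs at the bottom and what the four Allow rules still let through. Top-down first-match evaluation, the port numbers, the sample addresses and the extra internal-subnet deny are assumptions made for illustration.

```python
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")

# Rule = (action, protocol or None for any, destination network, port or None).
# Constructed rule set modelled on the post: four Allow rules, Deny last.
GUEST_RULES = [
    ("allow", "udp", ANY, 67),    # DHCP
    ("allow", "udp", ANY, 53),    # DNS
    ("allow", "tcp", ANY, 80),    # HTTP
    ("allow", "tcp", ANY, 443),   # HTTPS
    ("deny",  None,  ANY, None),  # catch-all Deny at the bottom
]

def evaluate(rules, proto, dst_ip, dst_port):
    """Return the action of the first matching rule (assumed first-match order)."""
    dst = ipaddress.ip_address(dst_ip)
    for action, r_proto, r_net, r_port in rules:
        if r_proto not in (None, proto):
            continue
        if dst not in r_net:
            continue
        if r_port not in (None, dst_port):
            continue
        return action
    return "deny"  # nothing matched: fail closed

def harden(rules, internal_cidrs, exceptions=()):
    """Put denies for internal subnets above the Allow rules.

    `exceptions` are Allow rules that must stay reachable inside those
    subnets, for example the DNS server handed out to guests.
    """
    denies = [("deny", None, ipaddress.ip_network(c), None) for c in internal_cidrs]
    return list(exceptions) + denies + list(rules)

# Constructed addresses: 10.0.0.0/8 stands in for the internal network,
# 10.0.0.53 for an internal resolver, 203.0.113.10 for an internet host.
RESOLVER = ("allow", "udp", ipaddress.ip_network("10.0.0.53/32"), 53)
HARDENED = harden(GUEST_RULES, ["10.0.0.0/8"], [RESOLVER])
DENY_FIRST = [GUEST_RULES[-1]] + GUEST_RULES[:-1]  # Deny wrongly placed on top

if __name__ == "__main__":
    for name, rules in (("post", GUEST_RULES), ("hardened", HARDENED)):
        for flow in (("tcp", "203.0.113.10", 443), ("tcp", "10.0.0.5", 22),
                     ("tcp", "10.0.0.5", 443), ("udp", "10.0.0.53", 53)):
            print(name, flow, evaluate(rules, *flow))
```

With only the four Allow rules and the final Deny, an internal web server on port 443 is still reachable from the guest role; the internal-subnet deny, or the dedicated VLAN suggested later in the thread, closes that path.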

Andre K.

A topology tells your APs how to handle the wireless client's traffic. There are two kinds of topologies.
1. Bridged at AP: the client's traffic is bridged directly to the switchport that your AP is connected to. You can either bridge it untagged or tagged there.
2. Bridged at HWC/EWC: The client's traffic gets sent to the controller first and is egressed through one of the controller's physical LAN-Ports. Again you can choose to egress it either tagged or untagged.
Regardless of what configuration you choose, you have to make sure that the corresponding switchports where either your APs or your EWC are connected are configured accordingly.

Sooo. Let's say you want to put all your guests in VLAN 555 and egress their traffic through EWC's esa0 port. To achieve this, you create a new topology of the type "Bridged at EWC". Choose "tagged", VLAN ID 555 and port "esa0". Make sure your switchport egresses VLAN 555 tagged to the EWC's esa0 port though! When configuring the VNS for your guests, you configure it to use this newly created topology.

Hope this helps.

Laura

Going through the VNS wizard... is there a way to apply the guest SSID to specific APs, to test it out, or do I have to apply to everyone?

Laura

For the VLAN ID: do I just make one up?
The Interface IP: is the IP of the controller, correct?

Jason, Employee

Laura, 

You can use a bogus IP address in the wizard and then map it to a valid Topology with an IP address. There must be an L3 address available in order to direct users to the portal page for authentication.

Thanks, 
Jason

Jason, Employee

Also - you can enable/disable individual APs to the portal SSID in the WLAN Services screen.

Ronald Dvorak, Embassador

Hi Laura,

To separate it from the internal network, use a bridge@EWC topology and tag it into a dedicated VLAN with only your firewall/internet access.
Or if you've a port unused on the controller you'd directly connect the controller to the ISP modem.

I've written a short document about guest portal configuration, hope that helps....

https://app.box.com/s/p8q9shj6h8po3sc7bxalgm1xuktpsm70

Laura

Do you have an example for EWC 5210?

Ronald Dvorak, Embassador

It's the same for all models - the only difference is that some have more physical interfaces and could support more APs.

SILAMBARASAN SELVAM

Hi, I have only a local physical connection in my network, 192.168.1.0/24. I have to create guest portal access for that; is that possible? Because it is a physical interface, I am not able to create it through the V2110. Can you please help me with this?

Local n/w: 192.168.1.0/24 - physical topology-->esa0
DHCP---> from the router
I have to enable guest portal access. This is V2110 VM based. 

I don't have esa1 connectivity because it is a VM. I don't have any VLAN in my network. Kindly help me on this.

Regards,
SIMBHU