https://community.extremenetworks.com/t5/extremewireless-general/wired-guest-network/m-p/31339#M702 You can create a network resource that maybe all of your servers are on. 10.0.1.0/24<BR /> <BR /> You can then block all access to that network resource, but use IP socket destination to punch a hole through it, say you have 10.0.1.4 and it's a DNS server. You could create a rule to open up socket 53. Anyway, you will have to make it your own and these things very greatly! Fri, 07 Jul 2017 02:27:00 GMT Jeremy_Gibbs 2017-07-07T02:27:00Z https://community.extremenetworks.com/t5/extremewireless-general/wired-guest-network/m-p/31336#M699 How have you implemented guest access on your wired network? I currently have a fully segregated guest network on wireless, but nothing in place on wired. I would like to implement it on wired, but it needs to be able to switch to staff access based on domain credentials (derived from Windows if possible). <BR /> <BR /> So, ideally:<BR /> <UL> <LI>User plugs into network and doesn't have a domain account (or is in a non-staff OU) they get internet only access. </LI><LI>User plugs into network and has logged onto their laptop with domain accepted credentials they get staff access (internet and internal resources).</LI></UL> It may be better to key on machines that are on the domain first. So, if the user machine is on the domain, they will get staff access. In this case, I would like to keep the wireless authentication as is (since work supplied phones are not on the domain).<BR /> Thu, 06 Jul 2017 23:53:00 GMT https://community.extremenetworks.com/t5/extremewireless-general/wired-guest-network/m-p/31336#M699 Terren_Crider 2017-07-06T23:53:00Z https://community.extremenetworks.com/t5/extremewireless-general/wired-guest-network/m-p/31337#M700 We do this using Extreme Policy and NAC. If you are an unknown computer, not owned by the school and not in AD, you get redirected to a registration page. You will then get an internet only policy that restricts you to the internet. If you have a campus owned computer, you might be doing .1x or MAC AUTH based on groups, AD groups, end-system groups, location groups etc... The sky is the limit. Fri, 07 Jul 2017 02:27:00 GMT https://community.extremenetworks.com/t5/extremewireless-general/wired-guest-network/m-p/31337#M700 Jeremy_Gibbs 2017-07-07T02:27:00Z https://community.extremenetworks.com/t5/extremewireless-general/wired-guest-network/m-p/31338#M701 If possible, could you share your internet only policy? There's one that was pre-built in my Policy but it does not restrict web traffic to internal resources. Fri, 07 Jul 2017 02:27:00 GMT https://community.extremenetworks.com/t5/extremewireless-general/wired-guest-network/m-p/31338#M701 Terren_Crider 2017-07-07T02:27:00Z https://community.extremenetworks.com/t5/extremewireless-general/wired-guest-network/m-p/31339#M702 You can create a network resource that maybe all of your servers are on. 10.0.1.0/24<BR /> <BR /> You can then block all access to that network resource, but use IP socket destination to punch a hole through it, say you have 10.0.1.4 and it's a DNS server. You could create a rule to open up socket 53. Anyway, you will have to make it your own and these things very greatly! Fri, 07 Jul 2017 02:27:00 GMT https://community.extremenetworks.com/t5/extremewireless-general/wired-guest-network/m-p/31339#M702 Jeremy_Gibbs 2017-07-07T02:27:00Z https://community.extremenetworks.com/t5/extremewireless-general/wired-guest-network/m-p/31340#M703 Hello Terren,<BR /> <BR /> If you are using EXOS, you could try Netlogin feature.<BR /> <BR /> <UL> <LI>For guest user: you could use Web-based authentication and associate one vlan for guest user only. </LI><LI>For staff user: you could use 802.1X authentication.</LI></UL> Network Login Overview<BR /> <A href="http://documentation.extremenetworks.com/exos/EXOS_21_1/Netlogin/c_overview.shtml" target="_blank" rel="nofollow noreferrer noopener">http://documentation.extremenetworks.com/exos/EXOS_21_1/Netlogin/c_overview.shtml</A><BR /> <BR /> Best regards,<BR /> Fri, 07 Jul 2017 04:54:00 GMT https://community.extremenetworks.com/t5/extremewireless-general/wired-guest-network/m-p/31340#M703 Bin 2017-07-07T04:54:00Z