How to create a Guest network on EWC C5210, and only allow guests to get on internet, not the internal network, with login required.

Laura4
New Contributor II
How to create a Guest network on EWC C5210, and only allow guests to get on internet, not the internal network, with login required.

11 REPLIES

Jason1
Extreme Employee
Hi Laura,

The easiest way to do that is using the VNS wizard by selecting "New..." in the Controller VNS menu. Select "Start VNS Wizard", create a Captive Portal topology, and in the next screen choose GuestPortal from the Authentication Mode drop-down. Continue through the wizard, which will step you through setting up the Topology and subnet that guest users will be on, and add in what APs you want to broadcast the SSID.

After saving, this will set up a default non-authenticated and authenticated Role for the guest network. To restrict users to the internet only, you can go to the Role > Authenticated Policy > Filters and add a Deny statement at the bottom, and then add in Allow rules for DHCP, DNS, HTTP, HTTPS above that.

If you would like to use an existing Topology for guest users, but still restrict them to the internet only, you can change the Contain to VLAN to be any L3 topology that is configured.

To configure guest user login access, go to WLAN Services, select your guest WLAN. Then select the Auth & Acct tab and Configure to add user names and passwords, time of day restrictions, etc.

Hope that helps.

Regards,
Jason
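
An added example, not part of the thread and not Extreme's code: a small first-match model of the filter list described above, used to check which test flows a rule set permits, including whether web traffic to private address ranges reaches the bottom Deny. The rule format, first-match evaluation, all addresses and the tightened variant are assumptions made for illustration.

```python
import ipaddress

# Constructed model of an ordered, first-match filter list (an assumption,
# not the controller's rule format). Rule: (action, proto, port, destination).
ANY = ipaddress.ip_network("0.0.0.0/0")
INTERNAL = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
DENY_ALL = ("deny", "any", None, ANY)

# Rules as described in the post: DHCP, DNS, HTTP, HTTPS allows, Deny last.
AS_POSTED = [("allow", "udp", 67, ANY), ("allow", "udp", 53, ANY),
             ("allow", "tcp", 53, ANY), ("allow", "tcp", 80, ANY),
             ("allow", "tcp", 443, ANY), DENY_ALL]

def tightened(guest_dns="10.55.5.1"):
    """Hypothetical variant: deny private ranges before the web allows,
    keeping DHCP and one DNS server (constructed address) reachable."""
    dns = ipaddress.ip_network(guest_dns + "/32")
    rules = [("allow", "udp", 67, ANY),
             ("allow", "udp", 53, dns), ("allow", "tcp", 53, dns)]
    rules += [("deny", "any", None, net) for net in INTERNAL]
    rules += [("allow", "tcp", 80, ANY), ("allow", "tcp", 443, ANY), DENY_ALL]
    return rules

def evaluate(rules, proto, port, dst):
    """Return the action of the first matching rule; default is deny."""
    addr = ipaddress.ip_address(dst)
    for action, r_proto, r_port, r_dest in rules:
        if r_proto in ("any", proto) and r_port in (None, port) and addr in r_dest:
            return action
    return "deny"

# Constructed test flows: (label, proto, port, destination).
FLOWS = [("internet https", "tcp", 443, "203.0.113.10"),
         ("internal web app", "tcp", 443, "10.1.2.3"),
         ("internal ssh", "tcp", 22, "10.1.2.3"),
         ("guest dns", "udp", 53, "10.55.5.1")]

def audit(rules):
    """Map each test flow label to the action the rule list gives it."""
    return {label: evaluate(rules, p, port, dst) for label, p, port, dst in FLOWS}

if __name__ == "__main__":
    for name, rules in (("as posted", AS_POSTED), ("tightened", tightened())):
        print(name, audit(rules))
```

Running the same flows through the role's real filter list after each change is a quick way to confirm that guests reach the internet and nothing on internal subnets.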

Jason1
Extreme Employee
Also - you can enable/disable individual APs to the portal SSID in the WLAN Services screen.

Jason1
Extreme Employee
Laura,

You can use a bogus IP address in the wizard and then map it to a valid Topology with an IP address. There must be an L3 address available in order to direct users to the portal page for authentication.

Thanks,
Jason

Laura4
New Contributor II
Going through the VNS wizard... is there a way to apply the guest SSID to specific APs, to test it out, or do I have to apply to everyone?

A topology tells your APs how to handle the wireless client's traffic. There are two kinds of topologies.
1. Bridged at AP: the client's traffic is bridged directly to the switchport that your AP is connected to. You can either bridge it untagged or tagged there.
2. Bridged at HWC/EWC: The client's traffic gets sent to the controller first and is egressed through one of the controller's physical LAN-Ports. Again you can choose to egress it either tagged or untagged.
Regardless of what configuration you choose, you have to make sure that the corresponding switchports where either your APs or your EWC are connected are configured accordingly.

Sooo. Let's say you want to put all your guests in VLAN 555 and egress their traffic through the EWC's esa0 port. To achieve this, you create a new topology of the type "Bridged at EWC". Choose "tagged", VLAN ID 555 and port "esa0". Make sure your switchport egresses VLAN 555 tagged to the EWC's esa0 port though! When configuring the VNS for your guests, you configure it to use this newly created topology.

Hope this helps.