What is the rule precedence for a Wireless Controller role?

Question
What is the rule precedence for a Wireless Controller role?
Environment
Identify Wireless Controller
Version 9.21.x
Version 10.01.x
Version 10.31.x
Version 10.41.x
Answer
A minimal access control role that meets these requirements is shown in Figure 7: A Minimal Access Control Role for External Captive Portal on page 26. The role’s default action (applied to all traffic not matching a policy rule) is to contain to VLAN 16 (External CP). The first policy rule allows access to port 80 on 11.11.11.254, which is the external captive portal server in this example and resides on VLAN 16’s subnet. If this were not the case, a rule allowing access to VLAN 16’s gateway server might be required. The second and third rules allow DHCP and DNS traffic to and from the user.

The role does not contain an explicit rule for handling ARP messages. In this case, an ARP request or response for an address is filtered via the role exactly like an IPv4 message sent to or received from the address.

The last policy rule denies all traffic not matching a preceding rule. This will catch all HTTP traffic not sent to 11.11.11.254. When the role is applied to an unauthenticated user on a WLAN Service using captive portal authentication, the user’s HTTP traffic will trigger a redirection to the captive portal page.

This role is extremely restrictive. As already indicated, a rule allowing access to the gateway is required if the captive portal does not have an interface on the same subnet as the authenticating user. Additional resources can be made available to an unauthenticated user by adding rules that allow access to them (rules with an action of “Allow” or “Contain to VLAN”).
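The precedence described above can be modelled as a top-down, first-match walk over the rule list, with the default action applied only when no rule matches. The following sketch is an added example, not the controller's code or configuration syntax; the rule tuple format, the function names, the DNS server 11.11.11.1, the outside host 203.0.113.7 and the extra 11.11.11.10:443 resource are constructed for illustration, and ARP handling is not modelled.

```python
from ipaddress import ip_address, ip_network

# Each rule: (name, protocol, remote network, remote port, action).
# None is a wildcard. Address and port describe the non-user end of the flow.
# Assumption: rules are evaluated top down and the first match wins.
ROLE_RULES = [
    ("portal-http", "tcp", "11.11.11.254/32", 80, "allow"),
    ("dhcp",        "udp", None,              67, "allow"),
    ("dns",         "udp", None,              53, "allow"),
    ("deny-all",    None,  None,              None, "deny"),
]
DEFAULT_ACTION = "contain to VLAN 16"


def evaluate(rules, packet, default=DEFAULT_ACTION):
    """Return (action, rule name) for the first rule that matches packet."""
    proto, remote_ip, remote_port = packet
    for name, r_proto, r_net, r_port, action in rules:
        if r_proto is not None and r_proto != proto:
            continue
        if r_net is not None and ip_address(remote_ip) not in ip_network(r_net):
            continue
        if r_port is not None and r_port != remote_port:
            continue
        return action, name
    return default, "default action"


def unreachable_rules(rules):
    """Names of rules placed after a full-wildcard rule; they can never match."""
    for i, (_, proto, net, port, _) in enumerate(rules):
        if proto is None and net is None and port is None:
            return [r[0] for r in rules[i + 1:]]
    return []


# Constructed extra resource (not from the article): HTTPS on 11.11.11.10.
extra = ("help-site", "tcp", "11.11.11.10/32", 443, "allow")
appended = ROLE_RULES + [extra]                       # after deny-all: shadowed
inserted = ROLE_RULES[:-1] + [extra, ROLE_RULES[-1]]  # before deny-all: effective

if __name__ == "__main__":
    for pkt in [("tcp", "11.11.11.254", 80), ("tcp", "203.0.113.7", 80),
                ("udp", "11.11.11.1", 53), ("tcp", "11.11.11.10", 443)]:
        print(pkt, evaluate(ROLE_RULES, pkt), evaluate(appended, pkt),
              evaluate(inserted, pkt))
    print("shadowed in appended:", unreachable_rules(appended))
```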