A minimal access control role that meets these requirements is shown in Figure 7: A Minimal Access Control Role for External Captive Portal on page 26. The role’s default action (applied to all traffic not matching a policy rule) is to contain to VLAN 16 (External CP). The first policy rule allows access to port 80 on 18.104.22.168, which is the external captive portal server in this example and resides on VLAN 16’s subnet. If this were not the case, a rule allowing access to VLAN 16’s gateway would be required. The second and third rules allow DHCP and DNS traffic to and from the user.
The role does not contain an explicit rule for handling ARP messages. In this case, an ARP request or response for an address is filtered via the role exactly like an IPv4 message sent to or received from the

The last policy rule denies all traffic not matching a preceding rule. This will catch all HTTP traffic not sent to 22.214.171.124. When the role is applied to an unauthenticated user on a WLAN Service using captive portal authentication, the user’s HTTP traffic will trigger a redirection to the captive portal page.

This role is extremely restrictive. As already indicated, a rule allowing access to the gateway is required if the captive portal does not have an interface on the same subnet as the authenticating user. Additional resources can be made available to an unauthenticated user by adding rules that allow access to them (rules with an action of “Allow” or “Contain to VLAN”).
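The following is an added example, not part of the original document and not code from any controller vendor. It models the role just described as a first-match rule list with a default action, using the values the text gives (default action contain to VLAN 16; TCP port 80 to the captive portal server; DHCP; DNS; deny everything else), and checks what happens to an unauthenticated client’s traffic, including the gateway case. The captive portal, gateway and web server addresses are constructed placeholders, only client-originated traffic is modelled, and the way ARP frames are matched against rules is this model’s own assumption based on the text’s statement that an ARP request for an address is filtered like an IPv4 message to that address.

```python
"""First-match model of the minimal external captive portal role.

Added example, not taken from the document or from any controller software.
Constructed addresses use RFC 5737 documentation ranges.
"""
from dataclasses import dataclass
from typing import List, Optional

CP_SERVER = "192.0.2.10"    # constructed: external captive portal, on VLAN 16's subnet
GATEWAY = "192.0.2.1"       # constructed: VLAN 16 gateway (needed if the portal is off-subnet)
OTHER_WEB = "198.51.100.7"  # constructed: any other web server the client tries to reach


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow", "deny" or "contain:<vlan>"
    proto: Optional[str] = None  # "tcp" / "udp"; None = any protocol
    dst: Optional[str] = None    # destination address; None = any address
    port: Optional[int] = None   # destination port; None = any port


@dataclass(frozen=True)
class Packet:
    proto: str                   # "tcp", "udp" or "arp" (client-originated only)
    dst: str                     # destination address; for ARP, the target address
    port: Optional[int] = None


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """Return True if pkt is covered by rule.

    ARP convention (an assumption of this model): an ARP frame for address X
    matches a rule that names X as its address (protocol and port ignored), or
    a rule that names neither an address nor a protocol (the catch-all deny).
    Protocol-specific rules with no address, such as DHCP and DNS, do not
    cover ARP.
    """
    if pkt.proto == "arp":
        if rule.dst is not None:
            return rule.dst == pkt.dst
        return rule.proto is None
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    if rule.dst is not None and rule.dst != pkt.dst:
        return False
    if rule.port is not None and rule.port != pkt.port:
        return False
    return True


@dataclass
class Role:
    default_action: str
    rules: List[Rule]

    def evaluate(self, pkt: Packet) -> str:
        """First matching rule wins; the default action covers the rest."""
        for rule in self.rules:
            if rule_matches(rule, pkt):
                return rule.action
        return self.default_action


def minimal_role() -> Role:
    """The role as described: contain to VLAN 16 by default, then four rules."""
    return Role(
        default_action="contain:16",
        rules=[
            Rule("allow", proto="tcp", dst=CP_SERVER, port=80),  # portal login page
            Rule("allow", proto="udp", port=67),                 # DHCP to the server
            Rule("allow", proto="udp", port=53),                 # DNS
            Rule("deny"),                                        # everything else
        ],
    )


def role_with_gateway() -> Role:
    """Same role plus the gateway rule needed when the portal is off-subnet.
    The new rule must come before the final deny, or it never matches."""
    role = minimal_role()
    role.rules.insert(3, Rule("allow", dst=GATEWAY))
    return role


def triggers_redirect(role: Role, pkt: Packet) -> bool:
    """HTTP that the role denies is what the controller redirects to the portal."""
    return pkt.proto == "tcp" and pkt.port == 80 and role.evaluate(pkt) == "deny"


if __name__ == "__main__":
    role = minimal_role()
    for pkt in (Packet("tcp", CP_SERVER, 80), Packet("tcp", OTHER_WEB, 80),
                Packet("udp", "255.255.255.255", 67), Packet("udp", GATEWAY, 53),
                Packet("arp", CP_SERVER), Packet("arp", GATEWAY)):
        flag = " (redirected to portal)" if triggers_redirect(role, pkt) else ""
        print(pkt, "->", role.evaluate(pkt) + flag)
    print("ARP for gateway with gateway rule ->",
          role_with_gateway().evaluate(Packet("arp", GATEWAY)))
```

Running it shows the two properties the text relies on: HTTP to any address other than the portal hits the final deny and is what gets redirected, and, under this model’s ARP convention, the client can resolve the portal’s address but not the gateway’s until an explicit gateway rule is inserted ahead of the deny. Because the last rule is a catch-all deny, the default action (contain to VLAN 16) is never actually reached by any packet here; it only matters if that rule is removed.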