
Time of Day Access for Guest SSID on a Cisco WLC

February 24, 2016 | September 11th, 2020 | Blog

I have been trying to solve a problem for a customer who wants their guest WiFi SSID to block traffic based on the time of day. Typically the easiest way to do this is to set up a time-of-day schedule and attach it to the access control list on the VLAN attached to the SSID. The issue was that the network equipment attached to the WLC was an old Cisco 4500 that did not support time-of-day.

To set up time-of-day access on the WLC itself, first ensure the WLC is running 7.6 or later.

  • Create an Access Control List (ACL): Go to Security > Access Control Lists > Access Control Lists.  Create an Allow ACL and a Deny ACL:


  • Create a Local Policy: Security > Local Policies:

Create an allow policy and attach it to the Allow ACL created above. On the Allow policy, add the Active hours needed for the time of day.


  • Create another policy for the Deny ACL and times.
  • The last step is attaching the policies in the proper order to the SSID you want to block. This is done on the WLAN tab. Pick the WLAN that you want to modify and go to the Policy-Mapping tab. Add the policies you created in order: the allow policy should be the priority 1 policy and the deny policy should be the priority 2 policy.
  • Test and validate that access is both allowed and blocked as needed.
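
An added example, not part of the original post and not Cisco tooling: before entering the active hours for the allow and deny policies, this Python check expands both schedules into minutes of the week and reports any time covered by neither policy or by both. The window tuple format and the sample schedules are constructed for illustration and are not WLC syntax.

```python
from datetime import datetime

DAYS = ["mon", "tue", "wed", "thu", "fri", "sat", "sun"]
DAY, WEEK = 24 * 60, 7 * 24 * 60  # minutes per day / per week

def minutes(window):
    """Expand (day, 'HH:MM', 'HH:MM') into a set of minute-of-week indexes.
    An end at or before the start wraps past midnight into the next day."""
    day, start, end = window
    s = int(start[:2]) * 60 + int(start[3:])
    e = int(end[:2]) * 60 + int(end[3:])
    if e <= s:
        e += DAY
    base = DAYS.index(day) * DAY
    return {(base + m) % WEEK for m in range(s, e)}

def coverage(windows):
    """Union of all minutes covered by a list of windows."""
    return set().union(*(minutes(w) for w in windows))

def audit(allow, deny):
    """Return (gap, overlap): minutes in neither schedule / in both."""
    a, d = coverage(allow), coverage(deny)
    return sorted(set(range(WEEK)) - a - d), sorted(a & d)

def expected_state(when, allow):
    """State a test client should see at datetime `when`."""
    m = when.weekday() * DAY + when.hour * 60 + when.minute
    return "allow" if m in coverage(allow) else "deny"

def label(m):
    """Render a minute-of-week index as 'day HH:MM'."""
    return f"{DAYS[m // DAY]} {m % DAY // 60:02d}:{m % 60:02d}"

# Constructed sample (not WLC syntax): guest access 08:00-18:00 on weekdays.
ALLOW = [(d, "08:00", "18:00") for d in DAYS[:5]]
# Constructed deny schedule with a deliberate slip: Friday starts at 19:00.
DENY = ([(d, "18:00", "08:00") for d in DAYS[:4]]
        + [("fri", "19:00", "08:00"), ("sat", "08:00", "08:00"),
           ("sun", "08:00", "08:00")])

if __name__ == "__main__":
    gap, overlap = audit(ALLOW, DENY)
    if gap:
        print(f"uncovered: {len(gap)} min, {label(gap[0])} to {label(gap[-1])}")
    if overlap:
        print(f"both match: {len(overlap)} min from {label(overlap[0])}")
    print(expected_state(datetime(2016, 2, 24, 9, 0), ALLOW))
```

The `expected_state` helper gives the result a test client should observe at a given time, which can be compared against what the client actually sees during the validation step.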

Jason Howe, PEI

7 Comments

  • rigor says:

    That doesn’t work for me. I have followed this and applied it to the WLAN (in policy mapping) I want and I can still access it. My ACL is deny all inbound/outbound.

  • Emad Rashied says:

    Hi,

    Is there a way to do that using Cisco PI?

    • Stephanie Hamrick says:

      Hi Emad,

      Here’s a reply from the article’s author:

      At this time I do not see a way to do it in Cisco Prime Infrastructure. If you are going for a cloud based wireless controller, the Meraki wireless do appear to have time-based access.

      Thanks for reading!

    • Stephanie Hamrick says:

      Hi Emad,

      Here’s a response from the post’s author:
      At this time I do not see a way to do it in Cisco Prime Infrastructure. If you are going for a cloud based wireless controller, the Meraki wireless do appear to have time based access.

      Thanks for Reading!

  • Troy Chisholm says:

    Quick question for you. I followed the above myself, and when I create the allow and deny, and go to local policies and create time of day entries for allow, and time of day deny in test – when my test WLAN/SSID I apply this to has the allow and deny in policy mapping, all is fine with the allow with “1”. As soon as I apply the “deny” in policy mapping with “2” and the “time of day” still has not arrived yet, the active test SSID is removed from my test wifi connected phone, I can view it, but cannot connect to it (will not take password, etc) until I remove the deny. Even though the time of day has not arrived yet. Even if I make it hours away, as soon as deny is applied the test wifi network is hosed (even though it’s still in an allow state).
    Any ideas? Had you experienced this?
    Thanks.

  • Krittin says:

    Hi,
    I’ve tried. When I apply permit policy (priority 1) to SSID, my device can be connected to SSID as normally, but when I applied the deny policy (priority 2) to the same SSID, my device can’t connect to this SSID.

  • James says:

    This solution didn’t work for me. Here’s how I got it to work.

    Create the Any Any ACL Rule. Create the “Allow” local policy and name it whatever you like. In your new Local Policy, in the “Action” area drop the menu down on the “IPv4 ACL” and select your newly created ACL. Again in the “Action” area change the “Session Timeout” values to something like 30 secs. In the “Action Hours” fill in your desired days and time frames.

    Apply the local policy to the WLAN and test.

    I did not need to apply another “Deny” Local policy to the WLAN.

    For me this setup will allow clients to connect to the WLAN during the Day and Time frames you created. Clients will be disconnected (cannot re-auth) from the WLAN 30sec after the “End Time”. This was on a 5520 w/8.5.151.0 code.
