Protecting Open Guest Wireless – How to Secure

Tags: http-proxy, wlc

We have a Cisco WLC and we want an open SSID for guests. We have a sign-in form so they see our terms, but this isn't a real liability protection. How can we block illegal activities on the open wireless connection via WLC or other technologies?

I was thinking Squid + WCCP on our ASA, but I'm not sure this is the best method for liability protection of the company. Are there other options that would supersede this? If this is the best option, is there a best practice? Do companies normally rotate a guest account instead with 802.1x?

We have Cisco firewalls, switches and wireless infrastructure.

EDIT: specifically, we would like to block torrents, site categories (guns, gambling, terrorism, etc.) and VPN/proxies which would circumvent our limits.

Best Answer

From a security perspective I've found the WLCs pretty bare on their own. You can do basic ACLs but not much more. I don't think you're going to find an answer on those alone.

You can use an external web filter in association with the ASA - http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/97277-pix-asa-url-filtering.html

It requires either Websense or N2H2 (now McAfee SmartFilter, I guess?), but if you happen to already have either of those products it makes doing category blocking really simple.

Home brewing a solution based on Squid or some other caching/protection software could work, but if you're talking about legal liability you've got to be awfully certain of that solution's capabilities for Legal to sign off on it.

Outside of these options you could look at something like a Palo Alto firewall that will wrap your application and URL blocking into a single package that you can just put between the wireless clients and the internet.
