I know this is an old post, but maybe it will help someone.   We have 4 SSIDs, one private, 3 for different types of guests.  One of these guest SSIDs was allowing the client to traverse into the network.  It was not able to do name lookup, but it could ping, and attach to other services.     In the Access Control section\Captive Portal Strength:  we had ours set to "Allow Non-HTTP Traffic prior to sign-on." We also run a Splash Page on this SSID, and we have our Firewall rule set to Deny LAN traffic.   What we discovered is that the Firewall rule does not kick in until the Splash Page is acknowledged.  If the client never opens their browser to Ack the splash page, they are unrestricted. If you set your Captive Portal Strength to: "Block..." everything works as you would expect, and the client is prevented from LAN access.   Here's a link describing exactly what's happening: Troubleshooting Users' Network Access with Splash Page Enabled   Personally, I don't believe that this is intuitive, and is not addressed well (at all?) in the Dashboard, and the results of this misconfiguration could be really bad.  This is a security hole and Cisco needs to either enforce "Block" or remedy this to prevent clients free access to everything until they are allowed.   What's even stranger.... one of our SSIDs was set the same way, and couldn't get to the private LAN.   So the problem isn't consistent, and that's frustrating.   Shout out to Support for linking me the above document. ... View more