09-21-2013 06:36 AM
This is my first time setting up both Aruba and Instant :)
Need some help with authentication.
I have a 2 IAP-93 running Instant 126.96.36.199-188.8.131.52_39086.
I need to split VIP users and employers:
VIPs must have unrestricted access.
Employers must have the required URLs blocked (youtube, facebook, etc.).
All users must see single SSID on their devices.
There must not be any portals or splash pages for any users - just find the appropriate SSID and enter the password.
I found some info on the community, but still have questions.
If I create a guest SSID with the internal auth server and MAC-based auth, how do I avoid the auth portal? How do I create different roles and rules for VIP users authenticated by MAC and for users whose MACs do not match the VIP list? And how do I block URLs for non-VIPs?
Thanks a lot!
I have until Monday to solve it :(
09-21-2013 09:03 AM
Authentication via MAC address is not very secure, since MAC address can easily be spoofed. Add to that, MAC auth uses the MAC for both the username and password, so there's really no good way to secure it that way.
For employees (VIP and regular), you could leverage user based security and still leverage the internal auth server built into Instant if needed. Optionally, you can instead use Active Directory or some external RADIUS server to authenticate employees, if you already have a directory server somewhere.
For guests, usually the open SSID with captive portal (whether or not you challenge for password or username) is the easiest, as you don't require any special configuration on the guest's computer to connect. MAC auth is not ideal here, because the guest would have to provide you with their MAC address so that you can manually add them into the authentication server, and it still doesn't stop the bad guy from spoofing a valid guest MAC. I've seen some guest networks use a Pre-Shared Key just for the Guest SSID (so using two SSIDs; one for guest and one for employees) and rotate that PSK at some interval if they wanted to secure the guest network without captive portal.
Does that help spark some ideas? Post any questions and we can get into more detail.
09-21-2013 11:02 AM - edited 09-21-2013 11:06 AM
cclemmer, thanks a lot!
Sorry, I didn't write about that in the previous post... I use WPA2-PSK.
The client who wants this wifi project wants only a single SSID and a single password for wifi - he doesn't want 2 SSIDs and doesn't want any login/passwords to enter every time he opens his laptop... Thus I need to solve how to split his employers and VIPs without all this...
I found a mac-address attribute in the rules for assigning roles, but the user guide says:
"IAP uses the OUI part of a MAC address to identify the device manufacturer and assigns a desired role for users who have completed 802.1X authentication and MAC authentication."
What if I use role derivation by the mac-address attribute, and a VIP has xx:xx:xx:xx:12:34:56:78 and a non-VIP has xx:xx:xx:xx:12:34:56:79? Will the result be the same role for both of them?
Is it possible to enable WPA2-Enterprise, 802.1X with 2 types of certificates - one for VIP and another for non-VIP users? Is it possible to assign roles by these certs?
Finally, is it possible to enable keyword URL blocking for different roles? I found only default types of access control rules - the only suitable way is IP blocking. Thus if I need to block youtube, do I need to do nslookup youtube.com and add every IP as blocked? The result would be dubious.
09-21-2013 02:08 PM
Just throwing a couple of things out there, though they do not meet your needs...
We do have a partnership with OpenDNS for content filtering for the IAP; however, filtering is enabled on a per SSID basis. As such, with your requirement of a single SSID, unfortunately, this is not a workable solution.
We can do VLAN derivation based on a RADIUS attribute; however, that would require 802.1X auth rather than a PSK. If you could go this route, the two different classes of users could get dumped into separate VLANs and then you would police the traffic upstream. The same could be done with MAC auth on the RADIUS server and have the server return a "Filter-Id" and you can key off the Filter-Id to assign a role which ties the user to different firewall policies... which as you noted may not meet your needs.
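The chain the last reply describes (RADIUS server returns a Filter-Id or a VLAN attribute, the AP derives a role from it, and the role's firewall policy decides what the client may reach) is modelled below as an added, self-contained Python example. It is not code from Aruba or from anyone in this thread. The attribute names Filter-Id and Tunnel-Private-Group-ID are the standard RADIUS ones (RFC 2865 / RFC 2868); the rule operators, the default role, the MAC-auth database and the per-role domain deny-list are constructed assumptions for illustration and do not reproduce Instant's actual rule engine.

```python
"""Simplified model of RADIUS-driven role derivation on a wireless AP.

Constructed example (not Aruba's code): a RADIUS server answers a MAC-auth
or 802.1X request with reply attributes; the AP walks its derivation rules
in order, assigns a role, and the role's firewall policy answers
"may this client reach host X?".
"""
from dataclasses import dataclass
from typing import Optional

# Standard RADIUS reply attribute names (RFC 2865 / RFC 2868).
FILTER_ID = "Filter-Id"
TUNNEL_PRIVATE_GROUP_ID = "Tunnel-Private-Group-ID"  # VLAN name or number


@dataclass
class Rule:
    """One role-derivation rule: <attribute> <operator> <value> -> role."""
    attribute: str
    operator: str      # "equals", "contains" or "starts-with" (assumed set)
    value: str
    role: str

    def matches(self, reply: dict) -> bool:
        got = reply.get(self.attribute)
        if got is None:
            return False
        got = str(got)
        if self.operator == "equals":
            return got == self.value
        if self.operator == "contains":
            return self.value in got
        if self.operator == "starts-with":
            return got.startswith(self.value)
        raise ValueError(f"unknown operator {self.operator!r}")


@dataclass
class Role:
    """A user role with its firewall policy (a domain-suffix deny-list)."""
    name: str
    blocked_domains: frozenset = frozenset()

    def allows(self, host: str) -> bool:
        host = host.lower().rstrip(".")
        for domain in self.blocked_domains:
            if host == domain or host.endswith("." + domain):
                return False
        return True


# Constructed roles: VIP unrestricted, employee with a URL deny-list.
ROLES = {
    "vip": Role("vip"),
    "employee": Role("employee", frozenset({"youtube.com", "facebook.com"})),
}
DEFAULT_ROLE = "employee"  # applied when no rule matches (assumption)

# Derivation rules keyed off the Filter-Id the RADIUS server returns.
RULES = [
    Rule(FILTER_ID, "equals", "vip", "vip"),
    Rule(FILTER_ID, "equals", "employee", "employee"),
]

# Constructed MAC-auth database on the RADIUS server side. With MAC auth the
# MAC serves as both username and password, which is why the first reply in
# the thread calls it weak: anything that can present the MAC gets the reply.
MAC_DB = {
    "aa:bb:cc:dd:ee:01": {FILTER_ID: "vip", TUNNEL_PRIVATE_GROUP_ID: "10"},
    "aa:bb:cc:dd:ee:02": {FILTER_ID: "employee", TUNNEL_PRIVATE_GROUP_ID: "20"},
}


def radius_mac_auth(mac: str) -> Optional[dict]:
    """Reply attributes of an Access-Accept for a known MAC; None = Access-Reject."""
    return MAC_DB.get(mac.lower())


def derive_role(reply: dict, rules=RULES, default=DEFAULT_ROLE) -> str:
    """First matching rule wins; otherwise fall back to the default role."""
    for rule in rules:
        if rule.matches(reply):
            return rule.role
    return default


def derive_vlan(reply: dict) -> Optional[str]:
    """VLAN derivation from the standard tunnel attribute, if the server sent one."""
    vlan = reply.get(TUNNEL_PRIVATE_GROUP_ID)
    return None if vlan is None else str(vlan)


def authorize(reply: dict, host: str) -> tuple:
    """(role name, allowed?) for a client with these reply attributes."""
    role_name = derive_role(reply)
    return role_name, ROLES[role_name].allows(host)


if __name__ == "__main__":
    for mac in ("aa:bb:cc:dd:ee:01", "aa:bb:cc:dd:ee:02", "00:11:22:33:44:55"):
        reply = radius_mac_auth(mac)
        if reply is None:
            print(mac, "-> Access-Reject")
            continue
        role, ok = authorize(reply, "www.youtube.com")
        print(mac, "-> role", role, "vlan", derive_vlan(reply), "youtube allowed:", ok)
```

The model makes the reply's trade-off visible: the role and the VLAN both hinge entirely on what the RADIUS server returns, so the policy is only as strong as the credential that produced the Access-Accept (a MAC under MAC auth, a user credential or certificate under 802.1X).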