Aruba Instant: Drop into a VLAN based on the certificate of the client?

  • 1.  Aruba Instant: Drop into a VLAN based on the certificate of the client?

    Posted Jun 30, 2016 05:02 AM

    Hey everyone, I got a question from a client I can't answer by myself. I found similar posts, but they don't help me in this case, sadly.

    We have 205 APs there and use Radius Authentication, we have two SSIDs there, one is Internet-only, one is Internal-and-Internet (not the real names). The access is controlled via User Groups in AD.

    He wants to have one SSID only, and the AP should determine whether it's a client who is allowed to go to Internet-only, or Internal-and-Internet, by checking if the client has a certificate installed.

    This way all mobile clients with an AD user would drop to, let's say, VLAN 100, because they have no certificate installed, and all notebooks (with certificate and user) would go to VLAN 200.

    My biggest and first question: Is this possible with Instant-APs at all?

    Also, this is a side question: My APs suddenly drop the config from time to time. Not everything, just certain things (Radius IP is not the new radius, but the one I had previously, Guest SSID was hidden and disabled, suddenly it is propagated again and working). This stuff is weird.


    Thanks in advance guys!



  • 2.  RE: Aruba Instant: Drop into a VLAN based on the certificate of the client?

    EMPLOYEE
    Posted Jun 30, 2016 06:06 AM
    This is definitely possible if you have ClearPass.


  • 3.  RE: Aruba Instant: Drop into a VLAN based on the certificate of the client?

    Posted Jun 30, 2016 08:29 AM

    Hey Cappalli! Thanks for the quick reply. Sadly we don't have clearpass (no one in Europe wants to buy it, we have horrible Deals from HP). Is there a way to do it with the instant solution?



  • 4.  RE: Aruba Instant: Drop into a VLAN based on the certificate of the client?

    EMPLOYEE
    Posted Jun 30, 2016 09:14 AM

    The IAP cannot see into the details on the certificate, so it cannot take action on it.  A capable policy engine would be able to, however.  What are you trying to do?



  • 5.  RE: Aruba Instant: Drop into a VLAN based on the certificate of the client?

    Posted Jun 30, 2016 09:50 AM

    So it's most likely a thing to configure on the radius then?

    I want to have an AP and one SSID called WIFI or whatever.
    The client comes with their notebook, he's an employee so he has a domain login. -> connects to the SSID -> user password prompt for domain authentication -> ok -> does he have a certificate? -> yes = VLAN X, else VLAN Y

    The client comes with their phone, he's an employee, same procedure. It should separate private devices from business devices.

    How would you go about this?
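
Added example (not part of any post in this thread, and not Aruba or ClearPass code): a sketch of the decision a RADIUS policy engine makes for the single-SSID flow described above, and of the RFC 2868/RFC 3580 VLAN attributes it returns in the Access-Accept for the AP to apply. It assumes notebooks with a certificate authenticate with EAP-TLS and phones with PEAP; the function names and method labels are hypothetical, and the VLAN IDs 100 and 200 are the ones from the first post.

```python
import struct

# RADIUS attribute numbers (RFC 2868) and the values RFC 3580 defines for VLANs.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TYPE_VLAN, MEDIUM_IEEE_802 = 13, 6

# VLAN IDs from the first post; the EAP method labels are this example's own.
VLAN_NO_CERT, VLAN_CERT = 100, 200


def choose_vlan(eap_method, cert_chain_valid=False, ad_login_ok=False):
    """Decide on the RADIUS server, which validates the client certificate;
    the IAP only relays EAP. Returns a VLAN ID, or None for Access-Reject."""
    if eap_method == "EAP-TLS":
        # A certificate was offered: accept only if it chains to the internal
        # CA and is not revoked. This example rejects instead of falling back.
        return VLAN_CERT if cert_chain_valid else None
    if eap_method == "PEAP-MSCHAPv2":
        # No client certificate, only an AD username and password.
        return VLAN_NO_CERT if ad_login_ok else None
    return None  # unknown EAP method


def vlan_attributes(vlan_id):
    """Encode the three tunnel attributes as RADIUS TLVs (tag byte 0)."""
    def tagged_int(attr, value):
        # type, length 6, tag, then a 3-byte big-endian value
        return struct.pack("!BBB", attr, 6, 0) + value.to_bytes(3, "big")

    vid = str(vlan_id).encode("ascii")
    group = struct.pack("!BB", TUNNEL_PRIVATE_GROUP_ID, 2 + len(vid)) + vid
    return (tagged_int(TUNNEL_TYPE, TYPE_VLAN)
            + tagged_int(TUNNEL_MEDIUM_TYPE, MEDIUM_IEEE_802)
            + group)


def access_accept_vlan(eap_method, **auth_result):
    """Return the attribute bytes for an Access-Accept, or None to reject."""
    vlan = choose_vlan(eap_method, **auth_result)
    return None if vlan is None else vlan_attributes(vlan)


if __name__ == "__main__":
    for method, result in [("EAP-TLS", {"cert_chain_valid": True}),
                           ("PEAP-MSCHAPv2", {"ad_login_ok": True}),
                           ("EAP-TLS", {"cert_chain_valid": False})]:
        attrs = access_accept_vlan(method, **result)
        print(method, result, attrs.hex() if attrs else "Access-Reject")
```

The SSID on the AP then only needs 802.1X with dynamic VLAN assignment enabled; which VLAN a device lands in is decided entirely by what the RADIUS server returns.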



  • 6.  RE: Aruba Instant: Drop into a VLAN based on the certificate of the client?

    Posted Jun 30, 2016 09:55 AM

    Can't you use separate SSIDs for corporate devices and guest devices? 802.1x for corporate with machine authentication and guest/psk for their personal devices.

    I wouldn't recommend using your corporate credentials on a wireless network without checking the certificate.



  • 7.  RE: Aruba Instant: Drop into a VLAN based on the certificate of the client?

    Posted Jun 30, 2016 10:13 AM

    Thanks a lot for your input. Right now it is like you mentioned it, except that both SSIDs use RADIUS Authentication (one is for internet only, one is for internet and lan, regulated by group policies in AD).
    I'd leave it like that, but the client wants it with only one SSID (it would be confusing for the clients, he said).

    But since I'm very inexperienced with Aruba AND Radius, I guess I'll leave it like that and tell him there is no easy fix, besides that not even he knows how to configure radius properly.



  • 8.  RE: Aruba Instant: Drop into a VLAN based on the certificate of the client?

    Posted Jun 30, 2016 09:18 AM

    @perskes wrote:

    Hey Cappalli! Thanks for the quick reply. Sadly we don't have clearpass (no one in Europe wants to buy it, we have horrible Deals from HP). Is there a way to do it with the instant solution?


    "No one" seems quite the bold claim. We don't seem to have that problem ;)



  • 9.  RE: Aruba Instant: Drop into a VLAN based on the certificate of the client?

    Posted Jun 30, 2016 09:39 AM

    Sorry, I meant to say the German-Austrian-Swiss region, but I tend to exaggerate.

    So, how many clients do you have that clearpass makes sense to you? We would not get great prices <5000 Users and frankly, that's not the size of clients we have on a day-to-day basis.



  • 10.  RE: Aruba Instant: Drop into a VLAN based on the certificate of the client?

    Posted Jun 30, 2016 09:46 AM

    No problem. I don't know about the pricings we get since I'm only installing and configuring them. But we have clearpass installations way under 5000 employees. We mostly use the VA 500 (mostly in cluster) and for bigger installations the 5K (always in cluster). I don't recall having installed a 25K so far. We've had clients just buying it for the guest self-registration and sponsored access.