Controllerless Networks


Instant Mode - the controllerless Wi-Fi solution that's easy to set up, is loaded with security and smarts, and won't break your budget

Easy Question: iAP Central secure multiple SSID config

  • 1.  Easy Question: iAP Central secure multiple SSID config

    Posted Oct 31, 2016 12:19 AM

    Last time I worked with Aruba APs was with a controller and I thoroughly enjoyed being able to plop an AP on the LAN and all the Wireless traffic would magically secure tunnel through the LAN to the controller and out to the Internet without ever having access to the LAN.  All the while, the AP was plugged into the very same switch that ordinary office PCs plugged into.  Oh, to boot, I never had to configure any VLANs on any of the switches either.

     

    So, with that concept in mind, I'm fully expecting the same ease of deployment with Instant APs but it's not working for me, yet.

     

    Using Cloud Central, I have configured a Guest Internet only network and added rules to deny private IP ranges 10.0.0.0, 172.16.0.0 and 192.168.0.0, but when connected to the Guest SSID, I'm still able to ping the LAN firewall at 192.168.1.1 as well as devices on the 192.168.1.0 network.  To my chagrin, I'm also able to ping devices in other private networks across VPNs to which the LAN firewall has access.

     

    Here's a basic network map:

    iAP-215

    SSID Corp VLAN 1 (LAN access)

    SSID Guest VLAN 103 (Internet access only (no private IP range access 10.0.0.0, 172.16.0.0, 192.168.0.0))

    Managed Switch (currently no VLAN tagging enabled)

    Firewall (VLAN 103) configured as Virtual Interface

    Internet Router

     

    Are my expectations or my configuration misaligned?

     

    Thanks!



  • 2.  RE: Easy Question: iAP Central secure multiple SSID config

    Posted Oct 31, 2016 05:08 AM

    Blocking RFC1918 addresses on a particular SSID or role should not be a problem.

    Is your Guest SSID PSK based or Captive Portal?

    Note that with Captive Portal you are using at least two roles, one for pre authentication and one for post authentication.

    Are you able to provide some config or screenshots?



  • 3.  RE: Easy Question: iAP Central secure multiple SSID config

    Posted Oct 31, 2016 06:28 AM
    Can you please share the ACLs under the SSID?


  • 4.  RE: Easy Question: iAP Central secure multiple SSID config

    Posted Nov 02, 2016 06:33 PM

    Here's the Guest SSID config.  Very basic.

     

    General, Basic Settings, Primary Usage: Guest

    VLANs, Client IP Assignment: Network Assigned

    Client VLAN Assignment: Static

    VLAN ID: 103

     

    General, Miscellaneous, Deny Inter User Bridging: Enabled

    (no need for WiFi clients to communicate with each other)

     

    Security, Splash Page Type: None

    Encryption, Key Management: WPA-2 Personal

     

    Access Rules, Network Based

    Deny any to network 10.0.0.0/255.0.0.0

    Deny any to network 172.16.0.0/255.255.0.0

    Deny any to network 192.168.0.0/255.255.255.0

    Allow any to all destinations

     

    DHCP, Local DHCP Scopes

    DHCP WiFi Guest VLAN 103

    Local

    103

    10.10.103.0

     

    All other settings are default.

     

    FYI, LAN to which AP-125 is connected is 192.168.1.0 /24



  • 5.  RE: Easy Question: iAP Central secure multiple SSID config
    Best Answer

    Posted Nov 03, 2016 05:10 AM

    Hi nuit,

     

    According to your config, your network masks for the 192.168.0.0/16 and 172.16.0.0/12 subnets are wrong.

     

    Should be: 

    rule 10.0.0.0 255.0.0.0 match any any any deny

    rule 172.16.0.0 255.240.0.0 match any any any deny
    rule 192.168.0.0 255.255.0.0 match any any any deny

    Regards
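
Why the posted masks still let a Guest client reach 192.168.1.1, shown as an added example that is not part of the original thread or Aruba's own code. It assumes rules are evaluated top-down with the first match winning; the rule tuples and function names are illustrative only.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed from the rules quoted in the thread: (action, "network/mask").
POSTED = [("deny", "10.0.0.0/255.0.0.0"),
          ("deny", "172.16.0.0/255.255.0.0"),
          ("deny", "192.168.0.0/255.255.255.0"),
          ("allow", "0.0.0.0/0")]            # "Allow any to all destinations"
CORRECTED = [("deny", "10.0.0.0/255.0.0.0"),
             ("deny", "172.16.0.0/255.240.0.0"),
             ("deny", "192.168.0.0/255.255.0.0"),
             ("allow", "0.0.0.0/0")]

def parse(rules):
    return [(action, ipaddress.ip_network(net)) for action, net in rules]

def verdict(rules, dst):
    """Action of the first rule matching dst (assumption: first match wins)."""
    addr = ipaddress.ip_address(dst)
    for action, net in parse(rules):
        if addr in net:
            return action
    return "deny"  # assumption: traffic matching no rule is dropped

def subtract(nets, cut):
    """Remove the address space of `cut` from a list of networks."""
    out = []
    for n in nets:
        if not n.overlaps(cut):
            out.append(n)
        elif not n.subnet_of(cut):           # cut lies strictly inside n
            out.extend(n.address_exclude(cut))
    return out

def exposed_private(rules):
    """RFC 1918 space that reaches an allow rule before any deny covers it."""
    remaining, exposed = list(RFC1918), []
    for action, net in parse(rules):
        if action == "allow":
            exposed += [n if n.subnet_of(net) else net
                        for n in remaining if n.overlaps(net)]
        remaining = subtract(remaining, net)
    return list(ipaddress.collapse_addresses(exposed))

if __name__ == "__main__":
    for name, rules in (("posted", POSTED), ("corrected", CORRECTED)):
        print(name, verdict(rules, "192.168.1.1"), exposed_private(rules))
```

With the posted masks, only 172.16.0.0/16 and 192.168.0.0/24 are denied, so the rest of both private blocks, including the 192.168.1.0/24 LAN, falls through to the final allow rule.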