Controllerless Networks

Occasional Contributor I

Easy Question: iAP Central secure multiple SSID config

Last time I worked with Aruba APs was with a controller and I thoroughly enjoyed being able to plop an AP on the LAN and all the wireless traffic would magically secure-tunnel through the LAN to the controller and out to the Internet without ever having access to the LAN. All the while, the AP was plugged into the very same switch that ordinary office PCs plugged into. Oh, to boot, I never had to configure any VLANs on any of the switches either.

So, with that concept in mind, I'm fully expecting the same ease of deployment with Instant APs, but it's not working for me, yet.

Using Cloud Central, I have configured a Guest Internet-only network and added rules to deny the private IP ranges 10.0.0.0, 172.16.0.0 and 192.168.0.0, but when connected to the Guest SSID, I'm still able to ping the LAN firewall at 192.168.1.1 as well as devices on the 192.168.1.0 network. To my chagrin, I'm also able to ping devices in other private networks across VPNs to which the LAN firewall has access.

Here's a basic network map:

iAP-215
SSID Corp, VLAN 1 (LAN access)
SSID Guest, VLAN 103 (Internet access only; no access to the private ranges 10.0.0.0, 172.16.0.0, 192.168.0.0)
Managed Switch (currently no VLAN tagging enabled)
Firewall (VLAN 103 configured as a virtual interface)
Internet Router

Are my expectations or my configuration misaligned?

Thanks!

Occasional Contributor I

Re: Easy Question: iAP Central secure multiple SSID config

Blocking RFC1918 addresses on a particular SSID or role should not be a problem.

Is your Guest SSID PSK based or Captive Portal?

Note that with Captive Portal you are using at least two roles, one for pre-authentication and one for post-authentication.

Are you able to provide some config or screenshots?

ACMP, ACCA, CWNA

Re: Easy Question: iAP Central secure multiple SSID config

Can you please share the ACLs under the SSID?
Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Occasional Contributor I

Re: Easy Question: iAP Central secure multiple SSID config

Here's the Guest SSID config. Very basic.

General, Basic Settings, Primary Usage: Guest

VLANs, Client IP Assignment: Network Assigned

Client VLAN Assignment: Static

VLAN ID: 103

General, Miscellaneous, Deny Inter User Bridging: Enabled

(no need for WiFi clients to communicate with each other)

Security, Splash Page Type: None

Encryption, Key Management: WPA2 Personal

Access Rules, Network Based

Deny any to network 10.0.0.0/255.0.0.0

Deny any to network 172.16.0.0/255.255.0.0

Deny any to network 192.168.0.0/255.255.255.0

Allow any to all destinations

DHCP, Local DHCP Scopes

DHCP WiFi Guest VLAN 103 (Local, VLAN 103, network 10.10.103.0)

All other settings are default.

FYI, the LAN to which the AP-125 is connected is 192.168.1.0/24.

Occasional Contributor I

Re: Easy Question: iAP Central secure multiple SSID config

Hi nuit,

According to your config, the network masks for the 192.168.0.0/16 and 172.16.0.0/12 subnets are wrong.

Should be:

rule 10.0.0.0 255.0.0.0 match any any any deny
rule 172.16.0.0 255.240.0.0 match any any any deny
rule 192.168.0.0 255.255.0.0 match any any any deny

Regards

ACMP, ACCA, CWNA
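An added example (not from this thread or from Aruba) that evaluates the Guest SSID rule set first-match, the way an access-rule list is walked, and shows why the original masks still permit 192.168.1.1 and 172.31.x.x while the corrected /12 and /16 masks do not. It assumes the `rule <network> <mask> match any any any <action>` form quoted above; the closing `rule any any ... permit` line is my rendering of "Allow any to all destinations", and the probe addresses are constructed.

```python
import ipaddress

# Rule text in the "rule <network> <mask> match any any any <action>" form used in the
# thread; the final "any any" permit line is my rendering of "Allow any to all destinations".
ORIGINAL_RULES = """
rule 10.0.0.0 255.0.0.0 match any any any deny
rule 172.16.0.0 255.255.0.0 match any any any deny
rule 192.168.0.0 255.255.255.0 match any any any deny
rule any any match any any any permit
"""

CORRECTED_RULES = """
rule 10.0.0.0 255.0.0.0 match any any any deny
rule 172.16.0.0 255.240.0.0 match any any any deny
rule 192.168.0.0 255.255.0.0 match any any any deny
rule any any match any any any permit
"""

def parse_rules(text):
    """Return (destination network, action) pairs in rule order."""
    rules = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) < 7 or parts[0] != "rule":
            raise ValueError(f"unrecognised rule line: {line!r}")
        net, mask, action = parts[1], parts[2], parts[-1]
        # "any any" means every destination; otherwise build the network from its dotted mask
        dst = ipaddress.ip_network("0.0.0.0/0" if net == "any" else f"{net}/{mask}", strict=False)
        rules.append((dst, action))
    return rules

def evaluate(rules, dst_ip):
    """First matching rule wins; no match falls through to an implicit deny."""
    ip = ipaddress.ip_address(dst_ip)
    for dst, action in rules:
        if ip in dst:
            return action
    return "deny"

def uncovered_rfc1918(rules):
    """Constructed probe hosts inside RFC1918 space that the rule set still permits."""
    probes = ["10.10.103.1", "172.31.255.1", "192.168.1.1"]
    return [p for p in probes if evaluate(rules, p) == "permit"]

if __name__ == "__main__":
    for name, text in (("original", ORIGINAL_RULES), ("corrected", CORRECTED_RULES)):
        print(name, "still permits:", uncovered_rfc1918(parse_rules(text)))
```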