Controllerless Networks

Occasional Contributor I

Guest client isolation

Hello,

I'm a bit stumped regarding the client isolation in Aruba Instant wireless network.

Basically, to follow government regulations for public Wi-Fi and for obvious security reasons, I need to make all the clients connecting to the same SSID invisible to each other.

I have enabled the Deny Inter User Bridging and Routing options under System and in the SSID settings, and ARP broadcast filtering, but I'm still unable to stop clients browsing the same subnet and seeing every other IP connected.

What am I missing? On other vendors there's usually a simple option like "AP Isolation" or similar that would stop clients on the same SSID seeing each other.

Do I also need to create an Access Control Rule to disable all the traffic to same subnet (except gateway IP)? Seems like a crude option.

Guru Elite

Re: Guest client isolation

What tools are you using to discover other clients?



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor I

Re: Guest client isolation

Hello,

For example, I'm still able to do a ping sweep in the subnet and discover all the IPs and MAC addresses, and identify devices from the latter. I'm sure I'm missing some elementary setting on the Instant OS.

Best regards

Guru Elite

Re: Guest client isolation

Deny inter user bridging only works to block traffic between users on your Instant Cluster.  You would still be able to discover clients on the same subnet if they are wired or they were in another cluster.  You would need an ACL to block traffic to/from the same subnet for clients that are not users in your instant cluster.

If you specifically want to block ARPs, it is all or nothing (all ARPs, including for the default gateway, will be blocked).  You can use the ACL example below:

[Attached screenshot: Screenshot 2017-08-27 at 02.06.39.png]



Colin Joseph
Aruba Customer Engineering

Occasional Contributor I

Re: Guest client isolation

As there should be no communication between the clients in the guest subnet I guess I can block everything except traffic to the gateway IP.

Would this kind of rule be ok? Or would it be better to make two rules: allow all to gateway IP followed by a block all rule to subnet?

Guru Elite

Re: Guest client isolation

You can block all traffic to the subnet.  Nothing from an IP perspective is actually sent with a destination of the default gateway.



Colin Joseph
Aruba Customer Engineering

Occasional Contributor I

Re: Guest client isolation

Unfortunately I'm still not able to get it working properly.

Blocking all ARP will indeed accomplish the desired effect and other clients are no longer discovered. But this also completely kills off any connectivity to any other places.

Blocking all traffic to the subnet will also kill off any connectivity, as the clients won't be able to get an IP from the gateway, which also serves DHCP and the captive portal. Allowing traffic only to the gateway IP, on the other hand, also leaves all the other clients discoverable on the subnet.

I'm out of ideas :(

Aruba Employee

Re: Guest client isolation

I guess you have created the rule from above. If you block everything, you also block DHCP/DNS. You have to create a rule which allows at least DHCP/DNS, to let your clients get an IP and look up DNS names.

Visit our YouTube channel:
https://www.youtube.com/channel/UCFJCnuXFGfEbwEzfcgU_ERQ/featured
Please visit my personal blog as well:
https://www.flomain.de
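
To make the rule ordering from this thread concrete, here is an added Python model of a first-match guest ACL; it is not Aruba's code and does not use Instant CLI syntax. The guest subnet 10.10.0.0/24, the gateway 10.10.0.1 (serving DHCP, DNS and the captive portal, as in the original poster's setup) and the sample flows are constructed values; as noted above, an IP ACL never sees ARP, so neighbours stay visible at layer 2 regardless.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed addressing: guest VLAN plus the gateway that also serves DHCP,
# DNS and the captive portal, as in the original poster's setup.
GUEST_SUBNET = ipaddress.ip_network("10.10.0.0/24")
GATEWAY_HOST = ipaddress.ip_network("10.10.0.1/32")

@dataclass
class Rule:
    action: str                           # "permit" or "deny"
    proto: Optional[str]                  # "udp", "tcp", "icmp"; None = any
    dports: Optional[Tuple[int, int]]     # inclusive dest port range; None = any
    dst: Optional[ipaddress.IPv4Network]  # destination match; None = any

# Evaluated top-down, first match wins, implicit deny at the end. The service
# permits must precede the subnet deny, or clients lose DHCP, DNS and the portal.
GUEST_ACL = [
    Rule("permit", "udp", (67, 67), None),          # DHCP (broadcast or unicast)
    Rule("permit", "udp", (53, 53), GATEWAY_HOST),  # DNS served by the gateway
    Rule("permit", "tcp", (80, 80), GATEWAY_HOST),  # captive portal on the gateway
    Rule("deny",   None,  None,     GUEST_SUBNET),  # no client-to-client IP traffic
    Rule("permit", None,  None,     None),          # everything else (Internet)
]
# The ordering the original poster ran into: subnet deny placed first.
MISORDERED_ACL = [GUEST_ACL[3]] + GUEST_ACL[:3] + [GUEST_ACL[4]]

def evaluate(acl, proto, dst_ip, dport=0):
    # Returns "permit" or "deny" for one client-originated packet.
    dst = ipaddress.ip_address(dst_ip)
    for rule in acl:
        if rule.proto is not None and rule.proto != proto:
            continue
        if rule.dports is not None and not rule.dports[0] <= dport <= rule.dports[1]:
            continue
        if rule.dst is not None and dst not in rule.dst:
            continue
        return rule.action
    return "deny"

# Constructed flows from a guest client; ARP is layer 2 and never reaches this ACL.
SAMPLE_FLOWS = [
    ("udp", "255.255.255.255", 67),  # DHCP discover
    ("udp", "10.10.0.1", 53),        # DNS lookup via the gateway
    ("icmp", "10.10.0.55", 0),       # echo to a neighbour (the OP's ping-sweep test)
    ("tcp", "203.0.113.10", 443),    # HTTPS to the Internet
]

def audit(acl):
    # Maps each sample flow to the verdict the given ACL returns.
    return {flow: evaluate(acl, *flow) for flow in SAMPLE_FLOWS}
```

Running `audit(MISORDERED_ACL)` shows the DNS flow to the gateway denied while `audit(GUEST_ACL)` permits it, which is the difference between "clients can't get online" and the intended isolation.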
Occasional Contributor I

Re: Guest client isolation

It seems that the only solution would be to drop all ARP packets except to the default gateway, which currently can't be done.

This does generate trouble for us, as the government auditors are not happy when other devices are seen on the public VLAN, even when there's no other traffic allowed between them.

Maybe this option could be added in a future firmware.

Guru Elite

Re: Guest client isolation

Is this WLAN encrypted?  If it is a public WLAN and it is unencrypted, it is pretty easy to see any traffic going anywhere in the air.  Clients can contact each other directly and user isolation will not help.



Colin Joseph
Aruba Customer Engineering
