09-08-2017 04:28 PM
Hopefully a quick question,
Would there be security implications if I were to have a Public Guest SSID that is assigned, say, VLAN 10, then have our corporate SSID (AD machine auth with WPA2/EAP-TLS/PEAP) with that same VLAN (10) as the default, but then assign the corporate VLANs to the corporate machines through ClearPass based on the Active Directory OU of the machine? My thought is that if I set up my Enforcement profile in CPPM to look at the OU and assign a VLAN, but have the Public VLAN be the last entry in case the computer is in AD but not in an OU that has a VLAN assigned, then it would assign the Public VLAN and public role on the AP to prevent access to the corporate network. I'm thinking it'd be the same as having our public VLAN traffic flow through the same physical network as our corporate network, which we already do. Any thoughts or best practice suggestions?
09-09-2017 02:11 AM
An issue I can think of is that essentially the Public and Corp devices may end up within the same VLAN. You could enable deny inter-user traffic, but the preferred option would be to have segregated VLANs. Questions are also raised with DHCP and DNS: the Corp users on a Guest VLAN may need to access Corporate DNS/DHCP servers, which may be off limits. Is this a controller or controller-less solution?
If this is a physical controller you could have a direct connection from the WLAN controller to the firewall so the Guest VLAN exists only between the WLAN controller and the firewall.
ACMP, ACSA, ACDX #985
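To make the ordered-enforcement design from the question concrete, and to show the overlap the reply warns about, here is an added example in plain Python. It is not ClearPass code and not from either poster; it models an enforcement policy as an ordered rule list evaluated against the machine's AD distinguished name, with the guest entry last. The OU names, VLAN IDs, role names and the `OU_RULES` table are assumptions for the illustration. The RADIUS attribute names and the Tunnel-Type/Tunnel-Medium-Type values are the standard ones from RFC 2868 that a VLAN-assigning profile returns.

```python
"""
Added illustration (not Aruba/ClearPass code): an ordered enforcement
policy that maps an AD machine's OU to a VLAN and role, falling through
to the public/guest entry when nothing matches.  Rule order, OU names,
VLAN IDs and role names are assumptions made up for this example.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

# RFC 2868 tunnel attribute values used for RADIUS VLAN assignment.
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE802 = 6

GUEST_VLAN = 10          # assumption: the VLAN the public SSID also uses
GUEST_ROLE = "public"    # assumption: AP/controller role for guest clients

# Ordered rules, first match wins.  Each OU path is written root-first,
# so ("Workstations",) matches any machine anywhere under OU=Workstations.
# The guest entry is deliberately not in this list: it is the fall-through.
OU_RULES = [
    (("Workstations",), 20, "corp-workstation"),   # assumed values
    (("Servers",), 30, "corp-server"),             # assumed values
]


def parse_dn_ous(dn: str) -> Tuple[str, ...]:
    """Return the OU values of an LDAP DN ordered root-first.

    Splits on unescaped commas only, so an RDN value such as
    'OU=Sales\\, EMEA' stays intact instead of being cut in half.
    """
    rdns, cur, i = [], "", 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):   # escaped char: keep both
            cur += dn[i:i + 2]
            i += 2
            continue
        if dn[i] == ",":
            rdns.append(cur.strip())
            cur = ""
        else:
            cur += dn[i]
        i += 1
    rdns.append(cur.strip())
    ous = []
    for rdn in rdns:
        attr, _, val = rdn.partition("=")
        if attr.strip().upper() == "OU":
            ous.append(val.replace("\\,", ","))
    return tuple(reversed(ous))   # DN lists leaf first; we want root first


@dataclass(frozen=True)
class Enforcement:
    vlan: int
    role: str

    def radius_attrs(self) -> dict:
        """Attributes a VLAN-assigning enforcement profile would return."""
        return {
            "Tunnel-Type": TUNNEL_TYPE_VLAN,
            "Tunnel-Medium-Type": TUNNEL_MEDIUM_IEEE802,
            "Tunnel-Private-Group-Id": str(self.vlan),
            "Role": self.role,          # assumption: vendor role attribute
        }


def enforce(machine_dn: Optional[str]) -> Enforcement:
    """Evaluate rules in order; None means AD returned no machine object
    (non-domain or guest client).  Anything unmatched gets the guest entry."""
    if machine_dn is not None:
        ous = parse_dn_ous(machine_dn)
        for path, vlan, role in OU_RULES:
            # Compare the parsed OU chain, not a substring of the raw DN,
            # so "OU=Workstations-Retired" does not match "Workstations".
            if ous[:len(path)] == path:
                return Enforcement(vlan, role)
    return Enforcement(GUEST_VLAN, GUEST_ROLE)


def lands_with_guests(machine_dn: Optional[str]) -> bool:
    """True when this client ends up in exactly the same VLAN and role as
    an unauthenticated guest, i.e. the co-mingling the reply points out."""
    return enforce(machine_dn) == enforce(None)


if __name__ == "__main__":
    for dn in ["CN=PC1,OU=Laptops,OU=Workstations,DC=corp,DC=example",
               "CN=PC2,OU=Unmapped,DC=corp,DC=example", None]:
        print(dn, "->", enforce(dn), "guest segment:", lands_with_guests(dn))
```

The last check is the one worth keeping in mind: a domain-joined machine in an OU the policy does not name receives exactly the guest VLAN and guest role, so it shares a broadcast domain with unauthenticated clients and inherits whatever the public role blocks, including, if the public role denies them, the corporate DHCP and DNS servers it needs to renew a lease or find a domain controller.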