Security, WIDS/WIPS and Aruba ECS

Contributor I
Posts: 34
Registered: ‎04-27-2009

Segregate users on separate SSIDs using the Internal DB

I think this is the right forum to post this. Short issue is that I want two separate SSIDs, both using Captive Portal with users in the Internal DB. I want it so that users on SSID1 can only log on to SSID1, and SSID2 users are restricted to SSID2.

Here's a bit more explanation. Our current setup has an Enterprise network using RADIUS for authentication. There is a guest network using Captive Portal and the Internal DB (we provision guest users ad hoc).

We also have some conference centers. When a big group of guests comes in for a few days in one of these rooms it is not efficient to provision 30-40 individual accounts for this. Instead we'd like to have one account we can put up on the board for these guests to use. However! We don't want these users to be able to get onto the regular Guest network.

Our Guest network covers the whole campus (20 buildings). I am creating a new SSID just for conference rooms that will only be available in those rooms.

Basically I want it so that GuestA can log on to the guest network anywhere, on the existing SSID, but cannot log on to the Conference SSID. Then I want Conf_GuestB to be able to log on to the Conference Rooms SSID, but not the existing Guest network.

Is this possible when using the Internal DB for both? I'm afraid that even with two AAA profiles, if they both point to the Internal DB, any user in the DB will be authenticated.

Thanks!
Guru Elite
Posts: 20,559
Registered: ‎03-29-2007

Re: Segregate users on separate SSIDs using the Internal DB

You are right. You cannot separate them.


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Contributor I
Posts: 34
Registered: ‎04-27-2009

Re: Segregate users on separate SSIDs using the Internal DB

I think I may be able to set up separate server groups that both point to the Internal DB. Then, on the conference SSID, I can set the default 802.1x role to guest-logon (preventing access; authenticated users would just be brought to the login page). Then, in the server group, I could have a derivation rule that says if username = "conference" then set role to guest.

What attributes can you look at in the Internal DB for rule derivation? I tried User-Name, but that does not seem to be working. Can you use derivation rules with the Internal DB?
Aruba Employee
Posts: 99
Registered: ‎09-08-2010

Re: Segregate users on separate SSIDs using the Internal DB

Why not simply define two roles that accomplish the same functionality ... a guest role that only provides restricted guest access to users, and an employee role that allows greater access. This way you can authenticate against the internal database, and users inherit the appropriate role. You wouldn't need two SSIDs to enable this, unless you wanted one SSID to be open/web auth, and the other to be WPA2/802.1x authenticated.
Contributor I
Posts: 34
Registered: ‎04-27-2009

Re: Segregate users on separate SSIDs using the Internal DB

Thanks for the reply. It's not so much the role though that's the issue. In fact, I don't have a problem with the Conference users having the same role as guest users. It's more about where the Conference SSID is available. I want the Conference SSID to only be advertised by APs located within Conference rooms. That part's easy. I just created a Conference SSID profile, VAP and AP group. The hard part is making it so that the 'conference user' can only log on to the Conference SSID (and is not able to log on to the guest SSID).

Contributor I
Posts: 34
Registered: ‎04-27-2009

Re: Segregate users on separate SSIDs using the Internal DB

What would be nice, and would solve this problem perfectly, is if Aruba supported multiple Internal DBs. Then I could just have a Guest Internal DB and a Conference Internal DB. Problem solved!!!

But until that happens, I'm still trying to maybe work it out with role derivation. I just don't know if role derivation works with the Internal DB.
Guru Elite
Posts: 20,559
Registered: ‎03-29-2007

Re: Segregate users on separate SSIDs using the Internal DB

Make the conference room SSID a WPA2 preshared key network. Put that on the conference room whiteboard. Done!


Colin Joseph
Aruba Customer Engineering


Contributor I
Posts: 34
Registered: ‎04-27-2009

Re: Segregate users on separate SSIDs using the Internal DB

You know what?! At this point I think that's a perfect solution. Thanks!
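For reference, the accepted approach in this thread (a WPA2-PSK SSID that is only advertised in the conference-room AP group, with no Captive Portal and no Internal DB lookup) looks roughly like the following ArubaOS 6.x controller CLI fragment. This is an added illustration, not configuration posted by either participant or by Aruba; the profile, role and AP-group names ("Conference-ssid", "Conference-vap", "Conference-aaa", "Conference-Rooms"), the placeholder passphrase, and the exact command syntax are assumptions based on the ArubaOS CLI and should be checked against the controller's own documentation for your release.

```text
! Assumed example, not from the thread. Names and syntax are assumptions.
! SSID profile: WPA2-PSK/AES, passphrase written on the room whiteboard.
wlan ssid-profile "Conference-ssid"
  essid "Conference"
  opmode wpa2-psk-aes
  wpa-passphrase "<CHANGE-ME-conference-passphrase>"

! AAA profile: PSK clients land directly in the restricted guest role.
! No authentication server group is attached, so Internal DB guest
! accounts are never consulted on this SSID.
aaa profile "Conference-aaa"
  initial-role "guest"

! Virtual AP tying the SSID and AAA profiles together.
wlan virtual-ap "Conference-vap"
  ssid-profile "Conference-ssid"
  aaa-profile "Conference-aaa"
  vlan 200

! AP group containing only the conference-room APs, so the SSID is
! not broadcast anywhere else on campus.
ap-group "Conference-Rooms"
  virtual-ap "Conference-vap"
```

This separates the two populations without touching the Internal DB: a campus guest account cannot be used on the conference SSID because that SSID never performs a database lookup, and a conference attendee who knows the PSK cannot log on to the campus guest SSID because that SSID still requires a Captive Portal account. Rotate the passphrase between events, since a single shared key is only as private as the whiteboard it is written on.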