Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Access Restriction between different SSIDs

  • 1.  Access Restriction between different SSIDs

    Posted Nov 29, 2012 03:29 AM

    Dear Friends,

     

    Your kind help is required. We have deployed Aruba AP 92 with a controller. We have 3 buildings; each building is configured with a different VLAN, a different IP subnet and a different SSID. Now we want to restrict users of any building from connecting in any other building.

    I mean users of building A can only connect in building A and cannot connect to the WLAN when they are in building B or C.

    Please advise what encryption/authentication can be used to restrict the users.

    We want to implement MAC-based authentication with a preshared key if possible.



  • 2.  RE: Access Restriction between different SSIDs

    EMPLOYEE
    Posted Nov 29, 2012 06:03 AM

    What are you using for encryption?  WPA2-PEAP or WPA2-PSK?

     

     



  • 3.  RE: Access Restriction between different SSIDs

    Posted Nov 29, 2012 08:35 AM

    I can use any encryption method to fulfill this requirement.



  • 4.  RE: Access Restriction between different SSIDs

    Posted Dec 12, 2012 07:03 AM

    Would just creating three SSIDs work for you? One in building 1 with key 1, one in building 2 with key 2 and one in building 3 with key 3.

     

    Of course this only works so long as the keys are kept secret. A more elaborate solution would mean connecting the MAC addresses with the location in some way, not really a nice solution either.

     

     



  • 5.  RE: Access Restriction between different SSIDs

    Posted Dec 16, 2012 10:23 AM

    802.1x with AP groups is the nice way to do this... It gives you good control and visibility within your wifi network (as you can more easily see who is actually accessing what), and from the sounds of it there are some security concerns. PSK is really not the way to go if security is an issue. Depending on the number of wireless devices, should the key be leaked or a device stolen, it is a real pain to re-key all the devices....



  • 6.  RE: Access Restriction between different SSIDs

    Posted Dec 17, 2012 01:33 AM

    Thanks danstl. I agree with you. PSK is not a solution.

    Can you please elaborate on how we can configure 802.1x with AP groups to restrict the access? I tried this but in vain.

     



  • 7.  RE: Access Restriction between different SSIDs

    Posted Dec 17, 2012 03:12 AM

    What RADIUS solution are you using? I would start with just getting it to work and then focus on adding the location aspect.



  • 8.  RE: Access Restriction between different SSIDs

    Posted Dec 17, 2012 04:29 AM

    We are using Microsoft Windows Server 2008.

    MAC-based authentication can also be implemented.



  • 9.  RE: Access Restriction between different SSIDs

    Posted Dec 21, 2012 11:54 AM

    You have 3 buildings, all with different SSIDs, and you do not want roaming.

    You first need to go to your configuration and AP configuration and create a group for each building.

    Create your SSIDs for each AP group with the appropriate authentication information (RADIUS).

    • If you want to give more granular access per building (departments/users/groups) you can create specific "server groups" in the Security/Authentication/Server Group. And then you can pull the filter ID from your RADIUS server based on AD group membership and apply a role based on just about anything. Pay close attention to order as it is first come first serve....

    Once you have your authentication scenarios down, throw a single testing AP into your selected groups for testing (this is done through the Configuration/AP Installation). Here you can set up provisioning settings on a per-AP basis, where you can change the AP group the device belongs to.

     

    This is a very "high level" explanation, but should get you started.  Obviously test in a small controlled environment before going live with such a major change.

     

    -Dan
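
The rule ordering mentioned in the last reply, as an added example that is not part of the original thread and is not Aruba's code: a small Python model of first-match role derivation from the RADIUS Filter-Id, with one rule list per building's server group, plus a check that flags rules an earlier rule always shadows. The server group names, Filter-Id values, role names, operator names and the deny-all fallback role are all assumptions made for illustration.

```python
# Model of first-match role derivation from the RADIUS Filter-Id attribute.
# All names, Filter-Id values and roles below are hypothetical (constructed).
DEFAULT_ROLE = "deny-all"  # assumption: fallback role that permits no traffic

OPERATORS = {
    "equals": lambda value, operand: value == operand,
    "contains": lambda value, operand: operand in value,
    "starts-with": lambda value, operand: value.startswith(operand),
}

# One ordered rule list per building: (operator, operand, role).
SERVER_GROUPS = {
    "bldgA-srvgrp": [("equals", "BuildingA", "bldgA-staff")],
    "bldgB-srvgrp": [("equals", "BuildingB", "bldgB-staff")],
    "bldgC-srvgrp": [("equals", "BuildingC", "bldgC-staff")],
}

# AP group -> server group used by the SSID broadcast only in that building.
AP_GROUPS = {
    "BuildingA": "bldgA-srvgrp",
    "BuildingB": "bldgB-srvgrp",
    "BuildingC": "bldgC-srvgrp",
}

def derive_role(rules, filter_id):
    """Return the role of the first matching rule; later rules are never consulted."""
    if filter_id is None:  # RADIUS returned no Filter-Id for this user
        return DEFAULT_ROLE
    for operator, operand, role in rules:
        if OPERATORS[operator](filter_id, operand):
            return role
    return DEFAULT_ROLE

def role_at(ap_group, filter_id):
    """Role a user receives when authenticating through an AP in ap_group."""
    return derive_role(SERVER_GROUPS[AP_GROUPS[ap_group]], filter_id)

def shadowed_rules(rules, sample_filter_ids):
    """Rules that never win for any sample Filter-Id because an earlier rule matches first."""
    winners = set()
    for value in sample_filter_ids:
        for index, (operator, operand, _role) in enumerate(rules):
            if OPERATORS[operator](value, operand):
                winners.add(index)
                break
    return [rule for index, rule in enumerate(rules) if index not in winners]
```

Running `shadowed_rules` over the Filter-Id values your RADIUS policies actually return is a quick way to catch a broad rule placed ahead of a specific one before the test AP goes into a group.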