Super Contributor II
Posts: 354
Registered: ‎09-26-2012

Access Restriction between different SSID's

Dear Friends,

Your kind help is required. We have deployed Aruba AP 92 with a controller. We have 3 buildings; each building is configured with a different VLAN, a different IP subnet and a different SSID. Now we want to restrict users of any building from connecting in any other building.

I mean users of building A can only connect in building A and cannot connect to the WLAN when they are in building B or C.

Please advise what encryption/authentication can be used to restrict the users.

We want to implement MAC-based authentication with a pre-shared key if possible.

Thanks & Regards
Syed Murad Ali
ACMP ACMA CCNA
Guru Elite
Posts: 20,808
Registered: ‎03-29-2007

Re: Access Restriction between different SSID's

What are you using for encryption?  WPA2-PEAP or WPA2-PSK?

 

 



Colin Joseph
Aruba Customer Engineering


Super Contributor II
Posts: 354
Registered: ‎09-26-2012

Re: Access Restriction between different SSID's

I can use any encryption method to fulfill this requirement.

Thanks & Regards
Syed Murad Ali
ACMP ACMA CCNA
MVP
Posts: 1,412
Registered: ‎11-30-2011

Re: Access Restriction between different SSID's

Would just creating three SSIDs work for you? One in building 1 with key 1, one in building 2 with key 2 and one in building 3 with key 3.

Of course this only works so long as the keys are kept secret. A more elaborate solution would mean connecting the MAC addresses with the location in some way, not really a nice solution either.

Frequent Contributor I
Posts: 125
Registered: ‎07-06-2010

Re: Access Restriction between different SSID's

802.1x with AP groups is the nice way to do this... It gives you good control and visibility within your wifi network (as you can more easily see who is actually accessing what), and from the sounds of it there are some security concerns. PSK is really not the way to go if security is an issue. Depending on the number of wireless devices, should the key be leaked or a device stolen, it is a real pain to re-key all the devices....

Super Contributor II
Posts: 354
Registered: ‎09-26-2012

Re: Access Restriction between different SSID's

Thanks danstl. I agree with you; PSK is not a solution.

Can you please elaborate on how we can configure 802.1x with AP groups to restrict the access? I tried this but in vain.

Thanks & Regards
Syed Murad Ali
ACMP ACMA CCNA
MVP
Posts: 1,412
Registered: ‎11-30-2011

Re: Access Restriction between different SSID's

What RADIUS solution are you using? I would start with just getting it to work and then focus on adding the location aspect.

Super Contributor II
Posts: 354
Registered: ‎09-26-2012

Re: Access Restriction between different SSID's

We are using Microsoft Windows Server 2008.

MAC-based authentication can also be implemented.

Thanks & Regards
Syed Murad Ali
ACMP ACMA CCNA
Frequent Contributor I
Posts: 125
Registered: ‎07-06-2010

Re: Access Restriction between different SSID's

You have 3 buildings, all with different SSIDs, and you do not want roaming.

You first need to go to your configuration and AP configuration and create a group for each building.

Create your SSIDs for each AP group with the appropriate authentication information (RADIUS).

  • If you want to give more granular access per building (departments/users/groups) you can create specific "server groups" in Security/Authentication/Server Group. And then you can pull the filter ID from your RADIUS server based on AD group membership and apply a role based on just about anything. Pay close attention to order as it is first come first serve....

Once you have your authentication scenarios down, throw a single testing AP into your selected groups for testing (this is done through Configuration/AP Installation). Here you can set up provisioning settings on a per-AP basis, where you can change the AP group the device belongs to.

This is a very "high level" explanation, but should get you started. Obviously test in a small controlled environment before going live with such a major change.

-Dan
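
The per-building server groups and first-match rule order described in the post above, modelled as an added Python example (not part of the thread and not ArubaOS configuration). The Filter-Id values, role names and the deny fallback are assumptions made for the illustration.

```python
# Model of the lookup, not ArubaOS code. All names and values are constructed.
from dataclasses import dataclass

DENY_ROLE = "denyall"  # assumed fallback role when no rule matches

@dataclass
class Rule:
    op: str       # "equals" or "starts-with"
    operand: str  # compared against the RADIUS Filter-Id
    role: str

    def matches(self, filter_id):
        if self.op == "equals":
            return filter_id == self.operand
        if self.op == "starts-with":
            return filter_id.startswith(self.operand)
        raise ValueError(f"unsupported op: {self.op}")

def derive_role(rules, filter_id):
    """First matching rule wins; anything unmatched gets DENY_ROLE."""
    for rule in rules:
        if rule.matches(filter_id):
            return rule.role
    return DENY_ROLE

def shadowed(rules):
    """Rules that can never fire because an earlier rule always matches first."""
    def covers(earlier, later):
        if earlier.op == "equals" and later.op == "starts-with":
            return False  # an exact match cannot cover a whole prefix
        return earlier.matches(later.operand)
    return [r for i, r in enumerate(rules)
            if any(covers(e, r) for e in rules[:i])]

# One ordered rule list per building's server group.
SERVER_GROUPS = {
    "building-a": [Rule("equals", "bldgA-it", "a-it"),
                   Rule("starts-with", "bldgA-", "a-staff")],
    "building-b": [Rule("starts-with", "bldgB-", "b-staff")],
    # Misordered on purpose: the broad rule hides the specific one.
    "building-c": [Rule("starts-with", "bldgC-", "c-staff"),
                   Rule("equals", "bldgC-it", "c-it")],
}

def role_for(ap_group, filter_id):
    """Role a user gets on the SSID served by this building's AP group."""
    return derive_role(SERVER_GROUPS[ap_group], filter_id)
```

Running `shadowed()` over each rule list before a change goes live catches a specific rule that was placed below a broader one.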
