Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Different Captive portal logins for different SSID

  • 1.  Different Captive portal logins for different SSID

    Posted Oct 17, 2013 01:12 PM

    Hi

    I have two SSIDs: one is "Client", the other is "Guest".

    Both SSIDs are on different VLANs and have different firewall rules applied.

    They both use captive portal and the built-in Aruba user database.

    The problem that arises is that if I create a new user, they can log into both SSIDs.

    Is there a way, or is this a limitation?

    Thanks



  • 2.  RE: Different Captive portal logins for different SSID

    EMPLOYEE
    Posted Oct 17, 2013 01:51 PM

    If you are using the internal database for users, you cannot control what users in the internal database can connect to what SSID.  You would have to use a separate internal database for that separation.



  • 3.  RE: Different Captive portal logins for different SSID

    Posted Oct 17, 2013 01:54 PM

    How do you create a separate internal database for users and specify which SSID uses what Database?



  • 4.  RE: Different Captive portal logins for different SSID

    EMPLOYEE
    Posted Oct 17, 2013 01:55 PM

    You cannot do that.  You can only have a single internal database.  It is really only meant for guests.  Your corporate users, what do they use to login to their computers?



  • 5.  RE: Different Captive portal logins for different SSID

    Posted Oct 17, 2013 02:31 PM

    Our staff use RADIUS for authentication on VLAN 1, but we have two types of guests. We have business guests that need access to VPNs, email, web, etc., but no access to the corporate network, so I put them on VLAN 2; sometimes it's a one-off. Then we have clients/patients with very restricted web access, and they are on VLAN 3, also isolated.

    How would this best be accomplished?



  • 6.  RE: Different Captive portal logins for different SSID

    EMPLOYEE
    Posted Oct 17, 2013 05:03 PM

    @Labellep25 wrote:

    Our staff use RADIUS for authentication on VLAN 1, but we have two types of guests. We have business guests that need access to VPNs, email, web, etc., but no access to the corporate network, so I put them on VLAN 2; sometimes it's a one-off. Then we have clients/patients with very restricted web access, and they are on VLAN 3, also isolated.

    How would this best be accomplished?


    Okay.  You can create users in the local database that have two different roles:  One will be for business guests and the other will be for clients/patients...  When they authenticate at the Captive Portal, they will get their assigned role, based on who they are.  Their roles will have the firewall restrictions that you mention above.
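
Added example (not part of the original post and not ArubaOS code): a small Python model of the arrangement described above, with one shared internal database, a role stored per user, and first-match firewall rules attached to each role. The role names, accounts, passwords, address ranges and ports are constructed assumptions.

```python
import hmac
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")
CORPORATE = ipaddress.ip_network("10.0.0.0/8")  # assumed corporate range

# Constructed role policies: first match wins, implicit deny at the end.
# Rule: (action, destination network, protocol, port); None matches anything.
ROLE_POLICY = {
    "business-guest": [
        ("deny", CORPORATE, None, None),
        ("permit", ANY, None, None),      # VPN, email, web, etc.
    ],
    "patient-guest": [
        ("deny", CORPORATE, None, None),
        ("permit", ANY, "udp", 53),       # DNS
        ("permit", ANY, "tcp", 80),       # restricted web only
        ("permit", ANY, "tcp", 443),
    ],
}

# One shared internal database: each account carries its own role.
INTERNAL_DB = {
    "visitor-acme": {"password": "constructed-pw-1", "role": "business-guest"},
    "patient-0042": {"password": "constructed-pw-2", "role": "patient-guest"},
}

def captive_portal_login(ssid, username, password):
    """Return the user's role, or None on bad credentials.

    The SSID is deliberately unused: with a single internal database the
    credential check is the same on every SSID.
    """
    user = INTERNAL_DB.get(username)
    if user is None or not hmac.compare_digest(user["password"], password):
        return None
    return user["role"]

def is_permitted(role, dst_ip, proto, port):
    """Evaluate the role's rule list top-down; unknown roles and no match deny."""
    dst = ipaddress.ip_address(dst_ip)
    for action, net, r_proto, r_port in ROLE_POLICY.get(role, []):
        if dst in net and r_proto in (None, proto) and r_port in (None, port):
            return action == "permit"
    return False
```

In this model a patient account is accepted on either SSID but receives the same restricted role both times, so the separation comes from the role's rules rather than from which SSID was joined.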

     



  • 7.  RE: Different Captive portal logins for different SSID

    Posted Oct 17, 2013 05:04 PM

    One thing you could try is to use the GuestUser:source option in your Enforcement policy

     

    GuestUser:source EQUALS <name of the registration page>
    or
    GuestUser:source NOT_EQUALS <name of registration page>

    This value gets created based on the Guest Self-Registration page your user registers against.

     

    This might be one method to separate users stored in the Internal database. It's been a while since I tried this though so I am not sure if this is still valid.

     

     

    Cheers



  • 8.  RE: Different Captive portal logins for different SSID

    EMPLOYEE
    Posted Oct 17, 2013 05:42 PM

    Bourne,

     

    I don't think he has ClearPass at this time...



  • 9.  RE: Different Captive portal logins for different SSID

    Posted Oct 17, 2013 05:55 PM

    Well then ignore all that I said!

    I'm an idiot :smileyindifferent:

     

    Cheers



  • 10.  RE: Different Captive portal logins for different SSID

    EMPLOYEE
    Posted Oct 17, 2013 05:56 PM

    Hey that's usually my line..... :)



  • 11.  RE: Different Captive portal logins for different SSID

    Posted Oct 17, 2013 11:24 PM

    I'm assuming ClearPass is another licence?  I'm running a 3200 controller with a branch office 651, 7 RAP5 and 4 RAP2.



  • 12.  RE: Different Captive portal logins for different SSID

    EMPLOYEE
    Posted Oct 18, 2013 01:59 AM

    ClearPass is a different appliance or VM for Guest access, OnBoarding, NAC, RADIUS, and TACACS+; it's not built into the controller.

     

    http://www.arubanetworks.com/products/clearpass/?click=footer



  • 13.  RE: Different Captive portal logins for different SSID

    Posted Oct 18, 2013 07:55 AM

    I'll Kudos that cjoseph!

     

    Highly recommended to check out ClearPass if you can. It is a great product and will complement your setup, I am sure!

     

    Cheers



  • 14.  RE: Different Captive portal logins for different SSID

    Posted Oct 17, 2013 08:46 PM
    Haha.... Hopefully you don't mind sharing.... I've already had my fair share of idiot moments.. :D


  • 15.  RE: Different Captive portal logins for different SSID

    EMPLOYEE
    Posted Oct 17, 2013 09:05 PM
    Bourne,

    It is not IF you have those moments, but when.

    You know what they call people who have those moments earlier than anyone else? Experts :)