Occasional Contributor I

Different VLANs&Groups on internal DB

Hi Everybody, 

I've got a couple of 7210 controllers and a bulk of IAP103 + AirWave 8.x.

What does my customer want:

- SSID1. For guest and service stuff. MAC + PSK authorization at internal DB. No access to internal resources and some bandwidth limits.

- SSID2. For employers. MAC + PSK authorization at internal DB. Without bandwidth limits but with content filtering.

- SSID3. For management. MAC + PSK authorization at internal DB. No limits&filtering 

1. Users should not be able to connect to "wrong" SSID, e.g. guest from SSID1 should not be able to connect to SSID3. 

2. "Wrong" users (without registered MACs) should not be able to get in even having PSK

3. All traffic shaping and content filtering tasks will be performed on Cisco ASA+FireSight.   

4. I have no outside RADIUS/TACACS/LDAP/AD server and PEFNG license:(

Is there any solution to do like that? 

My idea is to use different MAC authentication profiles with different delimiters. Thus, I will (I hope:)) have 3 virtually "different" MAC bases in internal DB and will be able to set up different User Derivation Rules based on MAC for different SSIDs.

I'd like to know whether it will work.

Is there some "straight" and documented way or any good ideas to try?

Thanks a lot in advance!


BR

Alex 
Guru Elite

Re: Different VLANs

This will work but will not scale well. You'll have to sync the internal database via AirWave and you run the risk of maxing out the internal database. 

An available solution would be ClearPass and PEFNG.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480

Re: Different VLANs&Groups on internal DB

I would look into using 802.1X (NPS if they can't afford ClearPass) and use role derivation to get them in the right VLANs and institute filtering for the proper users. Then you can cut the management overhead of one SSID out of the mix. Most people try to keep it down to 2 SSIDs when possible, and I always strongly urge my customers and explain the implications of more SSIDs and the performance hits they incur with each additional one.
ACDX #419 | ACMP |
Occasional Contributor I

Re: Different VLANs

Thank you for your help and fast reply!

What is the maximum capacity of Internal DB? I will have up to 1000 users. Will it be enough to work as a temporary solution (until PEFNG and RADIUS are installed)?

BR

Alex

Guru Elite

Re: Different VLANs

8,192 entries


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
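As an added illustration, not code from this thread, from Aruba or from AirWave, here is a small Python model of the scheme Alex proposes in the opening post (one MAC-auth profile per SSID, each with its own delimiter, so the same MAC renders as a different internal-DB username per SSID) together with the 8,192-entry capacity Tim quotes in the last reply. The SSID names, PSKs, roles, the way a delimiter is applied to the MAC, and the sample MACs are all constructed assumptions; the point is to show why distinct delimiters keep the three MAC bases apart, why a MAC registered for SSID1 is rejected on SSID3 even with the right PSK, and how quickly the shared entry budget is consumed.

```python
"""Model of per-SSID MAC authentication against one shared internal DB.

Constructed example; not the controller's actual data model or CLI.
"""
import re

INTERNAL_DB_MAX = 8192  # entry cap quoted in the thread

# Assumption: each SSID has its own MAC-auth profile whose delimiter decides
# how the client MAC is rendered as the username looked up in the internal DB.
# PSKs and roles below are placeholders.
SSIDS = {
    "SSID1": {"delimiter": "-", "psk": "guest-psk-placeholder", "role": "guest"},
    "SSID2": {"delimiter": ":", "psk": "staff-psk-placeholder", "role": "employee"},
    "SSID3": {"delimiter": "",  "psk": "mgmt-psk-placeholder",  "role": "management"},
}


def normalize_mac(mac):
    """Strip any separators and return the 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def db_username(mac, delimiter):
    """Render a MAC the way a profile with this delimiter would submit it."""
    digits = normalize_mac(mac)
    return delimiter.join(digits[i:i + 2] for i in range(0, 12, 2))


class InternalDb:
    """One shared user store keyed by the delimiter-specific username."""

    def __init__(self, ssids):
        delims = [s["delimiter"] for s in ssids.values()]
        if len(set(delims)) != len(delims):
            # Two profiles with the same delimiter would share one MAC base,
            # and a guest MAC would then be valid on both SSIDs.
            raise ValueError("every SSID needs a distinct delimiter")
        self.ssids = ssids
        self.users = {}

    def register(self, ssid, mac):
        """Add a device for one SSID; every SSID draws on the same entry budget."""
        if len(self.users) >= INTERNAL_DB_MAX:
            raise OverflowError("internal DB full")
        cfg = self.ssids[ssid]
        self.users[db_username(mac, cfg["delimiter"])] = cfg["role"]

    def authenticate(self, ssid, mac, psk):
        """Return the derived role, or None when PSK or MAC lookup fails."""
        cfg = self.ssids[ssid]
        if psk != cfg["psk"]:
            return None
        # The lookup key depends on the SSID's delimiter, so a MAC registered
        # under SSID1's profile is simply absent when SSID3 asks for it.
        return self.users.get(db_username(mac, cfg["delimiter"]))

    def remaining_capacity(self):
        return INTERNAL_DB_MAX - len(self.users)


def demo():
    """Register one guest and one management device, then try the four cases."""
    db = InternalDb(SSIDS)
    db.register("SSID1", "AA:BB:CC:11:22:33")   # constructed guest device
    db.register("SSID3", "AA:BB:CC:AA:BB:CC")   # constructed management device
    return {
        "guest_on_ssid1": db.authenticate("SSID1", "aa-bb-cc-11-22-33", SSIDS["SSID1"]["psk"]),
        "guest_on_ssid3": db.authenticate("SSID3", "aa-bb-cc-11-22-33", SSIDS["SSID3"]["psk"]),
        "unknown_mac": db.authenticate("SSID1", "00:11:22:33:44:55", SSIDS["SSID1"]["psk"]),
        "wrong_psk": db.authenticate("SSID1", "aa:bb:cc:11:22:33", "wrong"),
        "remaining": db.remaining_capacity(),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The `remaining_capacity` figure is the scaling point Tim raises: every device on every SSID is one entry in the same store, so 1000 users with several devices each move towards the cap faster than the user count alone suggests, and the check in `register` is the failure mode to watch for when AirWave syncs the database.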