Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Guest vouchering from controller in an IAP environment

  • 1.  Guest vouchering from controller in an IAP environment

    Posted Mar 14, 2014 10:38 AM

    Hello community,

    In an IAP installation, I can create a guest network using the internal server to create user accounts.

    The problem is that the vouchers cannot be restricted in terms of time.

    Although there is a large installation across many sites of IAP clusters managed by AirManager, only the headquarters needs to have the ability to create guest vouchers (like 10 a day, so ClearPass would be too oversized).

    I know that a mobility controller has the functionality of restricting the accesses in terms of time.

    I was thinking of two solutions:

    - Could the IAP cluster in the headquarters be connected to a controller (VPN would not be needed but maybe GRE) just for the task of creating vouchers? (VPN tab in UI)

    - Could the mobility controller serve as an external database for guests of an IAP network? ("Configuring External Captive Portal Authentication when Adding a Guest Network" is the point in the user guide)

    BR

    rolfo333



  • 2.  RE: Guest vouchering from controller in an IAP environment



  • 3.  RE: Guest vouchering from controller in an IAP environment

    Posted Mar 14, 2014 11:07 AM

    Hi Michael,

    You have tested on a guest-only network.

    What if the IAP cluster is not guest only?

    I have seen in your description that the actual guest network is configured with an employee profile on the IAP.

    Does this affect any other employee SSIDs which do not actually need to have anything to do with the controller at all?

    BR

    rolfo333



  • 4.  RE: Guest vouchering from controller in an IAP environment

    EMPLOYEE
    Posted Mar 14, 2014 05:20 PM

    The intention of that design was for guest only. You can also do dot1x as well though.

    If the controller is on the same site as the IAPs that's probably not a problem.