Occasional Contributor II
Posts: 19
Registered: ‎08-16-2011

Guest vouchering from controller in an IAP environment

Hello community,

In an IAP installation, I can create a guest network using the internal server to create user accounts.

The problem is that the vouchers cannot be restricted in terms of time.

Although there is a large installation across many sites of IAP clusters managed by AirManager, only the headquarters needs to have the ability to create guest vouchers (like 10 a day, so ClearPass would be too oversized).

 

I know that a mobility controller has the functionality of restricting access in terms of time.

I was thinking of two solutions:

- Could the IAP cluster at the headquarters be connected to a controller (VPN would not be needed but maybe GRE) just for the task of creating vouchers? (VPN tab in UI)

- Could the mobility controller serve as an external database for guests of an IAP network? ("Configuring External Captive Portal Authentication when Adding a Guest Network" is the point in the user guide)

BR

rolfo333

Aruba
Posts: 1,284
Registered: ‎08-29-2007

Re: Guest vouchering from controller in an IAP environment

Yes. See my post/tutorial here.

http://community.arubanetworks.com/t5/Unified-Wired-Wireless-Access/Tutorial-Guest-only-solution-using-IAP-GRE-tunnel-with/m-p/147880


If my post is helpful please give kudos, or mark as solved if it answers your post.

ACCP, ACMP, ACMX #294
mclarke@arubanetworks.com
Occasional Contributor II
Posts: 19
Registered: ‎08-16-2011

Re: Guest vouchering from controller in an IAP environment

Hi Michael,

You have tested on a guest-only network.

What if the IAP cluster is not guest only?

I have seen in your description that the actual guest network is configured with an employee profile on the IAP.

Does this affect any other employee SSIDs which actually do not need to have anything to do with the controller at all?

 

BR

rolfo333

Aruba
Posts: 1,284
Registered: ‎08-29-2007

Re: Guest vouchering from controller in an IAP environment

The intention of that design was for guest only. You can also do dot1x as well though.

If the controller is on the same site as the IAPs that's probably not a problem.

