12-19-2011 07:11 AM
Just trying to wrap my head around a configuration and how to implement it. Here is what we want to do:
1 - Place all users connecting to "GUEST-ACCESS" into an isolated VLAN.
2 - Force users to a captive portal, with both guest and authenticated user logins enabled.
3 - Have "guest" users stay in this isolated VLAN with limited access to external sites (as defined by whitelist).
4 - Have "authenticated" users be dropped into an alternate VLAN with access to a broader scope of URLs (as enforced by proxy) and access to VPN/VDI infrastructure.
I have been able to define the "GUEST-ACCESS" ssid and force users to the captive portal. I can configure the whitelist, and prevent guest users from accessing anything else. Unfortunately the objective I am hung up on is #4. I have defined the Role VLAN ID in each of the user roles (authenticated and un-authenticated) however this seems to make no difference. As part of the Virtual AP configuration I set the VLAN to the isolated one (to ensure the clients get DHCP addresses from the isolated VLAN).
Thoughts? Is this possible? Or I am completely out to lunch?
12-19-2011 10:07 AM
First off, from what I have heard, changing a user's VLAN after a CP login doesn't work very well. Most wireless clients won't notice the change, and subsequently they will not do another DHCP request. Therefore they will be stuck with an IP address from the CP default VLAN.
I do, however, have a couple suggestions. You could just use the roles to control what each user has access to, putting them all on the same VLAN. Otherwise, you will need to look into doing a separate SSID for non-guests. Then the question comes down to, do you really want to do CP for your authenticated users? CP should really only be used for guest access. I recommend looking into WPA2-AES with some 802.1x authentication via a RADIUS server.
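As an added illustration of the "same VLAN, roles control access" suggestion above (this is not configuration from the thread or from Aruba's documentation, and it follows ArubaOS 6.x syntax as best recalled), the whole SSID stays in one isolated VLAN while the captive portal drops guest logins into a whitelist-only role and authenticated logins into a role that may reach only the proxy and the VPN/VDI hosts. VLAN 200, all role, ACL and netdestination names, and the hostnames and addresses are placeholders.

```text
! Constructed example. VLAN 200 = isolated BYOD VLAN; names/addresses are placeholders.
netdestination guest-whitelist
  name www.example.com
  name www.example.org
!
netdestination corp-proxy
  host 10.0.0.10
!
netdestination vpn-vdi
  host 10.0.0.20
  host 10.0.0.21
!
! Guest role: DHCP/DNS plus HTTP(S) to whitelisted sites only, everything else denied.
ip access-list session guest-acl
  user any svc-dhcp permit
  user any svc-dns permit
  user alias guest-whitelist svc-http permit
  user alias guest-whitelist svc-https permit
  any any any deny
!
! Authenticated BYOD role: web only via the proxy (port 3128 assumed), HTTPS to VPN/VDI.
ip access-list session byod-auth-acl
  user any svc-dhcp permit
  user any svc-dns permit
  user alias corp-proxy tcp 3128 permit
  user alias vpn-vdi svc-https permit
  any any any deny
!
user-role guest
  access-list session guest-acl
!
user-role byod-authenticated
  access-list session byod-auth-acl
!
! Pre-login role: only the captive portal redirect is reachable.
user-role byod-logon
  captive-portal byod-cp
  access-list session logon-control
  access-list session captiveportal
!
aaa authentication captive-portal byod-cp
  default-role byod-authenticated
  default-guest-role guest
  guest-logon
!
aaa profile byod-aaa
  initial-role byod-logon
!
wlan virtual-ap GUEST-ACCESS
  aaa-profile byod-aaa
  vlan 200
!
```

Because both post-login roles sit in VLAN 200, the client never needs to re-DHCP; the difference between guest and authenticated users is entirely the session ACL attached to the role, which is the part the thread says actually works.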
12-19-2011 11:06 AM
Thanks for the reply!
To clarify, we only want to use CP to support the BYOD device model. We have a separate SSID for our corporate environment that utilizes WPA2-AES with 802.1x for any wireless corporate domain-joined asset but we wanted to keep the personal devices as far away from this as possible and only pinhole specific access.
12-19-2011 11:32 AM
Using 6.1.x code you have the option of using the device fingerprinting option along with the user credentials to put the users on certain device types, like iOS and Android, into a different role. Also if you use Amigopod you can do iOS-specific enrollment with an EAP-TLS certificate: a known user on an unknown iOS device can be allowed to download a certificate onto their personal device and get onto an EAP-TLS network in a role defined by you with whatever privileges you decide.