New Contributor
Posts: 4
Registered: ‎01-31-2017

Aruba i-225 multiple user authentication on different SSID


Hi,

 

Currently I run two SSIDs, let's call them 'corporate' and 'visitor'. Visitor is authenticated via WPA2, while for 'corporate' users we use WPA2-Enterprise with the internal server. This is the built-in internal database with each user having an individual account. It works great in terms of leavers etc., but recently I have been presented with a new business requirement where a new third SSID 'corporate2' will have to be created. As such, traffic between 'corporate1' and 'corporate2' shall be separated. This can be achieved by a mixture of VLANs and firewall rules. My only concern is that the internal server does not distinguish between Wi-Fi users, therefore login credentials will work for both networks. Is there any clever way to assign users per SSID?

 

Many thanks for your reply,

Pipboy-2000

MVP
Posts: 978
Registered: ‎04-13-2009

Re: Aruba i-225 multiple user authentication on different SSID

Hi,

Unfortunately there are only options for either employee or guest user types in the internal database on Instants. You would need to use a different authentication source to provide the functionality you want.

Do you have Active Directory? You could utilise NPS on Active Directory to authenticate users. Just a thought...
Cheers
James

-------------------------------------------------------
-------------------@whereisjrw-------------------
------------------------blog-------------------------
ACCX #540 | ACMX #353 | ACDX #216
-----------Mobility First Expert #11----------
-------------------------------------------------------

If a reply adequately addresses your issue, please click on the "Accept as Solution" and "Give Kudos" button so this information can benefit other users via search.
New Contributor
Posts: 4
Registered: ‎01-31-2017

Re: Aruba i-225 multiple user authentication on different SSID

Hi James,

 

That's certainly a bummer, especially because we do not have the AD. The AP can handle multiple SSIDs, but WPA2-Enterprise authentication works for all or none. That's not very good for shared office environments etc. However, after a lot of fiddling around, I believe I found a way around the problem. It's not the best possible solution, but I believe it works. Here is what I have done.

1. Users can be identified by the user name created in the internal server, for example 'AAA James', 'ZZZ John' where AAA and ZZZ are the company names.

2. Changed the access level to 'Role-Based' for the network where only ZZZ employees should have access to.

3. Created a new role called 'ZZZ STAFF' and set access rule to 'Deny access to all destinations'

4. Now here is the best part: under role assignment rules I've created a new custom rule where when 'user-name' contains 'ZZZ' assign rule 'ZZZ Staff' (default rule is still active).

 

Now all ZZZ users, who connect to AAA network, will get authenticated cause there is no way around it, but because of the user name containing 'ZZZ' a rule blocking access to all network services will be applied to them, blocking them from accessing any network resource.

 

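An added example, not part of the original post: a small audit that models the "user-name contains 'ZZZ'" role rule from step 4 and flags accounts the substring match would classify differently from the naming convention. The case-sensitive, first-match-wins rule semantics, the helper names and the sample accounts are assumptions made for illustration, not Aruba Instant behaviour confirmed by the thread.

```python
# Assumption: the role rule is a case-sensitive substring match, first match wins.
DEFAULT_ROLE = "default"

def derive_role(username, rules, default=DEFAULT_ROLE):
    """Role the modelled rule set assigns: first rule whose substring occurs."""
    for substring, role in rules:
        if substring in username:
            return role
    return default

def expected_role(username, tag_roles, default=DEFAULT_ROLE):
    """Role intended by the naming convention: company tag is the first word."""
    parts = username.split(maxsplit=1)
    tag = parts[0].upper() if parts else ""
    return tag_roles.get(tag, default)

def audit(usernames, rules, tag_roles):
    """Return (username, derived, expected) for accounts where the two differ."""
    findings = []
    for name in usernames:
        derived = derive_role(name, rules)
        expected = expected_role(name, tag_roles)
        if derived != expected:
            findings.append((name, derived, expected))
    return findings

# Rule configured on the AAA network, as described in steps 3 and 4.
RULES = [("ZZZ", "ZZZ STAFF")]
TAG_ROLES = {"ZZZ": "ZZZ STAFF"}

# Constructed sample accounts (hypothetical).
ACCOUNTS = [
    "AAA James",        # AAA employee: keeps the default role
    "ZZZ John",         # ZZZ employee: gets the deny-all role
    "zzz Mary",         # tag in lower case: rule misses, default role applies
    "AAA ZZZ-liaison",  # AAA employee whose name contains the tag: locked out
]

if __name__ == "__main__":
    for name, derived, expected in audit(ACCOUNTS, RULES, TAG_ROLES):
        print(f"{name!r}: rule assigns {derived!r}, convention expects {expected!r}")
```

Running this kind of check against an export of the internal user list before relying on the rule shows which account names need renaming.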

 

 

 

MVP
Posts: 978
Registered: ‎04-13-2009

Re: Aruba i-225 multiple user authentication on different SSID

Good thinking!

 

You could go one step further to reduce the number of SSIDs (which is always a good thing) by having one corporate SSID and work out which user is from which company by using your method then set the VLAN to be the correct one (like they do in this video).

 


Cheers
James

New Contributor
Posts: 4
Registered: ‎01-31-2017

Re: Aruba i-225 multiple user authentication on different SSID

I'm not sure if that will work in my scenario, since the company is being split into two, so traffic must be separated. I'm using 192.x range for one SSID while 10.x for the other. Traffic is already VLAN tagged depending on which Wi-Fi you're connected to. From there everything is taken care of via VLANs / Firewall rules. It was only the first step I could not easily separate. As they say, where there's a will there's a way.

 

Greetings to a fellow Fallout fan.


 
