08-04-2016 08:41 AM
I've been referring to some very useful posts in this forum whilst re-working our Wi-Fi setup on our current setup (Aruba6000 controller) and just wanted to sanity check some config details if possible...
The aims of the changes are:
- Provide a BYOD network for users
- NAT all traffic so mobile apps etc. work correctly
- Isolate clients from each other and the rest of the network
- Authenticate using RADIUS to avoid requiring Captive Portal auth i.e. device remembers credentials after first login
I'm using a Windows Server 2012 R2 NPS server to perform the RADIUS authentication and have the appropriate AAA profile set up.
I've then also set up a user role for this BYOD network which is assigned as the default role for the 802.1X section of the AAA profile (may do filtering later on but keeping it simple for now)
In the 802.1X Authentication Profile do the entries for Machine Authentication make any difference? I'm guessing not as that seems to be related to wired auth but wanted to check.
The Role has one Policy applied to it with the following rules. The first rule about udp68 came from Aruba so thought best to replicate it
- user > any - udp68 - deny
- any > any - svc-dhcp - permit
- user > host *default gateway* - any - permit
- any > private network ranges - any - deny
- any > any - any - permit
I know there's also the option to isolate inter-client traffic at VAP level but that also seems to block the gateway so use the Rules to achieve the same effect instead as per some advice on other threads.
I'd then use the firewall to control egress traffic at app level, although I guess I could do it at Aruba level and save some additional traffic going through in the first place.
Any advice would be much appreciated.