Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Firewall/Mobility Restriction

  • 1.  Firewall/Mobility Restriction

    Posted Nov 29, 2012 01:59 AM

    Dear Friends,

     

    Your kind help is required. We have deployed Aruba AP 92 with a controller. We have 3 buildings; each building is configured with a different VLAN, different IP subnet and different SSID. Now we want to restrict users of any building so that they cannot connect in any other building.

    I mean users of building A can only connect in building A and cannot connect to the WLAN when they are in building B or C.

    Please advise what encryption/authentication can be used to restrict the users.

    We want to implement MAC-based authentication with a preshared key if possible.

     

    Thank you



  • 2.  RE: Firewall/Mobility Restriction

    EMPLOYEE
    Posted Nov 29, 2012 06:11 AM

    If you are using preshared key, just have a different preshared key for each building....



  • 3.  RE: Firewall/Mobility Restriction

    Posted Nov 29, 2012 08:33 AM

    Is there no option other than this? I mean 802.1X or MAC binding or anything else to do the same.

     

    The problem with a preshared key is that a preshared key cannot be kept confidential.



  • 4.  RE: Firewall/Mobility Restriction

    EMPLOYEE
    Posted Nov 29, 2012 08:37 AM

    Maybe there is a better way to approach what you are trying to accomplish.

     

    What is the business use case?  What devices need to connect?

     



  • 5.  RE: Firewall/Mobility Restriction

    Posted Nov 29, 2012 08:47 AM

    Devices would be laptops and a few mobile phones...

     

    We are deploying this in an institute and the administration wants that students of one hostel can connect to the WLAN from their own campus. They cannot connect to the WLAN when they are in any other campus.



  • 6.  RE: Firewall/Mobility Restriction

    EMPLOYEE
    Posted Nov 29, 2012 08:49 AM

    Do the students have their credentials in Active Directory or LDAP?  Otherwise access will be tied to devices instead of users.

     



  • 7.  RE: Firewall/Mobility Restriction

    Posted Nov 29, 2012 08:53 AM

    Both options can be applied, but the 2nd option would be preferable. Please explain the procedure if available.



  • 8.  RE: Firewall/Mobility Restriction

    EMPLOYEE
    Posted Nov 29, 2012 09:11 AM

    Maintaining MAC addresses (moves, adds and changes) can be a nightmare, so we do not advocate doing that ever.  If you want to do MAC authentication on top of PSK, you need to create three different MAC authentication profiles:

     

    One with "dash" delimiter, one with "colon" delimiter and one with "none" as the delimiter.

     

    Assign the MAC authentication profile with "dash" to the first building, the one with "colon" to the second building and the one with "none" to the third building.  Enter MAC addresses that only need to connect to the first building into the internal database with dashes, MAC addresses that need to connect to the second building with colons, and MAC addresses that need to connect to the third building with no delimiters.

     

    If a user connects on building one, it will check the user's MAC address with the format xx-xx-xx-xx-xx-xx, building two xx:xx:xx:xx:xx:xx and the third building xxxxxxxxxxxx.

     

    The second method involves having a RADIUS server like ClearPass Policy Manager which can use the "Aruba-AP-Group" RADIUS attribute that can be used along with the user's group membership to determine who is allowed to get on.  Microsoft IAS and NPS are not extensible enough to see or act on that attribute.
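
The second method in the post above comes down to one authorization rule: accept a user only when the "Aruba-AP-Group" value in the request matches the AP group their directory group is assigned to. The sketch below is an added example, not part of the original post and not ClearPass code or configuration; the user names, directory groups and AP-group names are constructed, and it covers more than three buildings simply by adding rows to the mapping.

```python
# Added example: a stand-alone model of the authorization decision, not ClearPass code.
# User names, directory groups and AP-group names below are constructed.

# Directory group -> the one AP group (building) its members may join from.
GROUP_TO_AP_GROUP = {
    "hostel-a-students": "hostel-a-aps",
    "hostel-b-students": "hostel-b-aps",
    "hostel-c-students": "hostel-c-aps",
}

# Constructed stand-in for an AD/LDAP lookup: user -> group memberships.
DIRECTORY = {
    "alice": {"hostel-a-students"},
    "bob": {"hostel-b-students"},
    "warden": {"hostel-a-students", "hostel-b-students"},
}


def authorize(request, directory=DIRECTORY, policy=GROUP_TO_AP_GROUP):
    """Return (decision, reason) for a request whose credentials already passed."""
    user = request.get("User-Name", "").strip().lower()
    # Name matching is case-insensitive here; that is a choice of this example.
    ap_group = request.get("Aruba-AP-Group", "").strip().lower()
    if not ap_group:
        # Fail closed: without the attribute the building is unknown.
        return "Access-Reject", "request carries no Aruba-AP-Group"
    groups = directory.get(user)
    if groups is None:
        return "Access-Reject", "user not found in directory"
    allowed = {policy[g] for g in groups if g in policy}
    if ap_group in allowed:
        return "Access-Accept", f"{user} may use {ap_group}"
    return "Access-Reject", f"{user} is not assigned to {ap_group}"


if __name__ == "__main__":
    # Constructed requests, as attribute dictionaries.
    for req in (
        {"User-Name": "alice", "Aruba-AP-Group": "hostel-a-aps"},
        {"User-Name": "alice", "Aruba-AP-Group": "hostel-b-aps"},
        {"User-Name": "bob"},
    ):
        print(req, "->", authorize(req))
```

Because the decision is tied to the user's directory group rather than to a device MAC or a shared key, moving a student between hostels is a single group change.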



  • 9.  RE: Firewall/Mobility Restriction

    Posted Nov 29, 2012 09:27 AM

    You are amazing, cjoseph. It's great. But unfortunately we have 12 hostels. Anyway, thanks for your reply. It's really nice.



  • 10.  RE: Firewall/Mobility Restriction
    Best Answer

    EMPLOYEE
    Posted Nov 29, 2012 09:37 AM

    If you have 12 hostels, just change the username and password every day or every two days, like they would do at a hotel.

     

    I cannot imagine doing it any other way.



  • 11.  RE: Firewall/Mobility Restriction

    Posted Nov 29, 2012 10:17 AM

    Hmm, thank you.