Wireless Access

Super Contributor II
Posts: 354
Registered: ‎09-26-2012

Firewall/Mobility Restriction

Dear Friends,

Your kind help is required. We have deployed Aruba AP 92 with a controller. We have 3 buildings; each building is configured with a different VLAN, a different IP subnet and a different SSID. Now we want to restrict users of any building so that they cannot connect in any other building.

I mean users of building A can only connect in building A and cannot connect to the WLAN when they are in building B or C.

Please advise what encryption/authentication can be used to restrict the users.

We want to implement MAC-based authentication with a preshared key if possible.

Thank you

Thanks & Regards
Syed Murad Ali
ACMP ACMA CCNA
Guru Elite
Posts: 21,272
Registered: ‎03-29-2007

Re: Firewall/Mobility Restriction

If you are using a preshared key, just have a different preshared key for each building.



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Super Contributor II
Posts: 354
Registered: ‎09-26-2012

Re: Firewall/Mobility Restriction

Is there no other option than this? I mean 802.1X or MAC binding or anything else to do the same.

The problem with a preshared key is that a preshared key cannot be kept confidential.

Thanks & Regards
Syed Murad Ali
ACMP ACMA CCNA
Guru Elite
Posts: 21,272
Registered: ‎03-29-2007

Re: Firewall/Mobility Restriction

Maybe there is a better way to approach what you are trying to accomplish.

What is the business use case?  What devices need to connect?



Colin Joseph
Aruba Customer Engineering


Super Contributor II
Posts: 354
Registered: ‎09-26-2012

Re: Firewall/Mobility Restriction

The devices would be laptops and a few mobile phones.

We are deploying this in an institute, and the administration wants that students of one hostel can connect to the WLAN from their own campus. They cannot connect to the WLAN when they are in any other campus.

Thanks & Regards
Syed Murad Ali
ACMP ACMA CCNA
Guru Elite
Posts: 21,272
Registered: ‎03-29-2007

Re: Firewall/Mobility Restriction

Do the students have their credentials in Active Directory or LDAP?  Otherwise access will be tied to devices instead of users.



Colin Joseph
Aruba Customer Engineering


Super Contributor II
Posts: 354
Registered: ‎09-26-2012

Re: Firewall/Mobility Restriction

Both options can be applied, but the 2nd option would be preferable. Please explain the procedure if available.

Thanks & Regards
Syed Murad Ali
ACMP ACMA CCNA
Guru Elite
Posts: 21,272
Registered: ‎03-29-2007

Re: Firewall/Mobility Restriction

Maintaining MAC addresses (moves, adds and changes) can be a nightmare, so we do not advocate doing that ever.  If you want to do MAC authentication on top of PSK, you need to create three different MAC authentication profiles:

One with "dash" delimiter, one with "colon" delimiter and one with "none" as the delimiter.

Assign the MAC authentication profile with "dash" to the first building, the one with "colon" to the second building and the one with "none" to the third building.  Enter MAC addresses that only need to connect to the first building into the internal database with dashes, MAC addresses that need to connect to the second building with colons, and MAC addresses that need to connect to the third building with no delimiters.

If a user connects in building one, it will check the user's MAC address with the format xx-xx-xx-xx-xx-xx, building two xx:xx:xx:xx:xx:xx and the third building xxxxxxxxxxxx.

The second method involves having a RADIUS server like ClearPass Policy Manager, which can use the "Aruba-AP-Group" RADIUS attribute along with the user's group membership to determine who is allowed to get on.  Microsoft IAS and NPS are not extensible enough to see or act on that attribute.



Colin Joseph
Aruba Customer Engineering
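
The decision the second method describes, as an added example that is not part of the original post and is not ClearPass configuration: a RADIUS policy combines the "Aruba-AP-Group" attribute from the request with the user's directory group membership. The AP group names, directory groups, users and function names are constructed for illustration, and case-insensitive matching of names is an assumption.

```python
# Added illustration (not ClearPass configuration). All names are constructed.
# POLICY maps the AP group reported in Aruba-AP-Group to the directory groups
# whose members may connect from APs in that group. More hostels = more rows.
POLICY = {
    "hostel-a": {"students-hostel-a", "wardens"},
    "hostel-b": {"students-hostel-b", "wardens"},
    "hostel-c": {"students-hostel-c", "wardens"},
}

# Constructed directory data standing in for an AD/LDAP group lookup.
DIRECTORY = {
    "asha": ["Students-Hostel-A"],
    "bilal": ["students-hostel-b"],
    "warden1": ["wardens"],
}

def authorize(request, user_groups, policy=POLICY):
    """Decide admission for an already-authenticated user.

    request: dict of attributes from the RADIUS Access-Request.
    user_groups: directory groups of the user named in User-Name.
    Returns (decision, reason). Names are compared case-insensitively
    (an assumption of this example).
    """
    ap_group = request.get("Aruba-AP-Group", "").strip().lower()
    if not ap_group:
        # Fail closed: without the attribute the building is unknown.
        return "Access-Reject", "Aruba-AP-Group missing"
    allowed = policy.get(ap_group)
    if allowed is None:
        return "Access-Reject", "AP group %r has no policy entry" % ap_group
    matched = allowed & {g.strip().lower() for g in user_groups}
    if not matched:
        return "Access-Reject", "no group allowed at %r" % ap_group
    return "Access-Accept", "member of %r" % sorted(matched)[0]

def decide(user, ap_group=None, directory=DIRECTORY):
    """Build a constructed request for `user` and return only the decision."""
    request = {"User-Name": user}
    if ap_group is not None:
        request["Aruba-AP-Group"] = ap_group
    return authorize(request, directory.get(user, ()))[0]

if __name__ == "__main__":
    for user, ap in [("asha", "hostel-a"), ("asha", "hostel-b"),
                     ("warden1", "hostel-c"), ("bilal", None)]:
        print(user, ap, decide(user, ap))
```

Because access follows the user's group rather than the device, moving a student to another hostel is a directory change and no MAC list has to be maintained.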


Super Contributor II
Posts: 354
Registered: ‎09-26-2012

Re: Firewall/Mobility Restriction

You are amazing, cjoseph. It's great. But unfortunately we have 12 hostels. Anyway, thanks for your reply. It's really nice.

Thanks & Regards
Syed Murad Ali
ACMP ACMA CCNA
Guru Elite
Posts: 21,272
Registered: ‎03-29-2007

Re: Firewall/Mobility Restriction

If you have 12 hostels, just change the username and password every day or every two days, like they would do at a hotel.

I cannot imagine doing it any other way.



Colin Joseph
Aruba Customer Engineering
