Contributor I
Posts: 29
Registered: ‎06-04-2012

Guest Access IP address depletion

Hello All

 

I have a corporate customer who is moving to a new building, and below the building there is a university with 1000s of students. The customer is worried that with an open guest SSID, the IP addresses will be depleted fast as the students will try to access the guest SSID.

I don't see any way of getting around this apart from increasing the scope of the DHCP IP address range or pointing the RF away from the student area, etc.

From what I understand, as soon as someone or a student associates with the guest SSID they will get an IP address. How can we avoid students associating to the guest SSID? If this cannot be avoided, is there any other way for the guest SSID in this situation?

The customer is open to ClearPass as an option. This will be a controller-based solution. I would also be interested to know about the Instant version as well.

 

Thanks

Mahathma

 


Guru Elite
Posts: 8,765
Registered: ‎09-08-2010

Re: Guest Access IP address depletion

Nothing will prevent users from associating other than a PSK.

Your best bet is to use a very large private IP space that is NAT'd and has short DHCP leases.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
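Added example, not part of the thread and not Aruba code: a small simulation of how lease length and pool size affect DHCP exhaustion when passing devices associate briefly, as in the advice above. The workload, the pool sizes (250 and 4000 usable addresses) and the assumption that clients renew at half the lease and never send DHCPRELEASE are constructed for illustration.

```python
import heapq

def lease_release_time(arrival, dwell, lease):
    """Second at which the server can hand the address to someone else.

    Assumption: the client renews every lease/2 seconds (the RFC 2131 default
    T1) while in range and never sends DHCPRELEASE when it walks away.
    """
    t1 = lease // 2
    renewals = dwell // t1
    return arrival + renewals * t1 + lease

def simulate(pool_size, lease, clients):
    """clients: iterable of (arrival_s, dwell_s). Returns (peak_leases, denied)."""
    active = []                      # min-heap of lease expiry times
    peak = denied = 0
    for arrival, dwell in sorted(clients):
        while active and active[0] <= arrival:
            heapq.heappop(active)    # expired leases return to the pool
        if len(active) >= pool_size:
            denied += 1              # pool exhausted: no address offered
            continue
        heapq.heappush(active, lease_release_time(arrival, dwell, lease))
        peak = max(peak, len(active))
    return peak, denied

# Constructed workload: one passing device associates every 10 s for two
# hours and stays in range for 2 minutes.
DRIVE_BY = [(t, 120) for t in range(0, 7200, 10)]

def compare():
    return {
        "/24, 8 h lease": simulate(250, 8 * 3600, DRIVE_BY),
        "/24, 15 min lease": simulate(250, 15 * 60, DRIVE_BY),
        "/20, 15 min lease": simulate(4000, 15 * 60, DRIVE_BY),
    }

if __name__ == "__main__":
    for name, (peak, denied) in compare().items():
        print(f"{name:18} peak leases={peak:4} denied={denied}")
```

For clients that leave before their first renewal, peak occupancy is the arrival rate multiplied by the lease length, so the lease time drives how large the pool has to be.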
Guru Elite
Posts: 21,517
Registered: ‎03-29-2007

Re: Guest Access IP address depletion

You can have a large subnet with short leases, and you can configure the local-probe-request threshold and the auth request threshold at 25 or more on that SSID in the advanced properties.  That will allow only people that can be seen at 25 RSSI to associate.

 

The local probe request threshold will only respond to probe requests to clients at X SNR or stronger.

The auth request threshold will only allow users to associate who are at X SNR or stronger.

 

Make them both the same number.  You can increase to 30 if you have enough density in your office and the APs are close to most people.

 




Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor II
Posts: 21
Registered: ‎05-16-2011

Re: Guest Access IP address depletion

If Mahathma's problem is trying to conserve the IP space and/or the air time for legitimate Corporate Guest users, then I totally agree with Tim and Colin.

 

On the other hand, I have come across a situation whereby the Guest Wi-Fi provider denies any more clients to associate to it.  I guess there can be many reasons - e.g. run out of DHCP addresses, the internet pipe is getting congested, etc.  

 

"We are currently experiencing a high level of activity on our network and are unable to connect you to the free public Wi-Fi at this time. We apologise for any inconvenience and ask you to try and connect again shortly."

 

I'm just wondering how we can achieve this design approach?

 

Sometimes I *think* that this is better than having a huge IP space and just trying to facilitate as many people as possible.

 

Thanks in advance.  

 

 

 

 

Guru Elite
Posts: 21,517
Registered: ‎03-29-2007

Re: Guest Access IP address depletion

Kenneth Tai,

 

That makes sense, but it does not deal with the primary issue of "drive by" people consuming resources that legitimate users have a right to.  It does provide a feedback mechanism, though.



Colin Joseph
Aruba Customer Engineering


Occasional Contributor II
Posts: 21
Registered: ‎05-16-2011

Re: Guest Access IP address depletion

Hi Colin,

 

What do I need in order to achieve this type of "feedback mechanism"? A Web Auth Server that takes in some kind of counters/statistics and once the guest users hit the high water mark (upper threshold), the Web Server will not give out the Captive Portal page for the guest users to sign on?

 

Thanks. 

Guru Elite
Posts: 21,517
Registered: ‎03-29-2007

Re: Guest Access IP address depletion

I am not sure that data is exposed in a way that would allow it to be reflected in the web browser.  Maximum users on an SSID is not exposed.  Free DHCP leases is not exposed.  The Captive Portal only does this for controller CPU.  http://community.arubanetworks.com/t5/Controller-Based-WLANs/Why-is-Captive-Portal-Wait-Logon-wait-page-displayed-even-when/ta-p/180738



Colin Joseph
Aruba Customer Engineering
