Wireless Access

Reply
Contributor II

How to create a Airplay/print SSID secured for both guests and employees

Hello, we have a large network with many sites that all have Aruba MC and APs. At each of these sites, we have created an Apple Airplay/print SSID for all Apple Devices to connect to. We also have other SSIDs that employees connect to, as well as a Clearpass Guest network. The way the Airplay/print SSID is set up is even though it is a separate SSID, it is still on the same L2 VLAN as the other SSIDs. This way, even if someone is on the other SSID, they can still see the Airplay/print devices and connect to them. 

However, the Guest network has a ACL in place to drop all packets destined for the company internal networks, so it prevents guests who may come to our locations and need to present something to employees using Airplay. 

 

What we would like to do is one of two options:

1) Put an ACL or some other policy in place that prevents anyone/anything that connects to the Airplay/print SSID from accessing the company internal network, but they can see only the Airplay/print devices that are on that SSID/VLAN. (The problem with this is the AP/P devices would be on the company network and have an IP address on the internal LAN, so how would users see this if their traffic to the internal LAN is blocked by the ACL.....and wouldn't an ACL also block the AP/P devices from returning traffic to users who are on the other employee SSID who are trying to connect to it?)

2) Put a policy in place that would proxy the AppleTV traffic across all SSIDs, including the Guest network, so regardless if the AP/P device is on the internal LAN, all traffic to/from any SSID would be allowed....but considering the Guest network ACL, they ONLY thing they would see is the AP/P devices, and no access to anywhere else on the network. 

 

 

How can this be accomplished?

I'm hoping this makes sense. If not, please let me know how I can clarify better. 
Thank you very much. 

Guru Elite

Re: How to create a Airplay/print SSID secured for both guests and employees

You don't need a separate SSID for AirGroup devices.

Through AirGroup device registration, devices will be visible the devices owner or in the case of shared devices, to whoever you want.

The beauty is that "dumb" devices like printers, Chromecasts, AppleTVs, etc can have a different role and different VLAN with different policies attached.

Thanks,
Tim

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Contributor II

Re: How to create a Airplay/print SSID secured for both guests and employees

Do you know of a good guide to set up AirGroup devices?

Guru Elite

Re: How to create a Airplay/print SSID secured for both guests and employees

There are some instructions in the user guide. Are you working with an Aruba partner? It may be good to have a design session with them.


Thanks,
Tim

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Contributor II

Re: How to create a Airplay/print SSID secured for both guests and employees

Yes we do, i will contact them. Thank you very much! 

Search Airheads
cancel
Showing results for 
Search instead for 
Did you mean: