Contributor I
How to segment Guest users where Controller is DHCP server in flat all private network

I have a client with a 7005 controller and a handful of APs. He wants a Guest network that is internet only, without a cert-based captive portal, with internal controller-based DHCP. The client has no public addresses. Everything on his network is in private address space. He has no access to the switches and router (no credentials, and no support contract).

I can set up a DHCP scope for Guest, create a new VLAN on the controller, src-nat it, and build an open WLAN for Guest users. Guest users connect and get an appropriate IP from the new pool. The issue is that the Guest users have access to the controller and the rest of the internal network.

I'm struggling with how to create a new User Role/Firewall Policy that prohibits access to the internal network, which is in the same address space as the controller.

Guru Elite

Re: How to segment Guest users where Controller is DHCP server in flat all private network

Deny all internal IP space in your user role, then put an allowall.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Contributor I

Re: How to segment Guest users where Controller is DHCP server in flat all private network

The entire internal network operates in the 192.168.100.0/24 address space. The WLC/internal servers/all internal networked resources have an IP in this network. The client insisted their wireless employee network use this address space. I explained the hazards, but no dice on compliance.

I created a separate VLAN on the controller for the Guest users, a controller-based DHCP scope, and NATed it. Guest clients work OK. Problem is they can get to everything. I'm not sure how to block internal, except perhaps an 'allow all' to the controller IP (and maybe the firewall interface), and an 'any/any/any deny all' right behind it to block the rest.

Guru Elite

Re: How to segment Guest users where Controller is DHCP server in flat all private network

In the user role for the guest users, you would add a deny-to-internal rule, then an allowall below it.


Thanks,
Tim

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Contributor I

Re: How to segment Guest users where Controller is DHCP server in flat all private network

Very nice. I thought the Block-Inside would kill the connections, but I added it and put it first in that user role, and it works great.

Thanks!

Re: How to segment Guest users where Controller is DHCP server in flat all private network

Make sure you put this in at the top, above that deny:

any any svc-dhcp permit


Otherwise, as clients do a DHCP renew, they will unicast to the DHCP server and it will be blocked.


If my post is helpful please give kudos, or mark as solved if it answers your post.

ACCP, ACCX #817, ACMP, ACMX #294
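The rule order the thread converges on (DHCP permit first, then deny to internal space, then allow all), written out as an added ArubaOS CLI example. This is not configuration from any of the posts above; the 192.168.100.0/24 internal range comes from the thread, while the alias, ACL, role and AAA profile names are hypothetical. It assumes ArubaOS 6.x session-ACL syntax and that the guest VLAN's src-nat is already configured as the original poster describes.

```text
! Added example, not from the thread. Assumed internal space: 192.168.100.0/24.
! Alias, ACL, role and profile names below are hypothetical.

! Alias for everything the guest must not reach (controller, servers, employee WLAN).
netdestination internal-net
  network 192.168.100.0 255.255.255.0
!
! Session ACLs are matched top-down, first match wins.
! 1. DHCP first: renewals are unicast to the DHCP server and would otherwise hit the deny.
! 2. Deny the internal space (includes the controller's own 192.168.100.x address).
! 3. Everything else (the internet, via the src-nat'd guest VLAN) is allowed.
ip access-list session guest-internet-only
  any any svc-dhcp permit
  user alias internal-net any deny
  any any any permit
!
user-role guest-internet-only
  access-list session guest-internet-only
!
! On an open WLAN the initial role is the role guests end up in.
aaa profile guest-open
  initial-role guest-internet-only
!
```

Two checks worth doing after applying it: `show rights guest-internet-only` should list the three rules in exactly that order, and a guest client should still get a lease after its T1 renewal timer expires, not just on first association. One caveat the thread does not cover: if the DNS server guests are handed is itself inside 192.168.100.0/24, name resolution will be blocked by the deny as well, so a `user host <dns-ip> svc-dns permit` line would need to go above the deny (or guests should be given an external resolver in the DHCP scope).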