Wireless Access

New Contributor

Internal DB

Hello,

I've a Controller 6000. We have 2 SSIDs: one for guests and one for staff. The guest SSID has limitations and staff have full privileges. I want both guests and staff to authenticate using the internal DB. Can I separate the internal DB into two groups? The current problem is that guest users can access the staff SSID.

Thanks in advance

Aruba Employee

Re: Internal DB

It is not possible, as far as I know, to have more than one internal database. You can, however, just use different roles in the database, i.e. one for Guest and one for Staff.

My suggestion, though, would be to look into setting up a FreeRADIUS server. This runs on Linux. Move your Staff accounts over there, and use the internal database for Guest only.

 

Zach

Thanks,

Zach Jennings
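An added illustration of the split suggested above (example configuration written for this thread, not Zach's or Aruba's own): a FreeRADIUS `users` file that holds staff accounts and, on a successful authentication, returns a role and a VLAN to the controller. The usernames, password, role name and VLAN ID are constructed placeholders. `Aruba-User-Role` is Aruba's vendor-specific RADIUS attribute from the `dictionary.aruba` shipped with FreeRADIUS, and the `Tunnel-*` attributes are the standard RFC 3580 VLAN-assignment attributes. The role name must match a role configured on the controller, and the RADIUS server must be placed in the server group used by the Staff SSID while the Guest SSID keeps using the internal database.

```text
# /etc/raddb/users  (FreeRADIUS "users" file) - constructed example entries.
# Staff accounts live here; guest accounts stay in the controller's internal DB.

# Staff user: the Access-Accept carries an Aruba role and a VLAN assignment.
alice   Cleartext-Password := "CHANGE_ME_example_only"
        Aruba-User-Role = "staff",
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = "10"

# A second staff user in a different department, same role, different VLAN.
bob     Cleartext-Password := "CHANGE_ME_example_only"
        Aruba-User-Role = "staff",
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = "20"

# Anyone not listed above is rejected. A guest account that exists only in the
# controller's internal DB therefore cannot authenticate to the Staff SSID.
DEFAULT Auth-Type := Reject
        Reply-Message = "Not a staff account"
```

The point of the `DEFAULT` entry is that the Staff SSID's server group no longer contains the internal database at all, so the separation is enforced by which server answers, not by a role check after login. Check the result with `radtest` against the server and confirm in the controller's user table that the returned role and VLAN are applied.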
Contributor I

Re: Internal DB

Are you using captive portal login for both? Do the networks get routed to different VLANs, or are they both on the same VLAN with different user roles and access?

It is definitely possible to adjust the user role within the internal DB to determine what access the user has (just as was previously mentioned).

--
Jeremy R. Wirtz
WLAN Systems Engineer
New Contributor

Re: Internal DB

Hello,

 

I have run into this situation before. You cannot separate the users in the database; however, you can apply a role to the guest user account within the internal database. Let's just say Guest_role is the role for now.

Also create a dead-end VLAN. That is a VLAN without a gateway or DHCP.

You can then create a separate captive portal authentication profile for your internal users. This is important because we are going to be using a user derivation rule.

In the server group, specify internal, and add a user derivation rule. The rule will read: if user role equals Guest_role, set VLAN to # (dead end).

This will ensure that any user who logs in to the employee network with a guest account will go nowhere.

 

Hope this makes sense.

New Contributor

Re: Internal DB

Hi All,

 

Thanks for the replies. The Guest SSID will have a different VLAN from the Staff SSID, but both are using the internal DB. I'm afraid that when a guest tries to connect to the Staff SSID using the internal DB, the guest can access everything. That's why I want to separate the users. I want guest users to be unable to log in to the Staff SSID. Any idea?

Thanks

Guru Elite

Re: Internal DB

Since you are using the internal database, does it mean that all the staff are sharing the same username and password? Is it possible instead to use LDAP for staff and the internal database for guests? That would provide the separation that you need.

Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Aruba Employee

Re: Internal DB


ndai wrote:

Hi All,

 

Thanks for the replies. The Guest SSID will have a different VLAN from the Staff SSID, but both are using the internal DB. I'm afraid that when a guest tries to connect to the Staff SSID using the internal DB, the guest can access everything. That's why I want to separate the users. I want guest users to be unable to log in to the Staff SSID. Any idea?

Thanks


Simple solution. Create a role called "guest_user" or some other role name you choose for guests. Then in that user role, set the VLAN to what you want guests to be on. Then in the internal DB, set the role of those guest users to "guest_user". That way, even if they log onto the Staff SSID, they still will get on the guest vlan. Of course, this all assumes that you are using WPA2-AES (at least for the Staff SSID), and not open or WEP.

 

You could even take this a step further and only use one SSID (again WPA2-AES). Then use the roles to determine what VLAN people get onto once they connect. As long as you are small, say fewer than 20 users, this probably won't be difficult to keep track of. However, once you exceed a manageable size, you really should look into LDAP or RADIUS.

Thanks,

Zach Jennings
New Contributor

Re: Internal DB

Dear Gents,

I've the same problem. Is there any document which illustrates how I can have different VLAN assignments (different IPs based on internal departments) using the same SSID, based on the local Aruba DB?

 

Guru Elite

Re: Internal DB

This original post is from 2011, and it is talking about using the internal database for different sets of people. In 2011 it was acceptable to enter MAC addresses of devices into a database to allow people to get on the network.

It is now 2017, and users should be authenticated using usernames and passwords with either LDAP or 802.1X.

In 2011, it was acceptable to give all users a different VLAN per department, because somehow it made sense. It is now 2017, and an IP address and a VLAN are simply ways to get traffic to and from the user; you do not have to have a complex VLAN scheme simply to get users in different departments onto the network. You only need one VLAN, really.



Colin Joseph
Aruba Customer Engineering
