Wireless Access

Contributor II

No Web Access SSID Legacy devices

I am in the process of creating what I call a service SSID. The purpose of this network is to allow staff to enroll Chromebooks into the Google console and Apple devices into the DEP program, and to connect Windows machines to the domain, and also to allow legacy and non-dot1x devices onto the network with a password. The key to this is that there is no web access.

 

I have gotten the list of ports needed to enroll devices, allow printing, and other network functions (tftp, ftp, telnet, and so on). Should the last policy in the list be (user any svc-web [80,8080] deny)?

 

 

Brian Warren

Re: No Web Access SSID Legacy devices

As I understand, you want to allow ports x, y, z and then deny all the other ports?

If that is so:

Just build a role which has a policy in which you allow access to the ports you need, and that's it. There is an implicit deny all at the end; port 80 will be denied by this implicit policy.

 

If you only want to deny ports 80 and 8080, then in the first rule you deny those ports, and then permit all the other ports. It all depends on what you want to do.

 

Cheers

Carlos

----------------------------------------------------
Product Manager - Aruba Networks
Alternetworks Corp
Contributor II

Re: No Web Access SSID Legacy devices

Thanks. This is my first attempt at doing something like this.
Brian Warren

Re: No Web Access SSID Legacy devices

I can upload some examples later if you are not clear.

Just let me know.

 

Cheers

Carlos

----------------------------------------------------
Product Manager - Aruba Networks
Alternetworks Corp
Contributor II

Re: No Web Access SSID Legacy devices

I would love to see the examples.

 

Thanks

Brian Warren

Re: No Web Access SSID Legacy devices

Hello

Okay, if you want only to allow some ports, for example if I am just allowing the DHCP ports, I'll do this:

[image: Capture.PNG]

With the implicit deny all, it will deny all the other ports, so you just need to do that.

 

 

Now if you want to deny, for example, the web ports (80, 443) and allow all the other ports, I would do this:

[image: Capture1.PNG]

 

You see that I added an any-any permit at the end; that will allow all ports and all destinations, but since the deny for the web service ports comes before it, those ports will be denied.

 

Cheers

Carlos

----------------------------------------------------
Product Manager - Aruba Networks
Alternetworks Corp
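The two policies in Carlos's screenshots both rely on first-match evaluation with an implicit deny at the end of the list. The Python below is an added illustration, not code from this thread or from Aruba: it models that evaluation for the allow-list policy, for the "deny web first, then permit any" policy, and for the ordering mistake a newcomer is most likely to make (permit any placed before the deny, which makes the deny unreachable). The service-to-port mappings, the `Rule`/`Flow` types and the sample flows are constructed for the example; in particular, treating svc-web as TCP 80/443 plus the 8080 from the original question is an assumption, not the real ArubaOS alias definition.

```python
"""First-match session ACL evaluation with an implicit trailing deny (illustrative model)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed service aliases for this example. On a real controller the aliases
# are netservice objects; the port sets here are assumptions for illustration.
SERVICES = {
    "svc-dhcp": {("udp", 67), ("udp", 68)},
    "svc-dns": {("udp", 53), ("tcp", 53)},
    "svc-web": {("tcp", 80), ("tcp", 443), ("tcp", 8080)},
}


@dataclass(frozen=True)
class Rule:
    source: str   # "user" (the client's own address) or "any"; all flows here originate from the user
    dest: str     # "any" or a destination host
    service: str  # an alias in SERVICES, or "any"
    action: str   # "permit" or "deny"


@dataclass(frozen=True)
class Flow:
    dst: str
    proto: str
    port: int


def rule_matches(rule: Rule, flow: Flow) -> bool:
    """A rule matches when both its destination and its service cover the flow."""
    if rule.dest != "any" and rule.dest != flow.dst:
        return False
    if rule.service == "any":
        return True
    return (flow.proto, flow.port) in SERVICES[rule.service]


def evaluate(policy: List[Rule], flow: Flow) -> Tuple[str, Optional[int]]:
    """Return (action, index of the rule that decided it).

    Rules are checked top to bottom and the first match wins. If nothing
    matches, the implicit deny at the end of the policy applies (index None).
    """
    for index, rule in enumerate(policy):
        if rule_matches(rule, flow):
            return rule.action, index
    return "deny", None


def _covers(earlier: Rule, later: Rule) -> bool:
    """True when every flow the later rule could match is already matched earlier."""
    dest_covered = earlier.dest == "any" or earlier.dest == later.dest
    if earlier.service == "any":
        service_covered = True
    elif later.service == "any":
        service_covered = False
    else:
        service_covered = SERVICES[later.service] <= SERVICES[earlier.service]
    return dest_covered and service_covered


def unreachable_rules(policy: List[Rule]) -> List[int]:
    """Indices of rules that can never fire because an earlier rule shadows them."""
    shadowed = []
    for j, later in enumerate(policy):
        if any(_covers(policy[i], later) for i in range(j)):
            shadowed.append(j)
    return shadowed


# Policy 1: allow only what is needed; everything else hits the implicit deny.
ALLOW_LIST = [
    Rule("user", "any", "svc-dhcp", "permit"),
    Rule("user", "any", "svc-dns", "permit"),
]

# Policy 2: block the web ports, then permit everything else (Carlos's second screenshot).
DENY_WEB_FIRST = [
    Rule("user", "any", "svc-web", "deny"),
    Rule("user", "any", "any", "permit"),
]

# Policy 3: the same two rules in the wrong order; the deny is never reached.
PERMIT_FIRST_MISTAKE = [
    Rule("user", "any", "any", "permit"),
    Rule("user", "any", "svc-web", "deny"),
]

if __name__ == "__main__":
    web = Flow("10.0.0.5", "tcp", 80)      # constructed sample flow: HTTP to an internal host
    dhcp = Flow("10.0.0.1", "udp", 67)     # constructed sample flow: DHCP to the server
    for name, policy in [("allow-list", ALLOW_LIST), ("deny-web-first", DENY_WEB_FIRST),
                         ("permit-first", PERMIT_FIRST_MISTAKE)]:
        print(name, "web:", evaluate(policy, web), "dhcp:", evaluate(policy, dhcp),
              "unreachable:", unreachable_rules(policy))
```

Running the script shows the point of the thread: under the allow-list, port 80 is denied with no explicit rule at all (the implicit deny does it), so a trailing `svc-web deny` would be redundant; under the deny-first policy port 80 is rejected by rule 0 while other ports pass; and in the swapped order rule 1 is reported as unreachable because the permit-any above it already matches every flow, which is the misconfiguration worth checking for before the policy is attached to a role.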
Contributor II

Re: No Web Access SSID Legacy devices

OK, I have found out that to enroll the device into Apple DEP the web ports need to be allowed. The device hits Apple.com in some fashion and is recognized. It is then sent to our internal server for enrollment. But it does not use our internal IP (I do not think). Somehow it is allowed for enrollment. How do I configure this and not allow the user to surf to other sites and just connect to the production network? (redirect to a portal) Or can you take devices by OS that are not allowed on the production network and send them to Apple.com?

Brian Warren