Wireless Access

Occasional Contributor II

One VLAN, One SSID, One IP Space but Different Roles

Thank you in advance. I'm a little slow. I currently have ClearPass returning a role back to the Aruba controllers and it is working ok. Each of those roles (employee, guest, etc.) is associated with a different VLAN and IP space. But I was curious: Can I just have one SSID, with one VLAN and one IP space, but have ClearPass return a different role which would restrict access? So for example, user1 signs on to the SSID and they get the "guest" role with IP address 192.168.1.5/24. Their role dictates they can only have internet access. Let's say user2 signs on to the same SSID but they get the "employee" role with IP address 192.168.1.6/24. And the employee role dictates they can have internet access plus access to the internal server. Are 192.168.1.5 and 192.168.1.6 isolated from each other? I'm assuming no, and I don't want a potentially virus-infected laptop in the guest role talking to computers in the employee role. But I would like employee computers to be able to talk to each other. It seems I can enable client isolation, but I still want employee devices to be able to talk to each other. I'm just curious if it is best practice to associate a unique VLAN to each role? Thanks!

Guru Elite

Re: One VLAN, One SSID, One IP Space but Different Roles

Generally it's best to keep guests and employees separated by VLAN, but then you can put all employees in the same VLAN and use different roles to differentiate access. You can also deny inter user traffic on the SSID so the users are isolated from each other.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480

Re: One VLAN, One SSID, One IP Space but Different Roles

If you're in the enterprise space or just paranoid, err on the side of caution and use VLAN separation at the very least. You could take it a step further and dump guest into an external firewall (Cisco, Check Point, Palo Alto) zone.

=======================================
If a reply adequately addresses your issue, please click on the "Accept as Solution" and "Give Kudos" button so this information can benefit other users.

Re: One VLAN, One SSID, One IP Space but Different Roles

I would like to add a question to this thread.


I have 3 VLANs. VLAN X and Y are separated, but VLAN Z will allow different "partners" to get access through CPPM Guest, and CPPM will return the proper user role to the controller depending on the credentials.


I am at a loss on how to separate the users from Role A on VLAN Z from Role B on VLAN Z. They share the same IP space...


Pasquale Monardo | Senior Network Solutions Consultant
ACDX #420 | ACMP
[If you found my post helpful, please give kudos!]
Guru Elite

Re: One VLAN, One SSID, One IP Space but Different Roles

If your role is blocking destination traffic to the IP address range that clients are receiving, they cannot send traffic to those devices. If my client range is 192.168.1.x, part of my role will be to block traffic to the 192.168.1.x range, and those clients will not be able to talk.



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base
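To illustrate Colin's approach, here is an added ArubaOS-style role/ACL fragment; it is not from any poster in this thread. The subnet 192.168.1.0/24, the internal server 10.10.10.20, and all names are constructed assumptions, and the session-ACL syntax follows ArubaOS conventions but should be checked against your controller's version. The deny rule uses the VLAN's whole subnet, so the exact DHCP lease a client gets does not matter.

```arubaos
! Constructed example: one VLAN (192.168.1.0/24) shared by guest and employee clients.
! 10.10.10.20 is a placeholder for the internal server.
netdestination client-subnet
  network 192.168.1.0 255.255.255.0
netdestination internal-servers
  host 10.10.10.20

! Guest role: allow DHCP, block the whole client subnet (other guests AND employees)
! and the internal server, then permit everything else (internet).
ip access-list session guest-acl
  user any svc-dhcp permit
  user alias client-subnet any deny
  user alias internal-servers any deny
  user any any permit

! Employee role: same subnet, but peer-to-peer and internal server access stay open.
ip access-list session employee-acl
  user any svc-dhcp permit
  user alias internal-servers any permit
  user any any permit

! ClearPass returns "guest" or "employee" as the user role.
user-role guest
  access-list session guest-acl
user-role employee
  access-list session employee-acl
```

Role ACLs are only enforced on traffic that reaches the controller firewall, so this relies on client traffic being tunneled to the controller rather than bridged locally at the AP; in that case the SSID-wide "deny inter user traffic" option is the blunter alternative.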

Re: One VLAN, One SSID, One IP Space but Different Roles

Ya, agreed. Problem is I don't know what IP ranges I will need to block since users will receive a DHCP address from that VLAN.


Pasquale Monardo | Senior Network Solutions Consultant
ACDX #420 | ACMP
Guru Elite

Re: One VLAN, One SSID, One IP Space but Different Roles

What you do will depend on your actual requirements.



Colin Joseph
Aruba Customer Engineering

