Frequent Contributor II

Restrict Captive Portal - Internal Database & Bandwidth Contracts

We are using a 3200XM controller running 6.3.1.4. We've got two different SSIDs, both of which are using Captive Portal (no ClearPass). Authentication is the internal database. Let's call one SSID "Guest" & the other "Employee". What can I do to prevent guests from logging into the crew captive portal and vice versa? The reason we want two separate SSIDs is that we have an upstream device that restricts bandwidth out to the internet based on the VLAN.

The alternative we tried was to combine the two into one captive portal (one VLAN) & then use a different role for "guest" clients and "employee" clients. This works fine for authentication, however it does NOT allow us to restrict bandwidth like we need to. The lowest you can set a bandwidth contract is 256Kb and we need to go lower than that. 

 

Thoughts?

Network Engineer | Airhead | Titus 3:5
Guru Elite

Re: Restrict Captive Portal - Internal Database & Bandwidth Contracts

If your network is so small that you can combine all of your users into the internal database, you should use a single Captive Portal. Adding a different SSID just increases wifi contention and does not buy you anything. You cannot go lower than 256k, because even a 512k bandwidth contract is almost unusable. I am not sure there is a way to reject users from the internal database based on role.



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Frequent Contributor II

Re: Restrict Captive Portal - Internal Database & Bandwidth Contracts

The reason we've needed two SSIDs is so that "employees" & "guests" are in separate VLANs. If there was a way to reliably assign them to different VLANs while using 1 SSID, then I'd do it. Based on what I've read, clients do not take well to renewing DHCP once authenticated via CP.

Network Engineer | Airhead | Titus 3:5
Frequent Contributor II

Re: Restrict Captive Portal - Internal Database & Bandwidth Contracts

Any other thoughts or suggestions on this? I'm curious if anyone else has tried to use two different captive portals with one internal database and how they handled roles/permissions.

Network Engineer | Airhead | Titus 3:5
Guru Elite

Re: Restrict Captive Portal - Internal Database & Bandwidth Contracts

The internal database is only intended for small deployments with a single captive portal. There are external options if you have more than one set of users that are trying to get on. If you have employees, why don't you authenticate them against whatever employee database you have like AD, otherwise, just treat everyone like guests...?



Colin Joseph
Aruba Customer Engineering


Frequent Contributor II

Re: Restrict Captive Portal - Internal Database & Bandwidth Contracts

cjoseph, using AD is actually a pretty good idea. We do have a single Server 2012 DC running AD. The majority of the devices are either iDevices or Apple Macs. Do you think we could still leverage AD authentication for that?

Network Engineer | Airhead | Titus 3:5
Guru Elite

Re: Restrict Captive Portal - Internal Database & Bandwidth Contracts

Yes. You can add it as a RADIUS or LDAP server.



Colin Joseph
Aruba Customer Engineering


Frequent Contributor II

Re: Restrict Captive Portal - Internal Database & Bandwidth Contracts

I'm definitely going to look into this as an option. I guess I assumed that configuring that would be more trouble than it's worth, but it may be the key to getting this ironed out.

Network Engineer | Airhead | Titus 3:5
Guru Elite

Re: Restrict Captive Portal - Internal Database & Bandwidth Contracts

You should go all the way and configure NPS with 802.1X for your employees. You don't want them to have their data unprotected.


Colin Joseph
Aruba Customer Engineering


Frequent Contributor II

Re: Restrict Captive Portal - Internal Database & Bandwidth Contracts

Well, this is a unique environment. It's actually a very large boat. The crew tend to come & go & we need to make adding/removing/changing devices very simple. :-)

Network Engineer | Airhead | Titus 3:5