New Contributor

Restrict access via Roles on one SSID

Hi all,

first of all, I am all new to the Aruba stuff, as for the last couple of years I was a wireless engineer at a Cisco-only partner. So there might be 1-3 things I am still missing, but here is what I want to do:

We have 17 IAPs (Mgmt network: 192.168.2.0/24) broadcasting 3 SSIDs at two locations:

- Company-Guests - Captive Portal
- Company-Location1 (broadcast only at Location 1...) - PSK
- Company-Location2 (broadcast only at Location 2...) - PSK

Also we have two kinds of clients for the location SSIDs:

- Tablets - restrict internet access
- everything else - no restrictions

 

What I want to implement is that when a client connects to the SSID, the default role restricts access to local resources (192.168.1.0/24), and only clients that are allowed (as there is not much fluctuation, we thought we would add their MACs manually to the internal server) are allowed to access everything.

Tried to edit the default role and configured "Deny any except to a network" - devices can't connect anymore.

Tried to configure a "Role assignment rule" with several attributes that could reference the internal users, but unfortunately this does not work the same way as MAC authentication. Right?

Code: 6.4.4.8

I know that this is not the best way to do it, but the customer wants to keep the PSK the same, while on the other hand it has been shared quite a lot...

Thanks for any response and idea in advance!

Guru Elite

Re: Restrict access via Roles on one SSID

You could change the role (which contains the firewall policies) of a device using DHCP fingerprinting: http://community.arubanetworks.com/t5/Controller-less-WLANs/DHCP-FINGERPRINTING-WITH-Aruba-Instant/ta-p/183272

This would identify the operating system following DHCP and assign a firewall policy based on that.

You can also create a role and test moving devices into that role using the "aaa user add" command: http://community.arubanetworks.com/t5/Controller-Based-WLANs/What-is-the-command-to-force-an-instant-role-change/ta-p/183966

******************
Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.
******************
New Contributor

Re: Restrict access via Roles on one SSID

Hey Colin,

thanks for the reply. I tested DHCP fingerprinting, but it seems this is not consistent. When I disconnect and reconnect, my iPhone gets the default role. From the "AP User Log" I can see that no DHCP option is communicated.

What I got to work is blocking the traffic to the internet and still getting devices to connect to my SSID by additionally allowing DHCP to any... although it is in the same subnet and I have a rule allowing any to the subnet.

Any ideas how I get the role assignment to work every single time?

Kind regards,

Phillipp

Guru Elite

Re: Restrict access via Roles on one SSID

If a device is in the user table already, DHCP fingerprinting will probably not happen. You should use the "disconnect-user" command when you remove a device to make sure that device is not in the user table before you test: http://www.arubanetworks.com/techdocs/Instant_423_WebHelp/InstantWebHelp.htm#CLI_commands/disconnect_user.htm?Highlight=disconnect

New Contributor

Re: Restrict access via Roles on one SSID

But what do I do when a user disconnects and reconnects in a short period of time? The fingerprinting worked for me the first time I connected the device to the SSID, but when I disconnect and reconnect, no fingerprinting is done and I get full access.

Guru Elite

Re: Restrict access via Roles on one SSID

Re-reading your posts...

- You should be allowing DHCP to any any in all of your roles for things to work properly.
- You should not be blocking traffic to the internet.
- The disconnect-user tip is only really for testing, to ensure that there is no state information that will affect your testing after you disconnect.
- A client should obtain a DHCP address every time and should have some sort of DHCP fingerprint.
- What version of Instant is this, and what are your rules?

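The one concrete lesson in this thread, that a first-match role ACL needs an explicit DHCP permit ahead of a "permit only the local subnet, deny everything else" pair, can be checked with a small model. The Python below is an added illustration written for this page; it is not Aruba Instant's firewall engine and not code from anyone in the thread. The rule syntax, the simplified first-match evaluation with an implicit deny at the end, and the sample destinations (255.255.255.255 for the initial DHCP DISCOVER, 192.168.1.1 for a unicast renewal to an assumed in-subnet DHCP server, 192.168.1.10 for a local share, and 203.0.113.10 from the documentation range as a stand-in for an internet host) are all assumptions chosen to mirror the situation described above.

```python
"""Simplified first-match role ACL evaluator (added illustration, not Aruba's engine)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    dst: str                     # "any" or an IPv4 network in CIDR form
    proto: str = "any"           # "any", "udp" or "tcp"
    dport: Optional[int] = None  # destination port; None means any port


@dataclass(frozen=True)
class Packet:
    name: str
    dst_ip: str
    proto: str
    dport: int


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """True when every field the rule constrains agrees with the packet."""
    if rule.dst != "any":
        net = ipaddress.ip_network(rule.dst, strict=False)
        if ipaddress.ip_address(pkt.dst_ip) not in net:
            return False
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule wins; an unmatched packet hits the implicit deny."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return "deny"


def evaluate_all(rules: List[Rule], pkts: List[Packet]) -> Dict[str, str]:
    return {p.name: evaluate(rules, p) for p in pkts}


# The thread's first attempt: "deny any except to a network", modelled as two rules.
RESTRICTED_BROKEN = [
    Rule("permit", "192.168.1.0/24"),
    Rule("deny", "any"),
]

# What the thread arrived at: permit DHCP (client -> server, UDP/67) to any
# destination before the subnet rule, then deny the rest.
RESTRICTED_FIXED = [
    Rule("permit", "any", proto="udp", dport=67),
    Rule("permit", "192.168.1.0/24"),
    Rule("deny", "any"),
]

# Constructed sample traffic (assumed addresses, see lead-in).
DHCP_DISCOVER = Packet("DHCP DISCOVER (broadcast)", "255.255.255.255", "udp", 67)
DHCP_RENEW = Packet("DHCP unicast renew", "192.168.1.1", "udp", 67)
LOCAL_SHARE = Packet("local file share", "192.168.1.10", "tcp", 445)
INTERNET_HTTPS = Packet("internet HTTPS", "203.0.113.10", "tcp", 443)
SAMPLE = [DHCP_DISCOVER, DHCP_RENEW, LOCAL_SHARE, INTERNET_HTTPS]

if __name__ == "__main__":
    for label, role in (("broken", RESTRICTED_BROKEN), ("fixed", RESTRICTED_FIXED)):
        for name, verdict in evaluate_all(role, SAMPLE).items():
            print(f"{label:6} {name:28} -> {verdict}")
```

Run stand-alone, the "broken" role permits the unicast renewal and the local share but drops the broadcast DISCOVER, which is why a client that has never held a lease on that SSID cannot get an address at all, while one that still holds a lease may keep working until it expires; that asymmetry is what makes a missing DHCP permit look intermittent. The "fixed" role passes both DHCP cases and the local share and still denies the internet host, which is the behaviour the second post in the thread describes.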