Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

SSID for CORPORATE with no PUBLIC Access via Central

  • 1.  SSID for CORPORATE with no PUBLIC Access via Central

    Posted Jul 24, 2016 10:10 PM

    Greetings,

    Sorry for the newbie question, but I'm having confusion on config.

    I'm trying to simulate 3 SSIDs via Aruba Central: (a) Corporate with public access, (b) Guest with public access, (c) Corporate with no public access * on which I'm having difficulty getting an IP address whenever a user connects *.

    On (a), I used "network assigned" to provide IP addresses from a separate DHCP (internal), while I used "virtual controller assigned" on guest, which is also working. On the 3rd SSID, please see the results of my attempts below:

    1st attempt:

    employee>network assigned>passphrase> allow any to 172.16.0.0 (internal network) and deny to all destinations

    --still the user can't get any IP or access to the internal network.

    2nd attempt:

    employee>virtual controller assigned>passphrase>deny any except to 172.16.0.0

    --still the user can't get any IP or access to the internal network.

    Seems basic, but what could be the best access policy for this?

    Any suggestions will be greatly appreciated. Thank you :)

     



  • 2.  RE: SSID for CORPORATE with no PUBLIC Access via Central

    Posted Jul 25, 2016 03:20 AM

    What type of DHCP are you using for the 3rd SSID? You don't seem to specify that.

    Have you tried adding a rule allowing DHCP client traffic to any range? See if it makes a difference. If it does, try making a packet capture of the DHCP protocol and see which address is answering. If it doesn't, check the firewall to the DHCP server or check the configuration of the scope.

    Kind regards,

    jcelis



  • 3.  RE: SSID for CORPORATE with no PUBLIC Access via Central

    Posted Jul 25, 2016 03:50 AM

    Thank you for your response, jcelis.

    I used "network assigned" on the 3rd SSID (same as on the 1st SSID). I also tried using virtual-controller (hoping the user can get an IP even from the IAP itself) while modifying the network access policy, like deny all except to a network 172.16.0.0, but still no good.

    As for DHCP, the 3rd and 1st SSIDs get their IPs from the same DHCP scope on an external server, since it's network assigned, while I'm trying to block the public access of the 3rd SSID by applying network-based access rules from the Central/IAP side.

     



  • 4.  RE: SSID for CORPORATE with no PUBLIC Access via Central

    Posted Jul 25, 2016 04:11 AM

    OK, try allowing DHCP traffic to any destination and put it first.

    Something like:

     

    user any udp 68  deny (blocking user as dhcp server)

    user any svc-dhcp allow

     

     



  • 5.  RE: SSID for CORPORATE with no PUBLIC Access via Central

    Posted Jul 25, 2016 04:29 AM

    Can those policies be implemented here in Central?

    Capture.JPG



  • 6.  RE: SSID for CORPORATE with no PUBLIC Access via Central
    Best Answer

    Posted Jul 25, 2016 04:55 AM

    Yes, they should be in the ACL list for that SSID.
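
Why the suggestion in post 4 puts the DHCP rules first, shown as an added example that is not part of the thread and is not Aruba configuration syntax: a simplified first-match rule evaluator run over constructed packets. The /16 mask on 172.16.0.0, the treatment of svc-dhcp as UDP 67-68, and all names in the code are assumptions.

```python
import ipaddress
from typing import NamedTuple

class Rule(NamedTuple):
    dst: str      # destination CIDR, or "any"
    proto: str    # "udp", "tcp" or "any"
    lo: int       # destination port range, inclusive
    hi: int
    action: str   # "permit" or "deny"

class Packet(NamedTuple):
    dst: str
    proto: str
    dport: int

def matches(rule, pkt):
    if rule.dst != "any" and \
       ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(rule.dst):
        return False
    if rule.proto not in ("any", pkt.proto):
        return False
    return rule.lo <= pkt.dport <= rule.hi

def evaluate(rules, pkt):
    """First matching rule decides; nothing matching means deny."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "deny"

# Post 1, first attempt: allow to the internal network, deny the rest.
# The /16 mask is an assumption; the thread only gives 172.16.0.0.
ATTEMPT = [Rule("172.16.0.0/16", "any", 0, 65535, "permit"),
           Rule("any", "any", 0, 65535, "deny")]
# Post 4: block clients answering as DHCP servers, then allow DHCP, first.
# svc-dhcp is modelled as UDP 67-68 (assumption).
FIXED = [Rule("any", "udp", 68, 68, "deny"),
         Rule("any", "udp", 67, 68, "permit")] + ATTEMPT

# Constructed sample packets as sent by a wireless client.
SAMPLES = {
    "DHCPDISCOVER (broadcast)": Packet("255.255.255.255", "udp", 67),
    "rogue DHCP reply":         Packet("255.255.255.255", "udp", 68),
    "internal file share":      Packet("172.16.5.10", "tcp", 445),
    "public web site":          Packet("203.0.113.10", "tcp", 443),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:26} attempt={evaluate(ATTEMPT, pkt):6} "
              f"fixed={evaluate(FIXED, pkt)}")
```

In this model the broadcast DHCPDISCOVER never matches the 172.16.0.0 permit, so the client gets no lease under the first attempt; with the DHCP rules on top it is permitted while public destinations stay denied.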