Wireless Access

Occasional Contributor II
Posts: 16
Registered: ‎06-22-2016

SSID for CORPORATE with no PUBLIC Access via Central

Greetings,

Sorry for the newbie question but I'm having confusion on config.

 

I'm trying to simulate 3 SSIDs via Aruba Central: (a) Corporate with public access, (b) Guest with public access, (c) Corporate with no public access *which I'm having difficulty in getting IP address whenever user connects*.

 

On (a), I used "network assigned" to provide I.P address separate DHCP (internal), while I used "virtual controller assigned" on guest, which is also working. On 3rd SSID, please see result of attempts below:

 

1st attempt:

employee>network assigned>passphrase> allow any to 172.16.0.0(internal network) and deny to all destination

--still user can't get any I.P and access on internal network.

 

2nd attempt:

employee>virtual controller assigned>passphrase>deny any except to 172.16.0.0

--still user can't get any I.P and access on internal network.

 

Seems basic, but what could be the best access policy for this?

 

Any suggestions will be greatly appreciated. Thank you :)

 

MVP
Posts: 109
Registered: ‎01-05-2015

Re: SSID for CORPORATE with no PUBLIC Access via Central

What type of DHCP are you using for the 3rd SSID? You don't seem to specify that. 

 

Have you tried adding a rule allowing DHCP client traffic to any range? See if it makes a difference. If it does, try making a packet capture of the DHCP protocol and see which address is answering. If it doesn't, check firewall to DHCP server or see configuration of scope.

 

Kind regards,

 

jcelis

Occasional Contributor II
Posts: 16
Registered: ‎06-22-2016

Re: SSID for CORPORATE with no PUBLIC Access via Central

Thank you for your response, jcelis.

 

I used "network assigned" on 3rd SSID (same on 1st SSID). I also tried using virtual-controller (hoping user can get an I.P even from IAP itself) while modifying the network access policy like deny all except to a network 172.16.0.0, but still no good.

 

As per DHCP, 3rd and 1st SSIDs get their IPs from the same DHCP scope from an external server since it's network assigned, while trying to block the public access of 3rd SSID through applying network-based access rules from Central/IAP side.

 

MVP
Posts: 109
Registered: ‎01-05-2015

Re: SSID for CORPORATE with no PUBLIC Access via Central

Ok, try allowing DHCP traffic to any destination and put it first.

 

Something like:

 

user any udp 68  deny (blocking user as dhcp server)

user any svc-dhcp allow
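The rule ordering suggested above, as an added example that is not part of the original post and is not Aruba's own code: a simplified first-match ACL model showing why a broadcast DHCP DISCOVER is dropped by an "allow to 172.16.0.0, deny all" policy and passes once the DHCP rules come first. The /16 mask, the reading of `svc-dhcp` as UDP 67-68, and all sample packets are assumptions constructed for illustration.

```python
import ipaddress

# Simplified first-match ACL model (assumption: not the Instant AP's real engine).
# The thread gives only "172.16.0.0"; the /16 mask is assumed.
INTERNAL = ipaddress.ip_network("172.16.0.0/16")
ANY = ipaddress.ip_network("0.0.0.0/0")

def rule(proto, dst, ports, action):
    # ports is an inclusive (low, high) destination-port range, or None for any
    return {"proto": proto, "dst": dst, "ports": ports, "action": action}

# First attempt from the thread: allow to internal network, deny everything else.
ORIGINAL = [
    rule("any", INTERNAL, None, "allow"),
    rule("any", ANY, None, "deny"),
]

# Suggested fix: DHCP rules first, then the original rules.
FIXED = [
    rule("udp", ANY, (68, 68), "deny"),   # user any udp 68 deny
    rule("udp", ANY, (67, 68), "allow"),  # user any svc-dhcp allow (assumed UDP 67-68)
] + ORIGINAL

def evaluate(acl, proto, dst_ip, dst_port):
    """Return the action of the first matching rule; implicit deny if none match."""
    dst = ipaddress.ip_address(dst_ip)
    for r in acl:
        if r["proto"] not in ("any", proto):
            continue
        if dst not in r["dst"]:
            continue
        if r["ports"] and not (r["ports"][0] <= dst_port <= r["ports"][1]):
            continue
        return r["action"]
    return "deny"

# Constructed sample packets, as sent by a wireless client in the user role.
SAMPLES = {
    "dhcp discover": ("udp", "255.255.255.255", 67),  # broadcast, no IP yet
    "rogue offer": ("udp", "172.16.10.50", 68),       # client acting as DHCP server
    "internal web": ("tcp", "172.16.10.20", 443),
    "public web": ("tcp", "203.0.113.10", 443),
}

if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL), ("fixed", FIXED)):
        for label, pkt in SAMPLES.items():
            print(f"{name:9} {label:14} -> {evaluate(acl, *pkt)}")
```

Swapping the two DHCP rules in this model lets the broader allow match first, so the port 68 deny never takes effect.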

 

 

Occasional Contributor II
Posts: 16
Registered: ‎06-22-2016

Re: SSID for CORPORATE with no PUBLIC Access via Central

Can those policies be implemented here in Central?

Capture.JPG

MVP
Posts: 109
Registered: ‎01-05-2015

Re: SSID for CORPORATE with no PUBLIC Access via Central

Yes, they should be in the ACL list for that SSID.
