Wireless Access

Occasional Contributor II

Two SSIDs for guest & Corporate network

Hey all,

 

I have successfully created two SSID broadcasts for my wireless environment.  The first one is an internal network and is fully secure.

The second one is a guest network using a username and password set up in the controller's internal database. The problem is that I cannot figure out how to get the guest wireless to use a different IP range and subnet.  I tried enabling the internal DHCP server, as only a handful of people will be on at any given time, but each time a user connects they still get an IP address of 172.16.X.X, and I want them to get a 10.1.10.X IP address on a different subnet.

The problem is that even though I have one of them set up as internal and the other as guest, I can still ping my internal servers from the guest network, and can still attach to them with the right domain credentials.

Re: Two SSIDs for guest & Corporate network

This is the way you can configure internal DHCP (make sure you don't have more than 256 users on internal DHCP; it is not recommended):

ip dhcp pool Test
  default-router 10.10.20.1
  dns-server 129.64.100.205 129.64.99.205
  lease 0 1 0 0
  network 10.10.20.0 255.255.255.0
  authoritative

 

Read this documentation; it will guide you through configuring your guest network:

http://www.arubanetworks.com/vrd/CampusWNetworksVRD/wwhelp/wwhimpl/js/html/wwhelp.htm

http://www.arubanetworks.com/wp-content/uploads/aos_guestacccess-appnote.pdf

You need to block the internal network from the GUEST role.

Hope this helps

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Occasional Contributor II

Re: Two SSIDs for guest & Corporate network

Thanks so much for your help.  I am pretty close after starting over this morning.

I currently have both my employee and guest wireless networks up and running.  I am not using captive portal for the guest, though.  At this point, my employee network is using WPA2 Enterprise security.  It is authenticating against my RADIUS server, which uses network credentials to log in to the wireless network (assuming they are in my wireless security group in AD).  Its IP range is 172.16.X.X/255.255.240.0.

As far as the guest network, I am just using the controller's internal DHCP server with a 10.10.20.0/255.255.255.0 range, with the internal router being 10.10.20.1.  I am using NAT but disabled Inter-VLAN routing.

I am trying to figure out where to modify the user role "guest" to be blocked from the internal network but cannot seem to find it anywhere.  Obviously, I don't want anyone on the guest network being able to access anything on the internal network.  I started to look for some firewall settings that will only allow HTTP, HTTPS, and DNS for the guest access only but can't find that anywhere either.  Am I just blind, or is this type of stuff hidden deep in the menus?  I am also not opposed to doing everything from the CLI, as that is my preferred environment anyway.

Thanks again for the help you folks have been giving me, by the way.

Re: Two SSIDs for guest & Corporate network

 

1 - Create a netdestination and define the internal network you don't want the guest network to access:

netdestination Internal-Network
  network 172.16.0.0 255.255.0.0

2 - Create an access list to block the access to your internal network:

ip access-list session block-internal-access
  user alias Internal-Network any deny

3 - Create the access list to allow HTTP / HTTPS:

ip access-list session auth-guest-access
  user any svc-http permit position 1
  user any svc-https permit position 2

4 - Assign the access lists to the guest user role:

user-role auth-guest
  access-list session cplogout position 1
  access-list session guest-logon-access position 2
  access-list session block-internal-access position 3
  access-list session auth-guest-access position 4
  access-list session drop-and-log position 5

Hope this helps

 

 

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Frequent Contributor II

Re: Two SSIDs for guest & Corporate network

Each user role is a subset of policies. Each policy is conducted by one or more ACLs.

If you want to check what policy is assigned to a given role, then navigate to Configuration - Access Control and look for the certain role. If you edit this role you can modify the policies (change the order, add a new one, etc.).

If you want to fully block the access to internal networks, then I suggest you create a new policy which consists of 3 deny ACLs:

ip access-list session "block-all-internal"
  alias "user" network 192.168.0.0 255.255.0.0 any deny queue low
  alias "user" network 172.16.0.0 255.240.0.0 any deny queue low
  alias "user" network 10.0.0.0 255.0.0.0 any deny queue low
!

After it is done add the new policy to the role and move it to the top.

By the way the default guest role is built to only allow certain traffic (dns, http, https etc.) - you may check this in the Access Control menu as mentioned above, however, it lacks the policy which blocks the internal traffic.
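As an added check that is not part of the thread, here is a small first-match evaluator in Python that models the two orderings discussed in the replies above: the positioned ACL list in the auth-guest role and the block-all-internal policy moved to the top of the guest role. The rule names, probe addresses and the simplified match model (destination address and port only) are constructed assumptions, not the controller's real ACL engine.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed netdestinations mirroring the three deny entries in the
# "block-all-internal" policy above (all RFC 1918 space).
INTERNAL_NETS = [
    ipaddress.ip_network("192.168.0.0/255.255.0.0"),
    ipaddress.ip_network("172.16.0.0/255.240.0.0"),
    ipaddress.ip_network("10.0.0.0/255.0.0.0"),
]

# One policy entry: (name, destination nets or None for "any",
# destination TCP/UDP port or None for "any", action).
# Rule names are hypothetical; the controller's own syntax is not modelled.
Rule = Tuple[str, Optional[List[ipaddress.IPv4Network]], Optional[int], str]


def guest_policy(block_first: bool) -> List[Rule]:
    """Build the guest role's rule list in first-match order.

    block_first=True is the ordering the thread recommends (deny policy
    at the top); False places the permits ahead of the deny policy.
    """
    block: List[Rule] = [("block-all-internal", INTERNAL_NETS, None, "deny")]
    permit: List[Rule] = [
        ("allow-dns", None, 53, "permit"),
        ("allow-http", None, 80, "permit"),
        ("allow-https", None, 443, "permit"),
    ]
    default: List[Rule] = [("drop-and-log", None, None, "deny")]
    return block + permit + default if block_first else permit + block + default


def evaluate(policy: List[Rule], dst_ip: str, dst_port: int) -> Tuple[str, str]:
    """Return (matching rule name, action) for a guest flow; first match wins."""
    dst = ipaddress.ip_address(dst_ip)
    for name, nets, port, action in policy:
        if nets is not None and not any(dst in n for n in nets):
            continue
        if port is not None and port != dst_port:
            continue
        return name, action
    return "implicit-deny", "deny"  # no explicit match: deny by default


def audit(policy: List[Rule]) -> List[str]:
    """List constructed internal flows a guest could still reach with this ordering."""
    probes = [("172.16.5.10", 443), ("10.10.20.1", 53), ("192.168.1.20", 80)]
    return [f"{ip}:{p}" for ip, p in probes
            if evaluate(policy, ip, p)[1] == "permit"]
```

With the deny policy first, audit() returns an empty list; with the permits first, every probe on an allowed port slips through, which is the ordering mistake the "move it to the top" advice guards against. Note that 10.0.0.0/8 also covers the 10.10.20.0/24 guest pool from earlier in the thread, so the guest gateway 10.10.20.1 is treated as internal here; exempt whatever the controller must serve on that VLAN before applying the deny at the top.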

Occasional Contributor II

Re: Two SSIDs for guest & Corporate network

No wonder nothing you folks are writing is working.  I do not have a PEF license for firewall enforcement.  Do either of you know if it is possible to purchase the license for PEF on an end-of-life 651 controller?

Frequent Contributor II

Re: Two SSIDs for guest & Corporate network

I believe you can order it; however, I definitely suggest you ask your local Aruba sales representatives.

Occasional Contributor II

Re: Two SSIDs for guest & Corporate network

I figured as much... I am wondering... am I able to connect two internet lines to the controller?

One is a fiber line to be used for internal traffic and net access, and the second is a cable modem to be used exclusively for guest internet access only.

I figure if I set up a VLAN on port 5 for the cable modem, using the ISP-provided router for DHCP, I could set up a guest wireless network running independently of the fiber internet line.

On port 4, I configure a separate VLAN, which uses my internal IP and gateway and will use my existing RADIUS server as well as AD to authenticate internal access.

From there, if I disable Inter-VLAN routing, won't that restrict access to the other VLAN anyway?

Is anything I wrote above even possible using more than 1 ISP?
