Wireless Access

Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

block IP on particular AP

  • 1.  block IP on particular AP

    Posted Apr 10, 2015 02:50 AM

    Hi,

     

    We have a little thing I'd like to know if it's possible with Aruba. First let me fill you in on the situation here.

    We have some departments that were forbidden (by the HR director) to listen to streaming radio, but not everyone (some departments are allowed to listen). However, there's one particular person that keeps on listening (on a pretty loud volume). So I blocked his username on our (non-Aruba) firewalls. That worked, but now he uses different usernames and different Windows 8 tablets as a workaround. This means we are always one step behind.

    All over our company there are the same 2 SSIDs. The person that's "rebelling" is always on the same AP. Now my question is if it's possible to block a public IP on one particular AP? It can't be blocked all over the company, just on the one AP. (the "rebel" is always streaming from the same public IP)

     

    Thanks for your feedback!



  • 2.  RE: block IP on particular AP

    Posted Apr 10, 2015 04:18 AM

    Hi,

     

    You can configure a role and map a policy which will block that specific traffic (Service or App). Now map this role to the department which is not supposed to access the Radio service. Another workaround is to try an AP-specific configuration.

     

    Please feel free to ask if you need some more help on this.



  • 3.  RE: block IP on particular AP

    Posted Apr 10, 2015 05:43 AM

    Thanks for your reply.

     

    Correct me if I'm wrong, but when you apply a role, this gets applied to an entire SSID, correct?

    If so, then that is not an option: the SSIDs are the same all over the company and some other departments are allowed to stream. It's only on one AP - that broadcasts the same SSIDs - that the IP needs to be blocked.

    Is that possible?

     

    Thanks!



  • 4.  RE: block IP on particular AP

    Posted Apr 10, 2015 05:56 AM

    Hi,

     

    First of all, are you using any external authentication server? If yes, and if you are using servers like CPPM or NPS, we can configure something called SDR (Server Derived Role): when a user authenticates, based on his user group (for example), the server will return a role to the controller and the controller will map that role to that user.

    Ex: Dept 1 -- Allow all, Dept 2 -- Allow all except Radio.

    Role 1 -- Allow all, Role 2 -- No Radio, allow all policies

    Now when a user from Dept 1 logs in, the server will return a role called Role1 and the user will be allowed access as per the Role 1 policy. Similarly, when a user from Dept 2 logs in, the server will return Role2 and the user will be allowed to access the network as per Role 2.

     

    Hope you got some more clarity; if not, please feel free to come back.



  • 5.  RE: block IP on particular AP

    Posted Apr 10, 2015 07:41 AM

    Hi,

     

    We have 2 SSIDs:

    - users get authenticated through a RADIUS server (with a user/machine certificate) ==> this one is already ok by our firewalls

    - users get authenticated through a WPA2 key (user traffic follows another way) ==> this is the one my question is about

     

    So if I understand correctly, we should use a workaround for this:

    1) I should duplicate the roles and add the radio part.

    2) Then I need to apply those duplicated roles to that one AP.

    3) Finally the original VAPs need to be excluded from that AP.

     



  • 6.  RE: block IP on particular AP

    Posted Apr 10, 2015 08:27 AM

    Hi, 

    There are two ways to achieve this.

    1. Through SDR (Server Derived Role), which is the highly recommended method, because you are using RADIUS for authentication.

    2. Create a separate VAP with all desired restrictions (through AAA profile and default role) and map that to a specific AP.

     

    If you need some help on the first method, please share your actual scenario or open a TAC ticket.

     

    Please feel free to ask for any further help on this.



  • 7.  RE: block IP on particular AP
    Best Answer

    Posted Apr 10, 2015 10:02 AM

    Hi,

     

    I managed to make it work by doing the following:

    Exclude the original VAP on the AP, create a new VAP with the same role (same SSID, but) +1 rule, and add it to the particular AP.

    Tests seemed positive.

     

    Thanks for the help!
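
The setup from the best answer above, sketched as an added ArubaOS 6.x controller CLI example (not part of the original thread and not any poster's actual configuration). All ACL, role, profile and AP names are hypothetical, `203.0.113.10` is a documentation placeholder for the streaming host's public IP, and the existing PSK VAP is assumed to be `psk-vap` using SSID profile `psk-ssid`, VLAN 20 and a role built on the predefined `allowall` ACL.

```text
! Constructed example; every name below is hypothetical.
!
! 1) The "+1 rule": deny traffic from wireless clients to the streaming host.
ip access-list session deny-radio-host
  user host 203.0.113.10 any deny
!
! 2) Copy of the existing role with the deny ACL listed first.
!    Session ACLs are evaluated in order and the first match wins,
!    so the deny must come before allowall.
user-role psk-role-noradio
  access-list session deny-radio-host
  access-list session allowall
!
! 3) AAA profile that hands the restricted role to clients of the PSK SSID.
aaa profile psk-aaa-noradio
  initial-role psk-role-noradio
!
! 4) New VAP reusing the same SSID profile, so clients still see the same SSID.
wlan virtual-ap psk-vap-noradio
  ssid-profile psk-ssid
  aaa-profile psk-aaa-noradio
  vlan 20
!
! 5) On the one AP only: drop the original VAP and add the restricted one.
ap-name "AP-Dept2"
  exclude-virtual-ap psk-vap
  virtual-ap psk-vap-noradio
!
```

Every other AP keeps `psk-vap` from its AP group, so clients there are unaffected; `show rights psk-role-noradio` on the controller lists the resulting rule order.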