Controllerless Networks


Instant Mode - the controllerless Wi-Fi solution that's easy to set up, is loaded with security and smarts, and won't break your budget

How safe are dynamic VLANs on the same SSID

  • 1.  How safe are dynamic VLANs on the same SSID

    Posted Jan 05, 2022 09:58 AM
    Just switched a School District over to Aruba and have a question:

    We offer a class in Cyber Security where the students are using laptops loaded up with all the software you don't want on your network (packet sniffers, pen testing, port scanners, etc.)  Right now I have them on their own SSID which is statically assigned to their own VLAN and walled off from the rest of the network.

    In the interest of cutting back on the number of SSIDs, I'm considering giving them their own MPSK (Local) for the primary SSID and using Dynamic (Role-Based) VLAN assignment to dump them off in the appropriate VLAN... If they are connected to the same SSID but using a different key, is there any possibility that they can access the primary network?  It seems to me that this MIGHT be safe since the traffic is encrypted differently, but I wanted to get some opinions before I went any further.

    Thank you.


  • 2.  RE: How safe are dynamic VLANs on the same SSID

    EMPLOYEE
    Posted Jan 05, 2022 06:31 PM
    With MPSK you can have the IoT devices/users in different VLANs and then apply various access policies based on the user role.
    Check this tutorial on AOS10 and MPSK.

    https://community.arubanetworks.com/community-home/digestviewer/viewthread?GroupId=7&MessageKey=52a23f14-0303-4615-b3ab-3bd0b65f225e



    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba.
    ------------------------------



  • 3.  RE: How safe are dynamic VLANs on the same SSID

    MVP EXPERT
    Posted Jan 05, 2022 07:04 PM
    Hi Ariyap,

    Aruba MPSK works together with Aruba ClearPass.

    1. The Aruba controller does a MAC authentication to ClearPass (not the client).
    2. ClearPass looks up the client MAC address in the Guest Module under Devices.
    3. In the Guest Module each client MAC address has its own PSK and Role assigned in the Device database.
    4. ClearPass answers with a RADIUS packet to the controller to instruct which PSK must be allowed for this MAC address.
    5. ClearPass answers with a RADIUS packet to the controller to instruct which VLAN the client must be placed in (based on its role and the policy decision).

    I think the MAC address can be spoofed, but you always need to know the PSK bound to this MAC address, which is unique. And as long as the MAC address and PSK are used together, you always get back the same PSK, Role and VLAN in the RADIUS response to the controller.

    Back to the authentication phases on the controller:
    1. 802.11 association
    2. 802.11 authentication
    3. MPSK Process
    4. PSK exchange / 4-way handshake
    5. Assign VLAN/Role
    6. Layer 3 DHCP request

    The way dynamic VLANs themselves work is safe: the RADIUS traffic happens between the controller and ClearPass in the management VLAN (not visible to the client). ClearPass instructs the controller which VLAN must be used for the client, based on the ClearPass policy. When the management VLAN is untrusted you can also use RadSec to encapsulate and encrypt the RADIUS traffic.

    MPSK is most often used for IoT devices (devices that don't support 802.1X, for example older printers, cameras, etc.). In my opinion it's less suitable for guest or BYOD devices because you have to register each MAC address in the database, which can easily overwhelm your service desk. For BYOD-like devices, Aruba ClearPass Onboard is more suitable, where unmanaged clients can use EAP-TLS (certificate-based) authentication, which is the holy grail / most secure authentication method we know these days.

    ------------------------------
    Marcel Koedijk | MVP Guru 2021 | ACEP | ACMP | ACCP | ACDP | Ekahau ECSE | Not an HPE Employee | Opinions are my own
    ------------------------------
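As an added illustration of the MAC-to-PSK binding described in this answer (example code, not from the thread or from Aruba): a Python model in which the AP looks up the client's MAC address in a constructed device table, derives the WPA2 PMK and PTK from the PSK bound to that MAC using the standard PBKDF2 and PRF-384 formulas, and verifies the 4-way handshake MIC before handing out the role and VLAN. A client that spoofs another device's MAC but only holds its own key fails the MIC check and is never placed in that device's VLAN. The SSID, MAC addresses, keys and the simplified EAPOL frame body are constructed sample values.

```python
import hashlib, hmac, os

SSID = b"district-wifi"  # constructed sample SSID (PBKDF2 salt for the PMK)

# Constructed stand-in for the ClearPass Guest device database from the thread:
# MAC address -> (PSK bound to that MAC, role, VLAN)
DEVICE_DB = {
    "aa:bb:cc:00:00:01": ("cyber-lab-key-2022", "cyber-lab", 250),
    "aa:bb:cc:00:00:02": ("staff-printer-key", "iot-printer", 30),
}

def pmk_from_psk(psk, ssid):
    # WPA2 passphrase -> PMK: PBKDF2-HMAC-SHA1, 4096 rounds, 32 bytes
    return hashlib.pbkdf2_hmac("sha1", psk.encode(), ssid, 4096, 32)

def prf384(key, label, data):
    # IEEE 802.11 PRF: HMAC-SHA1(key, label || 0x00 || data || counter), 48 bytes out
    out = b"".join(hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest() for i in range(3))
    return out[:48]

def derive_ptk(pmk, ap_mac, client_mac, anonce, snonce):
    # PTK = PRF-384(PMK, "Pairwise key expansion", min/max(AA,SPA) || min/max(ANonce,SNonce))
    aa, spa = bytes.fromhex(ap_mac.replace(":", "")), bytes.fromhex(client_mac.replace(":", ""))
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf384(pmk, b"Pairwise key expansion", data)

def eapol_mic(kck, frame):
    # WPA2 EAPOL-Key MIC: HMAC-SHA1 with the KCK (first 16 bytes of the PTK), truncated to 16 bytes
    return hmac.new(kck, frame, hashlib.sha1).digest()[:16]

def client_msg2(psk, ap_mac, client_mac, anonce, snonce):
    # Client side: derive the PTK from the key it actually holds and MIC handshake message 2
    ptk = derive_ptk(pmk_from_psk(psk, SSID), ap_mac, client_mac, anonce, snonce)
    frame = b"EAPOL-Key msg2 (simplified body)" + snonce  # constructed stand-in for the frame
    return frame, eapol_mic(ptk[:16], frame)

def ap_authorize(ap_mac, client_mac, anonce, snonce, frame, mic):
    # AP/ClearPass side as in the thread: MAC lookup -> bound PSK -> verify MIC -> role/VLAN
    entry = DEVICE_DB.get(client_mac)
    if entry is None:
        return None  # unknown MAC: MAC authentication fails
    psk, role, vlan = entry
    ptk = derive_ptk(pmk_from_psk(psk, SSID), ap_mac, client_mac, anonce, snonce)
    if not hmac.compare_digest(eapol_mic(ptk[:16], frame), mic):
        return None  # MAC without its bound PSK: handshake fails, no VLAN assigned
    return role, vlan

def attempt(client_mac, psk, ap_mac="02:00:00:00:00:aa"):
    # One full attempt with fresh nonces: client signs message 2, AP checks it
    anonce, snonce = os.urandom(32), os.urandom(32)
    frame, mic = client_msg2(psk, ap_mac, client_mac, anonce, snonce)
    return ap_authorize(ap_mac, client_mac, anonce, snonce, frame, mic)
```

`attempt("aa:bb:cc:00:00:01", "cyber-lab-key-2022")` returns the lab role and VLAN, while the same key presented from the printer's MAC returns `None`, because each MAC/PSK pair yields a different PMK and therefore a different PTK.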



  • 4.  RE: How safe are dynamic VLANs on the same SSID

    EMPLOYEE
    Posted Jan 05, 2022 07:07 PM
    Note that Instant APs (controllerless) also support MPSK with ClearPass, and also MPSK Local, which does not need ClearPass, for smaller-scale deployments.

    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba.
    ------------------------------