Security

Hi All,

I have couple Chromecast that I was planning to put in the SSID IOT with users in SSID Corp. Sadly I read that it is not possible to screen to a chrome cast from a different SSID. So, I had the idea to create a new SSID named casting.

My Corp SSID is configured as follow:

 - WPA 2 Enterprise

-- Services with PEAP and TLS enabled

-- RoleMapping AD group for users mapped to role users and AD group for guests mapped to role guest

-- Enforcement TLS + role users VLAN 44

-- Enforcement PEAP + role users VLAN 41

-- Enforcement PEAP + role guests VLAN 43

Second SSID is IOT and this is configured as follow:

- WPA 2 Personal MPSK

-- Services Allow ALL MAC with Guest Device Repository

-- Enforcement VLAN 42

My idea for the third SSID Casting was as follow:

- WPA 2 Personal, with MAC auth enabled

-- Services Allow ALL MAC with Endpoints Repository

-- Rolemapping that the endpoint status need to be known

-- Enforcement that the endpoint group is casting and force Guest VLAN 43

However, status stays logon (default role)

What do I miss in my configuration?

------------------------------
Mark Raats
CWNE #290
Goal 2021: ACMA, ACCA
------------------------------

Hi Mark,

I have two SSID's with the same VLAN ID and casting is working fine. When cast to another VLAN you need a multicast router to forward mulitcast traffic (afaik, igmp snooping on your edgeswitch should work), without a multicast router  your multicast edge is the broadcast domein (VLAN).
------------------------------
Marcel Koedijk | MVP Expert 2020 | ACMP | ACCP | Ekahau ECSE
------------------------------

Original Message:
Sent: Dec 19, 2020 10:03 AM
From: Mark Raats
Subject: Aruba MM SSID PSK - Clearpass - MAB - Endpoint Repository

Hi All,

I have couple Chromecast that I was planning to put in the SSID IOT with users in SSID Corp. Sadly I read that it is not possible to screen to a chrome cast from a different SSID. So, I had the idea to create a new SSID named casting.

My Corp SSID is configured as follow:

 - WPA 2 Enterprise

-- Services with PEAP and TLS enabled

-- RoleMapping AD group for users mapped to role users and AD group for guests mapped to role guest

-- Enforcement TLS + role users VLAN 44

-- Enforcement PEAP + role users VLAN 41

-- Enforcement PEAP + role guests VLAN 43

Second SSID is IOT and this is configured as follow:

- WPA 2 Personal MPSK

-- Services Allow ALL MAC with Guest Device Repository

-- Enforcement VLAN 42

My idea for the third SSID Casting was as follow:

- WPA 2 Personal, with MAC auth enabled

-- Services Allow ALL MAC with Endpoints Repository

-- Rolemapping that the endpoint status need to be known

-- Enforcement that the endpoint group is casting and force Guest VLAN 43

However, status stays logon (default role)

What do I miss in my configuration?

------------------------------
Mark Raats
CWNE #290
Goal 2021: ACMA, ACCA
------------------------------