I have been doing some more testing to arrive at a workable situation:
- 1 VLAN/Subnet for the partner wireless where all devices will land
- for now wireless only with MAC authentication; later I could add a captive portal with a username/password per partner that returns the correct role, so the same credentials for all devices from one partner
- a user role on the controller that is returned after successful MAC auth and looks like this:

Now here's the catch for the line in red, I didn't know this is possible:

This works, so traffic between clients with the same user role is allowed, other traffic (to another user role or to internal IPs) is blocked, and internet traffic is allowed.
We can live with this, BUT there seems to be a bug here... The setup is a cluster of 2 Aruba 7210 controllers.
If both users with the same Partner_xxx user role have the same UAC they can communicate; if they have a different UAC they can't communicate.
I'll start by making a TAC case, but maybe others have experienced this too?
------------------------------
Kris Vervisch
------------------------------
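The role policy described in the post (permit between clients of the same role, deny everything else internal, permit internet) can be modelled as a first-match ACL. The following is an added example, not Aruba AOS configuration or anything from the thread: a small Python model with constructed clients and addresses that shows why the intra-role permit has to come before the deny of internal ranges. The role names, the 10.50.1.0/24 partner VLAN and the sample hosts are assumptions for illustration.

```python
"""Toy first-match ACL model of the partner user-role policy from the post.

Added example, not Aruba's AOS configuration: it models the intent
(intra-role traffic permitted, other roles and internal IPs denied,
internet permitted) and shows why rule order matters. Clients, roles
and addresses below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Optional

# RFC 1918 space stands in for the "internal IPs" mentioned in the post.
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]


@dataclass(frozen=True)
class Client:
    ip: str
    role: str  # e.g. "Partner_A"; assumed to be returned by MAC auth


# A rule is (name, predicate(src, dst_ip, dst_client), action).
Rule = tuple[str, Callable[[Client, str, Optional[Client]], bool], str]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def same_role(src: Client, dst_ip: str, dst: Optional[Client]) -> bool:
    # Matches only when the destination is another authenticated client
    # carrying the identical role (the "user to user" permit).
    return dst is not None and dst.role == src.role


def to_internal(src: Client, dst_ip: str, dst: Optional[Client]) -> bool:
    return is_internal(dst_ip)


def anything(src: Client, dst_ip: str, dst: Optional[Client]) -> bool:
    return True


# Order matters: the intra-role permit must precede the internal deny,
# because the partner clients themselves sit on RFC 1918 addresses.
PARTNER_ROLE_ACL: list[Rule] = [
    ("permit-same-role", same_role, "permit"),
    ("deny-internal", to_internal, "deny"),
    ("permit-internet", anything, "permit"),
]

# Same rules with the first two swapped: the deny now shadows the permit.
MISORDERED_ACL: list[Rule] = [
    ("deny-internal", to_internal, "deny"),
    ("permit-same-role", same_role, "permit"),
    ("permit-internet", anything, "permit"),
]


def evaluate(acl: list[Rule], src: Client, dst_ip: str,
             clients: dict[str, Client]) -> tuple[str, str]:
    """First-match evaluation; returns (action, name of matching rule)."""
    dst = clients.get(dst_ip)
    for name, pred, action in acl:
        if pred(src, dst_ip, dst):
            return action, name
    return "deny", "implicit-deny"  # nothing matched


# Constructed clients on a single partner VLAN, 10.50.1.0/24.
CLIENTS = {c.ip: c for c in (
    Client("10.50.1.10", "Partner_A"),
    Client("10.50.1.11", "Partner_A"),
    Client("10.50.1.20", "Partner_B"),
)}
INTERNAL_SERVER = "10.0.0.5"      # constructed internal host
INTERNET_HOST = "93.184.216.34"   # constructed public address


def demo() -> dict[str, str]:
    """Evaluate the four flows discussed in the post from a Partner_A client."""
    a1 = CLIENTS["10.50.1.10"]
    cases = {
        "A->A": CLIENTS["10.50.1.11"].ip,
        "A->B": CLIENTS["10.50.1.20"].ip,
        "A->internal": INTERNAL_SERVER,
        "A->internet": INTERNET_HOST,
    }
    return {k: evaluate(PARTNER_ROLE_ACL, a1, v, CLIENTS)[0]
            for k, v in cases.items()}


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:12s} {v}")
    a1, a2 = CLIENTS["10.50.1.10"], CLIENTS["10.50.1.11"]
    print("misordered A->A:", evaluate(MISORDERED_ACL, a1, a2.ip, CLIENTS))
```

The model only captures the policy intent. It does not reproduce the cluster behaviour reported above, where clients anchored on different UACs could not reach each other despite the permit rule; that is a controller-side matter for the TAC case, not something the ACL logic itself decides.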
Original Message:
Sent: Apr 25, 2022 08:54 AM
From: Bruce Osborne
Subject: MPSK-Local alternative for MM/MC setup
We purposely designed our Guest access to not need VLAN changes because the AOS firewall provides adequate restrictions.
Guest access is meant for temporary access for enterprise guests. We are moving toward TLS for our printers. When we had wireless printers, we used MAC address authentication. WPA2-PSK is designed for home use, not enterprise. Unless the printers process PCI data, encryption is likely not needed, so MAC auth would work well.
------------------------------
Bruce Osborne ACCP ACMP
Liberty University
The views expressed here are my personal views and not those of my employer
Original Message:
Sent: Apr 25, 2022 08:43 AM
From: Kris Vervisch
Subject: MPSK-Local alternative for MM/MC setup
Hello Bruce,
Thank you for your message. I have 2 issues with the use of the Guest accounts.
The biggest problem is that we need to change the VLAN (and IP) after login. The clients need to re-IP, and that is an issue when using a captive portal.
Another possible issue is when connecting devices that have no way of displaying the captive portal, for example a wireless printer that only allows you to configure the SSID and PSK. Admittedly these cases will be rare, so the helpdesk could intervene here...
------------------------------
Kris Vervisch
Original Message:
Sent: Apr 19, 2022 07:49 AM
From: Bruce Osborne
Subject: MPSK-Local alternative for MM/MC setup
Why not Guest Accounts? We currently use long term ClearPass Guest Accounts for events on campus. With Guest Accounts it would be trivial to assign differing roles.
Our vendor VPN solution currently makes use of AD accounts & groups for access. We also use those groups to provide minimal secure access. They can then use their VPN software to get their specific authorization levels.
------------------------------
Bruce Osborne ACCP ACMP
Liberty University
The views expressed here are my personal views and not those of my employer
Original Message:
Sent: Apr 15, 2022 07:50 AM
From: Kris Vervisch
Subject: MPSK-Local alternative for MM/MC setup
Hello,
I would like to make a setup that allows the same functionality as is possible with Aruba Instant (in Central) and MPSK-Local, but with Mobility Conductor/Controllers: you configure a few passkeys, and depending on the passkey entered when connecting to the WLAN, you get a different role (and VLAN!).
Situation: a customer with an MM/MC setup (and ClearPass). They have multiple spaces which are rented by different partners. We would like to provide wireless access to those partners with as little input from the helpdesk as possible, so no creating guest devices or guest accounts or..., just an SSID and a passkey for each partner. Since there can sometimes be more than 15 partners in 1 building, we want to limit the number of SSIDs. So ideally we create 1 SSID, give each partner a different passkey and configure the underlying networking for them (there will also be wired printers and the like). That way they can connect their wireless clients with their own passkey and stay within their own subnet.
On the controllers the only option is MPSK with ClearPass as the authentication server; we could do that, but that means device administration within ClearPass by the helpdesk, or self-registration + choosing the correct partner/VLAN by the users (which, frankly, they will mess up, and the issue will come back to the helpdesk anyway).
Is there an alternative with the hardware we have? Some effort in the initial setup is no problem, but for day-to-day use it should be as effortless as possible. The possibility of the PSK being compromised for one of those partners is no real concern.
Thank you for your input,
------------------------------
Kris
------------------------------