Wireless Access

 View Only
last person joined: yesterday 

Access network design for branch, remote, outdoor and campus locations with Aruba access points, and mobility controllers.
Expand all | Collapse all

AOS 8 firewall config example needed

This thread has been viewed 20 times
  • 1.  AOS 8 firewall config example needed

    Posted Jan 04, 2022 09:25 AM
    My employer demands personal devices be allowed on the network for staff.

    Clearpass is not an option.

    Allow to a dhcp source
    Allow to a DNS source
    All other LAN ip blocked
    Just access to the web

    Yes I realize this is bad.  It is out of my hands.  Those who make the decisions don't understand and don't care.






    ------------------------------
    Doug Selix
    ------------------------------


  • 2.  RE: AOS 8 firewall config example needed

    EMPLOYEE
    Posted Jan 04, 2022 10:50 AM
    Create a role that implements these access controls. And make sure that personal devices get this role. Depending on the authentication method, you may be able from the controller to assign the role, or create a new SSID and allow personal devices on there.

    Without details on authentication, and how you could recognize corporate versus personal device, it's hard to suggest beyond what is above. If you have an Aruba partner, you may setup a call with them to discuss the options. ClearPass may make it easier, but alternatives may be available.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 3.  RE: AOS 8 firewall config example needed

    Posted Jan 04, 2022 11:00 AM
    Plain old WPA2 


    ------------------------------
    Doug Selix
    ------------------------------



  • 4.  RE: AOS 8 firewall config example needed

    EMPLOYEE
    Posted Jan 04, 2022 11:30 AM
    WPA2 with PSK, or WPA2 with dot1x?

    ------------------------------
    Charlie Clemmer
    ------------------------------



  • 5.  RE: AOS 8 firewall config example needed

    Posted Jan 04, 2022 11:34 AM
    Just PSK, no 1x

    Anything I try to limit will eventually get overridden.  (k-12) teachers always get their way.

    So I want no LAN access, going to limit bandwidth, they can all have poor speeds I don't really care.  Just can't have them hammering our internal stuff with bad computers and phones for whatever reason.

    ------------------------------
    Doug Selix
    ------------------------------



  • 6.  RE: AOS 8 firewall config example needed

    EMPLOYEE
    Posted Jan 04, 2022 11:46 AM
    Got it. So with PSK you are limited to a couple of options.

    As Herman mentioned above, the most straight forward is a dedicated SSID for BYOD/Personal devices that meets what you have. Apply your restrictions (firewall, bandwidth limit, etc) to the default role for the SSID, and you're done until teachers start complaining that they can't access internal resources from their personal devices.

    The other option would need to take advantage of something like mac authentication on your existing SSID, with a separate role for personal devices. This is more admin intensive, as you would have to decide what role the majority of your devices should fall into, and then manually create the mac-auth policy to flip the rest of the devices into the other role. Many people start down this path, then revert after the administrative burden of handling a mac-auth list becomes too much of a hassle.

    ------------------------------
    Charlie Clemmer
    ------------------------------