Wireless Access

My employer demands personal devices be allowed on the network for staff.

Clearpass is not an option.

Allow to a dhcp source
Allow to a DNS source
All other LAN ip blocked
Just access to the web

Yes I realize this is bad.  It is out of my hands.  Those who make the decisions don't understand and don't care.






------------------------------
Doug Selix
------------------------------

Create a role that implements these access controls. And make sure that personal devices get this role. Depending on the authentication method, you may be able from the controller to assign the role, or create a new SSID and allow personal devices on there.

Without details on authentication, and how you could recognize corporate versus personal device, it's hard to suggest beyond what is above. If you have an Aruba partner, you may setup a call with them to discuss the options. ClearPass may make it easier, but alternatives may be available.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------

Original Message:
Sent: Jan 04, 2022 09:24 AM
From: Doug Selix
Subject: AOS 8 firewall config example needed

My employer demands personal devices be allowed on the network for staff.

Clearpass is not an option.

Allow to a dhcp source
Allow to a DNS source
All other LAN ip blocked
Just access to the web

Yes I realize this is bad.  It is out of my hands.  Those who make the decisions don't understand and don't care.






------------------------------
Doug Selix
------------------------------

Plain old WPA2 


------------------------------
Doug Selix
------------------------------

Original Message:
Sent: Jan 04, 2022 10:50 AM
From: Herman Robers
Subject: AOS 8 firewall config example needed

Create a role that implements these access controls. And make sure that personal devices get this role. Depending on the authentication method, you may be able from the controller to assign the role, or create a new SSID and allow personal devices on there.

Without details on authentication, and how you could recognize corporate versus personal device, it's hard to suggest beyond what is above. If you have an Aruba partner, you may setup a call with them to discuss the options. ClearPass may make it easier, but alternatives may be available.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Jan 04, 2022 09:24 AM
From: Doug Selix
Subject: AOS 8 firewall config example needed

My employer demands personal devices be allowed on the network for staff.

Clearpass is not an option.

Allow to a dhcp source
Allow to a DNS source
All other LAN ip blocked
Just access to the web

Yes I realize this is bad.  It is out of my hands.  Those who make the decisions don't understand and don't care.






------------------------------
Doug Selix
------------------------------

WPA2 with PSK, or WPA2 with dot1x?

------------------------------
Charlie Clemmer
------------------------------

Original Message:
Sent: Jan 04, 2022 10:59 AM
From: Doug Selix
Subject: AOS 8 firewall config example needed

Plain old WPA2 


------------------------------
Doug Selix

Original Message:
Sent: Jan 04, 2022 10:50 AM
From: Herman Robers
Subject: AOS 8 firewall config example needed

Create a role that implements these access controls. And make sure that personal devices get this role. Depending on the authentication method, you may be able from the controller to assign the role, or create a new SSID and allow personal devices on there.

Without details on authentication, and how you could recognize corporate versus personal device, it's hard to suggest beyond what is above. If you have an Aruba partner, you may setup a call with them to discuss the options. ClearPass may make it easier, but alternatives may be available.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Jan 04, 2022 09:24 AM
From: Doug Selix
Subject: AOS 8 firewall config example needed

My employer demands personal devices be allowed on the network for staff.

Clearpass is not an option.

Allow to a dhcp source
Allow to a DNS source
All other LAN ip blocked
Just access to the web

Yes I realize this is bad.  It is out of my hands.  Those who make the decisions don't understand and don't care.






------------------------------
Doug Selix
------------------------------

Just PSK, no 1x

Anything I try to limit will eventually get overridden.  (k-12) teachers always get their way.

So I want no LAN access, going to limit bandwidth, they can all have poor speeds I don't really care.  Just can't have them hammering our internal stuff with bad computers and phones for whatever reason.

------------------------------
Doug Selix
------------------------------

Original Message:
Sent: Jan 04, 2022 11:29 AM
From: Charlie Clemmer
Subject: AOS 8 firewall config example needed

WPA2 with PSK, or WPA2 with dot1x?

------------------------------
Charlie Clemmer

Original Message:
Sent: Jan 04, 2022 10:59 AM
From: Doug Selix
Subject: AOS 8 firewall config example needed

Plain old WPA2 


------------------------------
Doug Selix

Original Message:
Sent: Jan 04, 2022 10:50 AM
From: Herman Robers
Subject: AOS 8 firewall config example needed

Create a role that implements these access controls. And make sure that personal devices get this role. Depending on the authentication method, you may be able from the controller to assign the role, or create a new SSID and allow personal devices on there.

Without details on authentication, and how you could recognize corporate versus personal device, it's hard to suggest beyond what is above. If you have an Aruba partner, you may setup a call with them to discuss the options. ClearPass may make it easier, but alternatives may be available.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Jan 04, 2022 09:24 AM
From: Doug Selix
Subject: AOS 8 firewall config example needed

My employer demands personal devices be allowed on the network for staff.

Clearpass is not an option.

Allow to a dhcp source
Allow to a DNS source
All other LAN ip blocked
Just access to the web

Yes I realize this is bad.  It is out of my hands.  Those who make the decisions don't understand and don't care.






------------------------------
Doug Selix
------------------------------

Got it. So with PSK you are limited to a couple of options.

As Herman mentioned above, the most straight forward is a dedicated SSID for BYOD/Personal devices that meets what you have. Apply your restrictions (firewall, bandwidth limit, etc) to the default role for the SSID, and you're done until teachers start complaining that they can't access internal resources from their personal devices.

The other option would need to take advantage of something like mac authentication on your existing SSID, with a separate role for personal devices. This is more admin intensive, as you would have to decide what role the majority of your devices should fall into, and then manually create the mac-auth policy to flip the rest of the devices into the other role. Many people start down this path, then revert after the administrative burden of handling a mac-auth list becomes too much of a hassle.

------------------------------
Charlie Clemmer
------------------------------

Original Message:
Sent: Jan 04, 2022 11:34 AM
From: Doug Selix
Subject: AOS 8 firewall config example needed

Just PSK, no 1x

Anything I try to limit will eventually get overridden.  (k-12) teachers always get their way.

So I want no LAN access, going to limit bandwidth, they can all have poor speeds I don't really care.  Just can't have them hammering our internal stuff with bad computers and phones for whatever reason.

------------------------------
Doug Selix

Original Message:
Sent: Jan 04, 2022 11:29 AM
From: Charlie Clemmer
Subject: AOS 8 firewall config example needed

WPA2 with PSK, or WPA2 with dot1x?

------------------------------
Charlie Clemmer

Original Message:
Sent: Jan 04, 2022 10:59 AM
From: Doug Selix
Subject: AOS 8 firewall config example needed

Plain old WPA2 


------------------------------
Doug Selix

Original Message:
Sent: Jan 04, 2022 10:50 AM
From: Herman Robers
Subject: AOS 8 firewall config example needed

Create a role that implements these access controls. And make sure that personal devices get this role. Depending on the authentication method, you may be able from the controller to assign the role, or create a new SSID and allow personal devices on there.

Without details on authentication, and how you could recognize corporate versus personal device, it's hard to suggest beyond what is above. If you have an Aruba partner, you may setup a call with them to discuss the options. ClearPass may make it easier, but alternatives may be available.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Jan 04, 2022 09:24 AM
From: Doug Selix
Subject: AOS 8 firewall config example needed

My employer demands personal devices be allowed on the network for staff.

Clearpass is not an option.

Allow to a dhcp source
Allow to a DNS source
All other LAN ip blocked
Just access to the web

Yes I realize this is bad.  It is out of my hands.  Those who make the decisions don't understand and don't care.






------------------------------
Doug Selix
------------------------------