Wireless Access

Access network design for branch, remote, outdoor and campus locations with Aruba access points, and mobility controllers.

stopping corporate users from using guest

  • 1.  stopping corporate users from using guest

    Posted 22 days ago
    Hello Airheads,
    The customer has an Aruba Instant cluster.
    2 x SSIDs: 1. Corporate 2. Guest.
    Briefly what is happening is that corporate users are hopping onto guest SSID to get round the firewall policies on corp.
    They are blacklisting corp device MAC addresses on the guest SSID.
    There is a limit of 128 on the Instant cluster and they need to blacklist about 250 corp users.
    They are happy to go to a controller based solution but they are asking if there is a better way to achieve this.
    cheers
    Pete

    ------------------------------
    Pete Elms
    ------------------------------


  • 2.  RE: stopping corporate users from using guest

    Posted 21 days ago
    Do they have corporate control of those devices through group policy?  Why don't they push the guest SSID with a WEP key to Windows devices?

    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
    ------------------------------



  • 3.  RE: stopping corporate users from using guest

    Posted 21 days ago
    Hi Colin,
    Not sure I understand your reply.
    They have 2 x SSIDs: corp and guest.
    Guest SSID has a PSK but the corp users know what it is.
    They have to hand out the PSK to visitors that want to use the guest SSID.
    cheers
    pete

    ------------------------------
    Pete Elms
    ------------------------------



  • 4.  RE: stopping corporate users from using guest

    Posted 21 days ago
    Ok,
    Do you mean push out a FALSE WEP key (for the guest SSID) to corp users through group policy?
    CHEERS
    PETE

    ------------------------------
    Pete Elms
    ------------------------------



  • 5.  RE: stopping corporate users from using guest

    Posted 21 days ago
    What devices are the corporate users using to get on the guest WLAN? If they are Windows devices with group policy, configure the corporate devices with the guest SSID, but the wrong preshared key, so they will not be able to connect to the guest network.

    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
    ------------------------------



  • 6.  RE: stopping corporate users from using guest

    Posted 21 days ago
    Hi Colin,
    Nice idea, just finding out from the customer if this idea is applicable.
    As you say, "if they are ALL corp devices AND Windows and as a consequence under AD policy", then this looks great.
    Just waiting for reply from customer.
    thanks again
    pete

    ------------------------------
    Pete Elms
    ------------------------------



  • 7.  RE: stopping corporate users from using guest

    Posted 21 days ago
    If you have ClearPass or another RADIUS solution, you could do it through that easily by doing external MAC Authentication.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
    ------------------------------



  • 8.  RE: stopping corporate users from using guest

    Posted 20 days ago
    As long as you are using GPO why use this false-key method when you can just as easily use the "deny connection to these SSIDs" feature?


  • 9.  RE: stopping corporate users from using guest

    Posted 20 days ago
    In a Windows environment we use GPO to prevent devices from connecting to the guest SSID.
    But you should really consider what you want to achieve with this approach, because the users can still connect to a phone hotspot, coffee shop, home SSID, etc., and your guest network is probably the same as those in terms of access, isn't it?
    The controls should really be done on the endpoints and the servers these days.


  • 10.  RE: stopping corporate users from using guest

    Posted 20 days ago
    thanks for your reply.
    Still waiting on confirmation that all devices are Windows.

    ------------------------------
    Pete Elms
    ------------------------------



  • 11.  RE: stopping corporate users from using guest

    Posted 15 days ago
    You've had some good suggestions here. It may be that you require a multi-tiered approach to achieve the best outcome. It's hard to see how a controller based solution would provide any advantage. Some smarter authentication of clients seems like it might be the best approach.

    1. If the corporate clients are domain joined Windows machines you can push policy to deny them connecting to specific SSIDs.
    2. Blocking MAC addresses within the cluster is possible but as you've found there is a limit on deny-list sizing. 
    3. The deny-list limit can be overcome by performing MAC authentication against a server such as ClearPass Policy Manager. CPPM gives you a lot of flexibility - but it may be too complex a solution depending on the customer.
    4. Look at changing the incentive model. Staff are incentivised to connect to the guest network because it allows them to achieve something they cannot on the corp network. Is the firewall policy too strict? vf556-2 has a good point when saying "consider what you want to achieve". If you block access to guest will they just use a mobile hotspot to achieve their goals?
    5. Change how you authenticate to the guest network. It doesn't sound like the barrier to enter the guest network is difficult enough to overcome staff connecting to it. You could require a specific sponsor to allow users on the network. 

    Would it be possible to replicate the firewall policy on the guest network as well? Should guests be able to do things that staff cannot? This is sometimes not possible because the guest network bypasses the firewall altogether.

    With ClearPass (in some organisations) I have configured the policy so that any clients that have successfully connected to corp are explicitly denied on the guest SSID.


  • 12.  RE: stopping corporate users from using guest

    Posted 14 days ago

    What we have done in our case is:

    From the domain perspective, you push a GPO which tells all the domain devices that "Guest SSID" is prohibited and can't be accessed, and also that the preferred SSID is the "Staff SSID".
    In this scenario, there was no need for Clearpass or anything else.



    ------------------------------
    Shpat
    ------------------------------
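
The SSID deny setting that several replies recommend pushing by GPO has a local equivalent in `netsh wlan` filters, which is handy for testing the behaviour on one corporate laptop before rolling out the policy. This is an added example, not code from any poster in the thread; the SSID name `Guest` is a placeholder, and it assumes the saved profile name matches the SSID.

```powershell
# Added example: block a guest SSID on one Windows device and verify the result.
# Run from an elevated PowerShell prompt. 'Guest' is a placeholder SSID name.
param(
    [string]$GuestSsid = 'Guest'
)

$pattern = [regex]::Escape($GuestSsid)

# 1. Add a block filter for the guest SSID (infrastructure networks only).
netsh wlan add filter permission=block ssid="$GuestSsid" networktype=infrastructure | Out-Null
if ($LASTEXITCODE -ne 0) {
    Write-Error "Could not add block filter for '$GuestSsid' (is the prompt elevated?)"
    exit 1
}

# 2. Remove any saved profile for the guest SSID so the stored PSK is gone.
#    Assumption: the profile name is the same as the SSID.
$profiles = netsh wlan show profiles
if ($profiles -match $pattern) {
    netsh wlan delete profile name="$GuestSsid" | Out-Null
    Write-Output "Removed saved profile '$GuestSsid'"
}

# 3. Verify the filter is now listed. The output separates filters set by
#    group policy from filters set locally, so this also shows which one applies.
$filters = netsh wlan show filters | Out-String
if ($filters -match $pattern) {
    Write-Output "Block filter for '$GuestSsid' is in place:"
    Write-Output $filters
} else {
    Write-Error "Block filter for '$GuestSsid' not found after adding it"
    exit 1
}
```

A filter added this way can be removed again with `netsh wlan delete filter` by anyone with local admin rights, so for enforcement it should be delivered through the domain wireless policy as the replies describe.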