I have a two-SSID setup.
GUEST and SECURE.
We allow our AD users to authenticate on our SECURE 802.1X network with their own personal devices using AD credentials; however, we place those devices into a separate VLAN as per ClearPass. We have all our corporate-owned items using the SECURE SSID, but they get placed into a separate internal VLAN per ClearPass.
I would like to deny inter-user traffic for those users who are on the SECURE network, but not for corporate devices. I know ClearPass can assign roles back to the controller, so I'm assuming that I need to create a BYOD role and apply it, but I'm struggling with how to create the firewall policies.
I'd like DNS traffic to our two DNS servers to be allowed, and web traffic out, but to deny all other traffic to our internal networks.
I wish it was as easy as "deny inter-user traffic", but that seems to be a VAP setting and I can't do that because some of the users on our SECURE SSID are corporate users.
Your firewall policy in your BYOD role might look like this:
any network 192.168.1.0 255.255.255.0 any deny
any any any permit
It would block traffic to any device that is on the 192.168.1.x network and allow all other traffic.
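A fuller version of that BYOD role that also covers the DNS, web and internal-network requirements from the question, added here as an example and not taken from the original post. The DNS server addresses, the RFC 1918 ranges used for "internal", and the alias and role names are assumptions; ArubaOS session ACLs are evaluated top-down with first match winning, so the DNS permit has to sit above the deny that covers the DNS servers' subnet.

```arubaos
! Destination aliases (placeholder addresses; substitute your own).
netdestination corp-dns
  host 10.1.1.10
  host 10.1.1.11
!
netdestination internal-nets
  network 10.0.0.0 255.0.0.0
  network 172.16.0.0 255.240.0.0
  network 192.168.0.0 255.255.0.0
!
! First match wins: DHCP and DNS to the two servers are permitted
! before the rule that denies everything else on internal ranges.
! Because the BYOD VLAN's own subnet is inside internal-nets, the
! deny rule also blocks client-to-client traffic between BYOD devices.
ip access-list session byod-acl
  user any svc-dhcp permit
  user alias corp-dns svc-dns permit
  user alias internal-nets any deny
  user any svc-http permit
  user any svc-https permit
  any any any deny
!
! Role that ClearPass returns (Aruba-User-Role VSA) for personal devices;
! corporate-owned devices keep whatever role they are assigned today.
user-role byod
  access-list session byod-acl
```

Verify the result from the controller with `show rights byod` and, for a connected client, `show datapath session table <client-ip>` to confirm that DNS and web sessions are permitted while other internal destinations are denied.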
© Copyright 2021 Hewlett Packard Enterprise Development LP. All Rights Reserved.