Security


Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).

Allow Guests access to the Internet but not other machines on the LAN

  • 1.  Allow Guests access to the Internet but not other machines on the LAN

    Posted Feb 21, 2020 06:45 AM

    What Action/Destination type Access rule can I apply to our Guest network to allow access to the internet but to deny access to other machines on the LAN?

    We have an Aruba 305 AP on 192.168.0.102 and router on 192.168.0.1




  • 2.  RE: Allow Guests access to the Internet but not other machines on the LAN

    Posted Feb 21, 2020 06:56 AM

    You can configure an Aruba ACL to deny access to your internal subnets and permit anything else. The ordering of your ACLs is key, since traffic is matched from the top rule down.

     

    Generally, the rule at the top would be your deny to internal networks then beneath this is the permit all to allow internet access.

     

    https://www.arubanetworks.com/techdocs/Instant_83_WebHelp/Content/Instant_UG/Roles_and_policies/FirewallConf.htm



  • 3.  RE: Allow Guests access to the Internet but not other machines on the LAN

    Posted Feb 21, 2020 07:05 AM

    do you mean like:

    1. Action: "Deny" Destination: "to a network" IP: "192.168.0.0" subnet: "255.255.255.0"
    2. Action: "Allow" Destination: "to all destinations"



  • 4.  RE: Allow Guests access to the Internet but not other machines on the LAN

    Posted Feb 21, 2020 07:14 AM

    That is correct. Here's an example from before. (Attachment: pre-auth.png)

     

    If you wanted to take it further and deny clients on the same SSID/VLAN from talking to each other (e.g. isolate the clients), you can configure Deny inter user bridging.

     

    https://www.arubanetworks.com/techdocs/Instant_83_WebHelp/Content/Instant_UG/WLAN_SSID_conf/ConfiguringWLANPro.htm
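
The top-down rule matching described in this thread, as an added example that is not part of any post and is not Aruba code: a small first-match model of the two guest rules from post 3, plus a check for rules that an earlier rule makes unreachable. The function names, the default action and the sample destinations 192.168.0.50 and 203.0.113.10 are assumptions constructed for illustration.

```python
import ipaddress

# Rules from post 3, in the order given: deny the LAN subnet, then allow all.
GUEST_RULES = [
    ("deny", ipaddress.ip_network("192.168.0.0/255.255.255.0")),
    ("allow", ipaddress.ip_network("0.0.0.0/0")),
]
# The same two rules in the wrong order, for comparison.
REVERSED_RULES = list(reversed(GUEST_RULES))

DEFAULT_ACTION = "deny"  # assumption: traffic matching no rule is dropped


def evaluate(rules, destination):
    """Return the action of the first rule whose network contains destination."""
    addr = ipaddress.ip_address(destination)
    for action, network in rules:
        if addr in network:
            return action
    return DEFAULT_ACTION


def shadowed_rules(rules):
    """Return indexes of rules fully covered by an earlier rule (never reached)."""
    return [
        i
        for i, (_, net) in enumerate(rules)
        if any(net.subnet_of(earlier) for _, earlier in rules[:i])
    ]


if __name__ == "__main__":
    # Constructed destinations: router and AP from post 1, one LAN host,
    # one internet host (documentation address range).
    samples = ["192.168.0.1", "192.168.0.102", "192.168.0.50", "203.0.113.10"]
    for name, rules in (("deny-first", GUEST_RULES), ("allow-first", REVERSED_RULES)):
        print(name, "shadowed rule indexes:", shadowed_rules(rules))
        for dst in samples:
            print(f"  {dst:15} -> {evaluate(rules, dst)}")
```

The deny rule also covers the router's own address, 192.168.0.1. Traffic routed through it to the internet is matched on its internet destination, but anything guests address to 192.168.0.1 itself (DNS, if the router is the resolver, which the thread does not say) matches the deny.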