Security

last person joined: yesterday 

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

Best Practice for Wireless Guest with Clearpass

  • 1.  Best Practice for Wireless Guest with Clearpass

    Posted Jul 22, 2020 11:28 AM

    Considering  Wifi network with Aruba controller 8.x and Clearpass.

    How do we seperate Guest network completely from corporate LAN including separate DHCP and DNS  for guest users  (using captive portal) . What is the  recommendation ?

     

    Is there any reference VRD or document  on this , Kindly advise.



  • 2.  RE: Best Practice for Wireless Guest with Clearpass

    Posted Jul 22, 2020 01:20 PM

    Please see this VRD for guest. All of the concepts are the same (roles, acls, vlans, etc...) but may be located somewhere else in the GUI for AOSv8: https://community.arubanetworks.com/aruba/attachments/aruba/Aruba-VRDs/157/3/Guest%20Access%20with%20ArubaOS.pdf

     

    You can assign all of the guest roles to a separate vlan on the same trunk link, or spin up a separate interface terminating to a firewall. In that vlan, you can assign the DHCP addresses from an upstream L3 device (recommended), or locally on the controller vlan interface.

     

     



  • 3.  RE: Best Practice for Wireless Guest with Clearpass

    Posted Jul 23, 2020 12:11 AM

    Thanks , any recommendations on ( internal or public) DNS  and captive portal   ?



  • 4.  RE: Best Practice for Wireless Guest with Clearpass

    Posted Jul 23, 2020 07:56 AM

    I can tell you from my experience, most organizations just allow DNS to their internal DNS servers, or a few of them, and either use internal captive portal in the controller, or clearpass/ise for external. Depends on what kind of guest experience you want for your users. For most, the guest user VLAN/Subnet is always off of a firewall in a DMZ or external zone.

     

     



  • 5.  RE: Best Practice for Wireless Guest with Clearpass

    Posted Jul 23, 2020 11:37 AM
    You can use external DNS and configure your firewall to do DNS proxy (if it supports it)

    Another option is to make your guest page reachable publicly and place some restrictions on your firewall on who can reach it publicly via HTTPS/HTTP



    Sent from Mail for Windows 10