Security

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).

Different VLANs&Groups on internal DB

  • 1.  Different VLANs&Groups on internal DB

    Posted Jan 18, 2015 12:20 PM

    Hi Everybody, 

    I've got a couple of 7210 controllers and a bulk of IAP103 + AirWave 8.x.

    What does my customer want:

    - SSID1. For guest and service stuff. MAC + PSK authorization at internal DB. No access to internal resources and some bandwidth limits.

    - SSID2. For employers. MAC + PSK authorization at internal DB. Without bandwidth limits but with content filtering.

    - SSID3. For management. MAC + PSK authorization at internal DB. No limits & filtering.

    1. Users should not be able to connect to "wrong" SSID, e.g. guest from SSID1 should not be able to connect to SSID3. 

    2. "Wrong" users (without registered MACs) should not be able to get in even having PSK

    3. All traffic shaping and content filtering tasks will be performed on Cisco ASA+FireSight.   

    4. I have no outside RADIUS/TACACS/LDAP/AD server and no PEFNG license :(

    Is there any solution to do like that? 

    My idea is to use different MAC authentication profiles with different delimiters. Thus, I will (I hope :)) have 3 virtually "different" MAC bases in the internal DB and will be able to set up different User Derivation Rules based on MAC for different SSIDs.

    I'd like to know whether it will work.

    Is there some "straight" and documented way, or any good ideas to try?

    Thanks a lot in advance!

    BR

    Alex 


  • 2.  RE: Different VLANs&Groups on internal DB
    Best Answer

    Posted Jan 18, 2015 02:16 PM
    This will work but will not scale well. You'll have to sync the internal database via AirWave and you run the risk of maxing out the internal database.

    An available solution would be ClearPass and PEFNG.


  • 3.  RE: Different VLANs&Groups on internal DB

    Posted Jan 18, 2015 11:46 PM

    Thank you for your help and fast reply!

    What is the maximum capacity of the Internal DB? I will have up to 1000 users. Will it be enough to work as a temporary solution (until PEFNG and RADIUS are installed)?

    BR

    Alex



  • 4.  RE: Different VLANs&Groups on internal DB

    Posted Jan 19, 2015 09:45 AM

    8,192 entries
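As an added illustration, not code from the thread or from Aruba, the following Python model shows what the original poster's "virtual MAC database" scheme actually does and checks it against the 8,192-entry internal DB ceiling quoted in reply 4. Each SSID's MAC authentication profile turns the client MAC into a username using its own delimiter (the simulation also uses letter case as a second distinguishing attribute; that is an assumption, as are the profile names, role names and sample MACs, which are all constructed). The same MAC therefore maps to a different DB username per SSID, so one internal DB can hold three logically separate MAC lists, and a MAC registered for one SSID fails MAC auth on another even with the correct PSK.

```python
"""Model of per-SSID MAC-auth profiles sharing one internal DB.

Constructed example: profile names, roles and MACs are hypothetical.
The lookup key is the MAC as formatted by the SSID's profile, so the
"separation" between SSIDs is purely a username-formatting convention.
"""
import re

INTERNAL_DB_CAPACITY = 8192  # internal DB size quoted in the thread

# Per-SSID MAC-auth profile: how the username is built from the MAC,
# and the role a user-derivation rule assigns after a successful lookup.
PROFILES = {
    "SSID1-guest": {"delimiter": ":", "upper": False, "role": "guest"},
    "SSID2-staff": {"delimiter": "",  "upper": True,  "role": "employee"},
    "SSID3-mgmt":  {"delimiter": "-", "upper": True,  "role": "management"},
}


def normalize_mac(mac):
    """Return the 12 hex digits of a MAC written in any common notation."""
    digits = re.sub(r"[:\-.]", "", mac.strip().lower())
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def db_username(mac, profile):
    """Format a MAC the way this SSID's profile presents it to the DB."""
    digits = normalize_mac(mac)
    pairs = [digits[i:i + 2] for i in range(0, 12, 2)]
    name = profile["delimiter"].join(pairs)
    return name.upper() if profile["upper"] else name


def profiles_are_distinct(profiles=PROFILES):
    """True if no two profiles would produce identical usernames.

    Two profiles sharing delimiter and case would silently merge their
    MAC lists, defeating requirement 1 in the original post.
    """
    keys = [(p["delimiter"], p["upper"]) for p in profiles.values()]
    return len(keys) == len(set(keys))


def provision(internal_db, mac, ssid):
    """Register a MAC for one SSID; returns the DB username that was stored."""
    name = db_username(mac, PROFILES[ssid])
    internal_db.add(name)
    return name


def authenticate(internal_db, mac, ssid):
    """Derive the role for a client on `ssid` with MAC `mac`.

    None means MAC auth failed: knowing the PSK alone is not enough.
    """
    name = db_username(mac, PROFILES[ssid])
    return PROFILES[ssid]["role"] if name in internal_db else None


def capacity_headroom(internal_db):
    """Entries still free before the internal DB limit is reached."""
    return INTERNAL_DB_CAPACITY - len(internal_db)


def build_demo_db():
    """Constructed sample DB: one registered MAC per SSID."""
    db = set()
    provision(db, "00:11:22:33:44:55", "SSID1-guest")
    provision(db, "00:11:22:33:44:66", "SSID2-staff")
    provision(db, "00:11:22:33:44:77", "SSID3-mgmt")
    return db


if __name__ == "__main__":
    db = build_demo_db()
    print("profiles distinct:", profiles_are_distinct())
    print(sorted(db))
    print("guest MAC on guest SSID:", authenticate(db, "00:11:22:33:44:55", "SSID1-guest"))
    print("guest MAC on mgmt SSID: ", authenticate(db, "00:11:22:33:44:55", "SSID3-mgmt"))
    print("headroom:", capacity_headroom(db))
```

Each user costs one entry in whichever list they belong to, so the 1000 users mentioned in reply 3 stay well below 8,192 even if a few are registered on more than one SSID. The `profiles_are_distinct` check is the one thing worth running before rolling this out: if two profiles format MACs identically, their lists collapse into one and the per-SSID restriction disappears. As the best answer notes, the lookup key is a client-supplied MAC rather than a credential tied to the user, which is why 802.1X with role derivation is the better long-term design.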



  • 5.  RE: Different VLANs&Groups on internal DB
    Best Answer

    Posted Jan 18, 2015 02:29 PM
    I would look into using 802.1x (NPS if they can't afford ClearPass) and use role derivation to get them in the right VLANs and institute filtering for the proper users. Then you can cut the management overhead of one SSID out of the mix. Most people try to keep it down to 2 SSIDs when possible, and I always strongly urge my customers and explain the implications of more SSIDs and the performance hits they incur with each additional one.