My customer’s requirements for a lightly managed PSK network for residents mean they are looking to allow L2/L3 traffic between a set of registered-ownership devices (registered in CP:Guest), but not allow other users to communicate with it. This is for security reasons and for passing a pen test. I can think of a few ways to accomplish this:
1. Create a VLAN/subnet for each user, and plop all of their devices into the same VLAN. ACLs written to allow only a little traffic within their subnet, somehow, and the internet.. Not very scalable for this environment. They will have hundreds of unique users, and changing.
2. Create downloadable user roles (DUR) from ClearPass that creates the user-role identifying the user. Then also pass back rules that allow the right traffic between those same-user roles, and deny the rest to the same subnet. I can see this handling L3, but not L2. I’m not 100% on the scalability of this, nor if the ACLs can be written this way - I will lab it this morning. The DUR writing could also get a little hairy.
What I can’t do:
3. Turn on deny-inter-user-traffic : they need and use AirGroups on the same network. AirGroup works for the discoverability part, but not a malicious actor trying to compromise devices.
Thoughts? Best practices?