Controllerless Networks

 View Only
last person joined: 13 hours ago 

Aruba Instant Wi-Fi: Meet the controllerless Wi-Fi solution that's easy to set-up, is loaded with security and smarts, and won't break your budget.
Expand all | Collapse all

Limit client distance from AP?

This thread has been viewed 18 times
  • 1.  Limit client distance from AP?

    Posted Jun 17, 2022 07:58 PM
    Hi,

    I have a few dozen 7005 controllers with about 150 AP105/205s. My boss says the security department of our offices wants to limit the access clients to our APs, which can reach outside of many buildings.

    He wants there to be a hard "x-feet", let's say 10-20 feet, where a client can't connect to the APs. Most sites have 2 APs, while some have 12 or more.

    I've told them we could use an Ekahau sidekick to scan and set each AP for x-dBm from the APs, so that the edge of the usable zone is at the inside walls. But that's a lot of work, and would require different settings for each AP. We could also start at a very low power level, and make have people tell me when they can't connect, so add some power here and there. Plus, someone with a 24+dB antenna could seem "inside" as the signal is "louder". 

    Isn't there a way to set a variable on the APs to say that receiving association frames from clients that are further than x nano-seconds away? I'm not adverse to adding a monitor-only AP, though in some sites with multiple APs they're spread out in several building.

    I opened a ticket with TAC and short of tuning off client match, reducing power, etc. there's no way to do this.

    Any thoughts would be helpful!

    Regards,




    ------------------------------
    Ambidexter
    ------------------------------


  • 2.  RE: Limit client distance from AP?

    EMPLOYEE
    Posted Jun 17, 2022 10:05 PM
    There is no way to do this by limiting power.  Reducing power is not an adequate security measure, because an attacker can always use something to amplify a weak signal and still hack.  Also due to the fact that wifi signals bounce and propagate off of some materials means you will always be leaking something.  Turning down the power will possibly hurt the performance of your existing clients, create coverage holes and make you have to spend more to cover your existing spaces. Modern-day security like EAP-TLS, a strong integrated firewall are the best measures for this.

    I encourage you (and your security team) to take a look at the latest ArubaOS hardening guide on asp.arubanetworks.com for ideas.

    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    HPE Design and Deploy Guides: https://community.arubanetworks.com/support/migrated-knowledge-base?attachments=&communitykey=dcc83c62-1a3a-4dd8-94dc-92968ea6fff1&pageindex=0&pagesize=12&search=&sort=most_recent&viewtype=card
    ------------------------------



  • 3.  RE: Limit client distance from AP?

    Posted Jun 18, 2022 01:32 PM
    Hello, 

    you can reduce number of far away users, but consider that you might have that kind of  users inside your building also, not only outside of building. if you set OFDM-only rates, or set minimum RSSI value, you will reject all long distance clients. unfortunaletty this might couse some problems for internal users and you might needd to add or relocate some APs closer to that user area.

    turning power down is not good idea, it wil not give you any results. 

    you better work with sybersec folks and explain how wifi works :) for corporate users implement most secure WLAN , for example eap-tls.


  • 4.  RE: Limit client distance from AP?

    MVP EXPERT
    Posted Jun 20, 2022 04:51 PM
    Hi Ambidexter,

    I don't think this is the right way to make the WiFi network more secure.

    You'd be better off investing time in use a secure authentication method like certificate based authentication (eap-tls) via an authentication server like Aruba ClearPass.

    As an extra measure, you could only broadcast the SSID networks during office hours.

    Please note that the AP-105 are end-of-support since august 2020. May i ask why you use 7005 controllers (which can handle 16 access points) while you have 150 access points. Maybe you can modernize your environment with newer model acccess points managend by the Aruba Central cloud (with or without controllers).

    Hope this helps you.

    ------------------------------
    Marcel Koedijk | MVP Expert 2022 | ACEP | ACMP | ACCP | ACDP | Ekahau ECSE | Not an HPE Employee | Opinions are my own
    ------------------------------