I think I don't have another choice; I need to set up another SSID and separate the guest one from the employee one.
Original Message:
Sent: Jul 17, 2024 07:07 AM
From: Herman Robers
Subject: Clearpass Role [ Employee, guest, Contractor]
I think it would be good to discuss this with your Aruba partner, as it's hard to take everything into consideration in a forum, and I would regret it if you built the wrong solution or made a wrong decision based on what you got from a forum like the Airheads community.
Separating the access by roles is not the problem. That works, and is a great method to control where users have access (guests, employees, contractors, IoT devices, etc.); and you could combine that with VLANs to get another layer of security if you can make routing between the guest VLAN and corporate networks impossible by VRF, PBR and/or firewalls.
The fundamental problem with captive portals is that they work based on the client MAC address, and MAC addresses are very easy to spoof. If you have employees authenticated on the same network as guests, it's easy for an attacker to change their MAC address to one of an authorized client, then use that authorization to gain access to applications or parts of the network where they are not supposed to have access. For employees, the 'golden standard' is to use 802.1X (WPA2/3-Enterprise), which links the authentication to encryption and avoids the risk of MAC spoofing.
As you have not shared everything about your network, it's hard to point you in the right direction, except that what you propose (use of a captive portal on the same SSID for guest and internal/employee access) sounds like a bad idea if you care about the security of your network. But there may be situations where you can do it, for example if the access is the same but different speed limits are applied; like in a hotel where you have standard access with low bandwidth and certain applications, and premium access with high bandwidth and full Internet access. Then, worst case, people get what they are not entitled to, but there is no access to internal applications that form a risk.
So, yes, you can build this, but you probably shouldn't.
Working with a specialist may get you an optimal design, taking into account all information.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
Original Message:
Sent: Jul 16, 2024 10:48 AM
From: ali.amokrane
Subject: Clearpass Role [ Employee, guest, Contractor]
So my goal is :
Employees need to access the WiFi with their credentials on a captive portal (everyone will have their own username & password) and, if possible, to connect every day to this SSID without typing their credentials (I think you said before it was MAC caching or something like that).
For guests, I want access via captive portal with a request sent to a sponsor (I have already done that), but I want to give them access only to the Internet. Until now guests and employees have the same access. I just want to separate them from the employee machines (deny SSH, ICMP, etc. for the guests).
I thought it was better to have everyone on the same SSID and separate them by policies or roles; that's what I want.
The reason I don't want another SSID is that we already have many (we have a WiFi for training sessions that is active by period, and another one for special machines which cannot connect with the normal captive portal (very secure and many restrictions)).
Original Message:
Sent: Jul 16, 2024 08:53 AM
From: jonas.hammarback
Subject: Clearpass Role [ Employee, guest, Contractor]
Hi
The VLAN must be added in the VC, and of course also in the wired infrastructure.
Can you explain your goal with having just one SSID and why you don't want to add a second SSID? What is the problem you are trying to solve with just one SSID? The idea of having the same SSID for both guests and employees is very unconventional and against best practice. For employees it will be a less secure and possibly also annoying solution, with manual authentications if you have a captive portal, as discussed in your other thread.
Please also describe other aspects of your network, like the size and if you have a need for employees to access local resources.
------------------------------
Best Regards
Jonas Hammarbäck
MVP Guru 2024, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
Aranya AB
If you find my answer useful, consider giving kudos and/or mark as solution
Original Message:
Sent: Jul 16, 2024 08:32 AM
From: ali.amokrane
Subject: Clearpass Role [ Employee, guest, Contractor]
Jonas,
When you say create a VLAN, do I need to create the VLAN on the VC or on ClearPass?
Original Message:
Sent: Jul 16, 2024 06:11 AM
From: jonas.hammarback
Subject: Clearpass Role [ Employee, guest, Contractor]
Hi
The best would be to place the guests on a separate VLAN and control the traffic from that VLAN. The VLAN should be firewalled to block all access to internal resources and only allow access to the Internet. This guest VLAN should also utilize external DNS servers, not the internal ones.
Also, guests and employees should not be on the same SSID. I suppose you are using IAP access points, as you refer to the VC, and with these there is also an option to let the guest SSID utilize the NAD function in the VC and place the guests on a virtual VLAN. Create firewall rules in the role assigned to this VLAN to block access to internal resources.
There are a lot of if's and but's to consider during the design of the network and configuration of ClearPass. Consult a local Aruba partner to get the best options in your case.
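The guest enforcement Jonas describes above (guest VLAN firewalled to the Internet only, external DNS only) and the role-plus-VLAN separation Herman discusses earlier in the thread both come down to a first-match access list carried by the guest role. The following is an added example, not code from this thread or from Aruba: it models that access list in Python so the outcomes ali.amokrane asked for (no SSH or ICMP from guests to employee machines or to the VC) can be checked as test vectors before the rules are configured on the VC and the role is returned from ClearPass. The address ranges, resolver addresses and the VC address are constructed sample values, and the matcher is a simplified model of how a role ACL evaluates, not Aruba's configuration syntax. It also shows the common mistake of placing the catch-all permit first, which silently turns the guest role into permit-all.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Constructed sample addressing for the model (assumption, not from the thread).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
EXTERNAL_RESOLVERS = ["9.9.9.9", "149.112.112.112"]  # public resolvers the guest VLAN may use
VC_ADDRESS = "192.168.10.2"                           # hypothetical VC management address

ANY = None  # wildcard for destination, protocol or port


@dataclass(frozen=True)
class Flow:
    dst: str
    proto: str       # "tcp", "udp" or "icmp"
    dport: int = 0   # 0 when the protocol has no port (icmp)


@dataclass(frozen=True)
class Rule:
    action: str                        # "permit" or "deny"
    dst: ipaddress.IPv4Network | None  # None matches any destination
    proto: str | None                  # None matches any protocol
    ports: tuple[int, int] | None      # inclusive range; None matches any port
    note: str


def guest_internet_only(internal=INTERNAL_NETS, resolvers=EXTERNAL_RESOLVERS) -> list[Rule]:
    """Guest role ACL: DHCP, the listed external resolvers, nothing internal, then the Internet."""
    rules = [Rule("permit", ANY, "udp", (67, 68), "DHCP so the client can get a lease")]
    for r in resolvers:
        rules.append(Rule("permit", ipaddress.ip_network(f"{r}/32"), "udp", (53, 53), "external resolver"))
    rules.append(Rule("deny", ANY, "udp", (53, 53), "no other DNS, in particular not the internal resolvers"))
    for net in internal:
        rules.append(Rule("deny", net, ANY, ANY, "internal range: SSH, ICMP, everything, to employees and the VC"))
    rules.append(Rule("permit", ANY, ANY, ANY, "whatever is left is the Internet"))
    return rules


def evaluate(rules: list[Rule], flow: Flow) -> tuple[str, str]:
    """First matching rule wins; no match means deny, as on a real role ACL."""
    dst = ipaddress.ip_address(flow.dst)
    for rule in rules:
        if rule.dst is not None and dst not in rule.dst:
            continue
        if rule.proto is not None and rule.proto != flow.proto:
            continue
        if rule.ports is not None and not (rule.ports[0] <= flow.dport <= rule.ports[1]):
            continue
        return rule.action, rule.note
    return "deny", "implicit deny"


# Constructed test flows for the guest role and the outcome each one must produce.
EXPECTED = {
    Flow("93.184.216.34", "tcp", 443): "permit",   # ordinary web site
    Flow("9.9.9.9", "udp", 53): "permit",          # listed external resolver
    Flow("10.0.0.53", "udp", 53): "deny",          # internal resolver
    Flow("8.8.8.8", "udp", 53): "deny",            # unlisted public resolver
    Flow("10.20.30.40", "tcp", 22): "deny",        # SSH to an employee machine
    Flow("10.20.30.40", "icmp"): "deny",           # ping to an employee machine
    Flow(VC_ADDRESS, "icmp"): "deny",              # ping to the VC
    Flow("255.255.255.255", "udp", 67): "permit",  # DHCP discover
}


def verify(rules: list[Rule], expected=EXPECTED) -> dict[Flow, str]:
    """Return the flows whose result differs from what the guest role must give (empty = ACL is right)."""
    mismatches = {}
    for flow, want in expected.items():
        got = evaluate(rules, flow)[0]
        if got != want:
            mismatches[flow] = got
    return mismatches


def misordered_guest() -> list[Rule]:
    """The classic mistake: the catch-all permit placed first, so nothing below it is ever consulted."""
    good = guest_internet_only()
    return [good[-1]] + good[:-1]


if __name__ == "__main__":
    print("correct ordering, mismatches:", verify(guest_internet_only()))
    print("permit-any first, mismatches:", verify(misordered_guest()))
```

The order is what matters: the services a guest genuinely needs (DHCP, the chosen public resolvers) are permitted first, every internal range is denied for all protocols so ICMP and SSH to employee machines and to the VC are covered by one rule each, and only then comes the permit-any that represents the Internet. In the real deployment the same ordering goes into the role's access rules on the VC, and ClearPass typically only returns the role name; the test vectors above are the kind of checklist worth walking through on the configured role before guests are let onto it.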
Original Message:
Sent: Jul 16, 2024 05:31 AM
From: ali.amokrane
Subject: Clearpass Role [ Employee, guest, Contractor]
Thank you very much for the reply.
Which kind of enforcement do I need to set? I want guests to have access only to the Internet, and they should not be able to ping employee machines, for example, or the VC.
Thank you
Original Message:
Sent: Jul 15, 2024 01:59 PM
From: ahollifield
Subject: Clearpass Role [ Employee, guest, Contractor]
Nothing, until you specify the role in an enforcement profile. These are just default roles; you can create your own roles as you need.
Original Message:
Sent: Jul 15, 2024 11:12 AM
From: ali.amokrane
Subject: Clearpass Role [ Employee, guest, Contractor]
Hi everyone,
I was wondering what the difference is between those roles (employee, guest and contractor)? Is it in terms of access? A guest has access to what exactly? The same for employee? I have done many tests but I can't find the main difference between those roles.
Thank you very much