Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clearpass Role [ Employee, guest, Contractor]

  • 1.  Clearpass Role [ Employee, guest, Contractor]

    Posted Jul 15, 2024 11:13 AM

    Hi everyone,

    I was wondering what the difference is between those roles (employee, guest and contractor)? Is it in terms of access? What exactly does a guest have access to? And the same for an employee? I have done many tests but I can't find the main difference between those roles.

    Thank you very much



  • 2.  RE: Clearpass Role [ Employee, guest, Contractor]

    Posted Jul 16, 2024 03:23 AM

    These are only default TIPS roles that ClearPass uses in all wizards. [employee] is someone who is permanently employed by the company. [contractor] is someone who only has an order from the company, but is not employed by the company. And a [guest] is a person from outside the company who, for example, is visiting someone at the company.


    These TIPS roles can be used to set different access levels in Enforcement. For example, different VLANs or Aruba-User-Roles. The specific access level always depends on the use case. Some customers do not differentiate between [employee] and [contractor]. Some want [employee] and [guest] to have the same access level in the WLAN, for example.



    ------------------------------
    Regards,

    Waldemar
    ACCX # 1377, ACEP, ACX - Network Security
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------



  • 3.  RE: Clearpass Role [ Employee, guest, Contractor]
    Best Answer

    Posted Jul 16, 2024 04:58 AM

    Nothing, until you specify the role in an enforcement profile. These are just default roles; you can create your own roles as you need.




  • 4.  RE: Clearpass Role [ Employee, guest, Contractor]

    Posted Jul 16, 2024 05:31 AM

    Thank you very much for the reply.

    Which kind of enforcement do I need to set if I want guests to have access to only the Internet, so that they cannot ping employee machines, for example, or the VC?

    Thank you 




  • 5.  RE: Clearpass Role [ Employee, guest, Contractor]

    Posted Jul 16, 2024 06:12 AM

    Hi

    The best would be to place the guests on a separate VLAN and control the traffic from that VLAN. The VLAN should be firewalled to block all access to internal resources and only allow access to the Internet. This guest VLAN should also use external DNS servers, not the internal ones.

    Also, guests and employees should not be on the same SSID. I suppose you are using IAP access points, as you refer to the VC, and with these there is also an option to let the guest SSID use the NAT function in the VC and place the guests on a virtual VLAN. Create firewall rules in the role assigned to this VLAN to block access to internal resources.

    There are a lot of ifs and buts to consider during the design of the network and the configuration of ClearPass. Consult a local Aruba partner to get the best options in your case.



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP Guru 2024, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------



  • 6.  RE: Clearpass Role [ Employee, guest, Contractor]

    Posted Jul 16, 2024 08:13 AM

    Hi Jonas,

    Thank you for your reply

    I'm still a bit confused about my needs.

    Actually, I want to use the same SSID for employees and guests and separate them by roles (allow only the Internet for guests).

    That's what I was looking for. I don't want to add another SSID; I was just looking for a policy or a role to separate guests and employees on the same SSID.




  • 7.  RE: Clearpass Role [ Employee, guest, Contractor]

    Posted Jul 16, 2024 08:33 AM

    Jonas, 

    When you say create a VLAN, do I need to create the VLAN on the VC or in ClearPass?




  • 8.  RE: Clearpass Role [ Employee, guest, Contractor]

    Posted Jul 16, 2024 08:54 AM

    Hi

    The VLAN must be added in the VC, and of course also in the wired infrastructure.

    Can you explain your goal with having just one SSID, and why you don't want to add a second SSID? What is the problem you are trying to solve with just one SSID? The idea of having the same SSID for both guests and employees is very unconventional and against best practice. For employees it will be a less secure and possibly also annoying solution, with manual authentication if you have a captive portal, as discussed in your other thread.

    Please also describe other aspects of your network, like its size and whether employees need to access local resources.



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP Guru 2024, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------



  • 9.  RE: Clearpass Role [ Employee, guest, Contractor]

    Posted Jul 16, 2024 10:48 AM

    So my goal is:

    Employees need to access the Wi-Fi with their credentials on a captive portal (everyone will have their own username and password) and, if possible, connect to this SSID every day without typing their credentials (I think you said before it was MAC caching or something like that).

    For guests, I want access via captive portal with a request sent to a sponsor (I have already done that), but I want to give them access only to the Internet. Until now guests and employees have had the same access. I just want to separate them from the employee machines (deny SSH, ICMP, etc. for the guests).

    I thought it was better to have everyone on the same SSID and separate them by policies or roles; that's what I want.

    The reason I don't want another SSID is that we already have many (we have a Wi-Fi for training sessions that is active periodically) and another one for special machines that cannot connect with the normal captive portal (very secure, with many restrictions).




  • 10.  RE: Clearpass Role [ Employee, guest, Contractor]

    Posted Jul 17, 2024 07:07 AM

    I think it would be good to discuss this with your Aruba partner, as it's hard to take everything into consideration in a forum, and I would regret if you build the wrong solution or make a wrong decision based on what you got from a forum like the Airheads community.

    Separating the access by roles is not the problem. That works, and is a great method to control what users have access to (like guests, employees, contractors, IoT devices, etc.); and you could combine that with VLANs to get another layer of security if you can make routing between the guest VLAN and corporate networks impossible by VRF, PBR and/or firewalls.

    The fundamental problem with captive portals is that they work based on the client MAC address, and MAC addresses are very easy to spoof. If you have employees authenticated on the same network as guests, it's easy for an attacker to change their MAC address to that of an authorized client, then use that authorization to gain access to applications or parts of the network where they are not supposed to have access. For employees, the 'gold standard' is to use 802.1X (WPA2/3-Enterprise), which links the authentication to encryption and avoids the risk of MAC spoofing.

    As you have not shared everything about your network, it's hard to point you in the right direction, except that what you propose (use of a captive portal on the same SSID for guest and internal/employee access) sounds like a bad idea if you care about the security of your network. But there may be situations where you can do it, for example if the access is the same but different speed limits are applied; like in a hotel where you have standard access with low bandwidth and certain applications, and premium access with high bandwidth and full Internet access. Then in the worst case people get what they are not entitled to, but there is no access to internal applications that would form a risk.

    So, yes you can build this, but you probably shouldn't.

    Working with a specialist may get you an optimal design, taking into account all information.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------
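Putting posts 5 and 10 together as an added example (this is not configuration from any post in this thread, nor an Aruba reference config): an Aruba Instant (IAP) CLI fragment with a guest role that can reach only the Internet, and an employee SSID using WPA2-Enterprise against ClearPass, where the role is taken from the Aruba-User-Role VSA that a ClearPass enforcement profile returns for the [Employee] and [Guest] TIPS roles. The RADIUS server IP, shared secret, VLAN IDs, profile names and role names are placeholders; the guest SSID's captive-portal settings, which the original poster says are already in place, are left out.

```text
wlan auth-server cppm
 ip 10.10.10.5
 port 1812
 acctport 1813
 key SharedSecret-ChangeMe

wlan access-rule Guest-Internet-Only
 index 2
 rule any any match udp 67 68 permit
 rule 10.0.0.0 255.0.0.0 match any any any deny
 rule 172.16.0.0 255.240.0.0 match any any any deny
 rule 192.168.0.0 255.255.0.0 match any any any deny
 rule any any match any any any permit

wlan access-rule Employee
 index 3
 rule any any match any any any permit

wlan ssid-profile Employee
 enable
 index 0
 type employee
 essid Employee
 opmode wpa2-aes
 vlan 20
 auth-server cppm
 set-role Aruba-User-Role value-of
 captive-portal disable

wlan ssid-profile Guest
 enable
 index 1
 type guest
 essid Guest
 opmode opensystem
 vlan 30
 auth-server cppm
 set-role Aruba-User-Role value-of
```

How it fits together: on the ClearPass side, the enforcement policy maps TIPS role [Guest] to a RADIUS enforcement profile that returns Aruba-User-Role = Guest-Internet-Only, and [Employee] to one returning Aruba-User-Role = Employee; `set-role Aruba-User-Role value-of` makes the VC apply the access-rule of that name. In Guest-Internet-Only, DHCP is permitted first, then the three RFC 1918 ranges are denied before the final permit, so a guest cannot ping or SSH to employee machines or the VC as long as those sit in private address space (add a deny for any public range you route internally). Guests get their resolver from DHCP on VLAN 30, which should point at external DNS as post 5 recommends; the private-range denies stop them reaching an internal resolver regardless. The employee SSID uses 802.1X as post 10 recommends, so the role is bound to the client's encryption keys rather than to a spoofable MAC address.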



  • 11.  RE: Clearpass Role [ Employee, guest, Contractor]

    Posted Jul 17, 2024 08:14 AM

    Thank you very much for those clarifications.

    I think I don't have another choice; I need to set up another SSID and separate the guests from the employees.

    Thanks for all the answers, I really appreciate it.