Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clearpass Role

  • 1.  Clearpass Role

    Posted 22 days ago

    Hello,

    I'm facing an issue with my ClearPass, so here is my config:

    I have a captive-portal Wi-Fi SSID with ClearPass which is working fine, but I want to add more security:

    My captive portal is the same for guests and employees (I already created an account for every employee), and for guests they use a registration with sponsor confirmation, which is working fine.

    But I'm a little bit worried about the same Wi-Fi SSID connection (guests and employees are connecting to the same SSID; the only difference is that the employee uses his account and the guest sends a request to his sponsor).

    Is there any way to separate them, to let guests just have access to the internet only? For example, I want to deny a guest from pinging the gateway or an employee machine, because they are in the same subnet.

    I know there are different roles for that, but I'm not familiar with those configs and I don't know the difference between them!

    Could you please give me some tips to do that?

    Thank you in advance 



  • 2.  RE: Clearpass Role

    Posted 22 days ago

    In my view, you should not use captive portal for any trusted access. Corporate devices should use strong network authentication, like WPA2/3-Enterprise, or if scale does not allow that, use a WPA2-PSK/WPA3-SAE network with a strong passphrase.

    What you are asking seems to be an insecure solution in the end, so if you want to make it secure, it's probably best to work with your local Aruba partner and start creating a design that meets your security, performance and user-experience requirements.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 3.  RE: Clearpass Role

    Posted 22 days ago

    Thanks for your reply,

    I thought that when I set up this functionality, it was the best way to have a secure network for both of them (employees and guests). I was thinking that every employee accessing Wi-Fi with his own credentials is more secure than using one Wi-Fi for all employees with the same password, and we want to use this system to monitor everything with ClearPass.

    Now, I can create a strong password for employees, but my question is still the same: is there any way to separate guests and employees in the same SSID? As I said before, I don't want a successful ping from a guest machine to an employee machine.

    Is there a policy or role that can apply?

    Thank you




  • 4.  RE: Clearpass Role

    Posted 22 days ago

    Hi

    Depending on how you manage your access points, you can implement MPSK and have different PSKs for employees, guests and devices, and assign them to different VLANs or different roles with ACLs blocking access to internal resources for guests. But there is no good way to combine employees and guests in the same SSID, especially if you would like to use different types of authentication for the two categories of users.

    Having two separate SSIDs is the best practice.

    I fully agree with Herman that you should work with an Aruba partner or Aruba SE to find the best solution in your case.



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP Guru 2024, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------
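As an added illustration of the "different roles with ACLs" approach Jonas describes (this is not from any post in the thread), here is what a guest role that only reaches the internet looks like in ArubaOS controller-style firewall policy syntax. The role and ACL names are assumptions; ClearPass would return the chosen role to the controller in the Aruba-User-Role VSA from an enforcement profile. The ACL permits DHCP and DNS first, then denies user-to-user traffic and all RFC 1918 destinations (which covers the gateway and the employee subnet the original poster wants to protect), and only then permits everything else, because session ACLs are evaluated top-down:

```text
! Guest role: DHCP and DNS, then internet only (added example, names assumed).
! Permits for DHCP/DNS come first so an internal resolver still answers.
ip access-list session guest-internet-only
  user any svc-dhcp permit
  user any svc-dns permit
  user user any deny
  user network 10.0.0.0 255.0.0.0 any deny
  user network 172.16.0.0 255.240.0.0 any deny
  user network 192.168.0.0 255.255.0.0 any deny
  user any any permit

user-role guest-internet-only
  access-list session guest-internet-only

! Employee role: full access here; tighten to actual needs in production.
ip access-list session employee-access
  user any any permit

user-role employee
  access-list session employee-access

! The weak arrangement the thread warns against: one role for everybody,
! so a guest and an employee land in the same role with the same rights.
! user-role captive-portal-users
!   access-list session allowall
```

Two caveats a practitioner would check: the role only restricts a client after it has been authenticated and placed in that role, so it does not fix the shared-SSID authentication weakness Herman points out; and the `user user any deny` line only helps where client-to-client traffic actually traverses the enforcement point, so verify with a ping from a guest client to an employee client and to the gateway after applying it.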



  • 5.  RE: Clearpass Role

    Posted 22 days ago

    Thank you very much for those explanations,

    I see the situation much better now. I'll try to add another SSID.

    Many thanks for the tips




  • 6.  RE: Clearpass Role

    Posted 21 days ago

    I have another question, please:
    When I create accounts for employees, they need to type their username & password every time.
    Is there any way that the captive-portal Wi-Fi saves it, so that, for example, if an employee needs to connect another time, he doesn't need to type his username & password again? I need this with captive portal; I know I can do this with a normal Wi-Fi SSID, but I want to do this with captive portal.

    Thank you




  • 7.  RE: Clearpass Role

    Posted 21 days ago

    What I think you are asking for is MAC caching. This is something normally implemented for guests so they don't need to re-authenticate throughout their visit. Not something you would implement for employees.

    MAC authentication is a weak authentication method and not secure, as it's easy to spoof the MAC address of a device.

    For employees the authentication should be 802.1X, or, as mentioned above, PSK.



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP Guru 2024, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------