Controllerless Networks

Instant Mode - the controllerless Wi-Fi solution that's easy to set up, is loaded with security and smarts, and won't break your budget
Guest client isolation

  • 1.  Guest client isolation

    Posted Aug 26, 2017 08:28 AM

    Hello,
    I'm a bit stumped regarding the client isolation in Aruba Instant wireless network.

    Basically, to follow government regulations for public Wi-Fi and for obvious security reasons, I need to make all the clients connecting to the same SSID invisible to each other.

    I have enabled the Deny Inter User Bridging and Routing options under System and in the SSID settings, and ARP broadcast filtering, but I'm still unable to stop clients browsing the same subnet and seeing every other IP connected.
    What am I missing? On other vendors there's usually a simple option like "AP Isolation" or similar that would stop clients on the same SSID seeing each other.
    Do I also need to create an Access Control Rule to disable all the traffic to the same subnet (except the gateway IP)? Seems like a crude option.



  • 2.  RE: Guest client isolation

    EMPLOYEE
    Posted Aug 26, 2017 01:24 PM

    What tools are you using to discover other clients?



  • 3.  RE: Guest client isolation

    Posted Aug 27, 2017 02:20 AM

    Hello,
    For example, I'm still able to do a ping sweep in the subnet and discover all the IPs and MAC addresses, and identify devices from the latter. I'm sure I'm missing some elementary setting on the Instant OS.
    Best regards



  • 4.  RE: Guest client isolation

    EMPLOYEE
    Posted Aug 27, 2017 03:08 AM

    Deny inter user bridging only works to block traffic between users on your Instant cluster. You would still be able to discover clients on the same subnet if they are wired or in another cluster. You would need an ACL to block traffic to/from the same subnet for clients that are not users in your Instant cluster.
    If you specifically want to block ARPs, it is all or nothing (all ARPs, including for the default gateway, will be blocked). You can use the ACL example below:

    [attachment: Screenshot 2017-08-27 at 02.06.39.png]



  • 5.  RE: Guest client isolation

    Posted Aug 27, 2017 07:43 AM

    As there should be no communication between the clients in the guest subnet I guess I can block everything except traffic to the gateway IP.
    Would this kind of rule be OK? Or would it be better to make two rules: allow all to the gateway IP, followed by a block-all rule for the subnet?

  • 6.  RE: Guest client isolation

    EMPLOYEE
    Posted Aug 27, 2017 12:37 PM

    You can block all traffic to the subnet. Nothing from an IP perspective is actually sent with a destination of the default gateway.



  • 7.  RE: Guest client isolation

    Posted Aug 28, 2017 03:01 AM

    Unfortunately I'm still not able to get it working properly.
    Blocking all ARP will indeed accomplish the desired effect and other clients are no longer discovered. But this also completely kills off any connectivity to any other places.
    Blocking all traffic to the subnet will also kill off any connectivity, as the clients won't be able to get an IP from the gateway, which also serves DHCP and the captive portal. Allowing traffic only to the gateway IP, on the other hand, also makes all the other clients discoverable on the subnet.
    I'm out of ideas :(



  • 8.  RE: Guest client isolation

    EMPLOYEE
    Posted Aug 28, 2017 03:15 AM

    I guess you have created the rule from above. If you block anything, you also block DHCP/DNS. You have to create a rule which allows at least DHCP/DNS to let your clients get an IP and look up DNS names.
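Posts 4 to 8 above describe the ordering problem with a role ACL: a single "deny everything to the guest subnet" rule also catches the unicast DHCP renewal and DNS queries to the gateway, so the allows for those services have to sit before the deny. The following Python model of first-match ACL evaluation is an added example, not Aruba Instant code and not something posted in the thread; the subnet, gateway, sample flows, rule labels and the captive-portal allow on TCP 80 are constructed assumptions. It models only the IP ACL: ARP is a layer-2 exchange that, as the thread says, such an ACL cannot selectively filter.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional

# Constructed sample addressing: the guest VLAN and its gateway, which in the
# thread also serves DHCP, DNS and the captive portal.
GUEST_SUBNET = ip_network("192.168.50.0/24")
GATEWAY = ip_address("192.168.50.1")
GATEWAY_HOST = ip_network("192.168.50.1/32")


@dataclass(frozen=True)
class Flow:
    """One client-originated IP flow: destination, protocol, destination port."""
    name: str
    dst: IPv4Address
    proto: str                    # "udp", "tcp" or "icmp"
    dport: Optional[int] = None   # None for icmp


@dataclass(frozen=True)
class Rule:
    """One ACL entry. A None field means 'any'."""
    action: str                   # "allow" or "deny"
    dst_net: Optional[IPv4Network]
    proto: Optional[str] = None
    dport: Optional[int] = None
    label: str = ""

    def matches(self, flow: Flow) -> bool:
        if self.dst_net is not None and flow.dst not in self.dst_net:
            return False
        if self.proto is not None and flow.proto != self.proto:
            return False
        if self.dport is not None and flow.dport != self.dport:
            return False
        return True


def evaluate(acl: List[Rule], flow: Flow) -> str:
    """First matching rule wins; an ACL that matches nothing denies."""
    for rule in acl:
        if rule.matches(flow):
            return rule.action
    return "deny"


# Rule set as in post 7: one deny for the whole subnet, placed first. It also
# catches the unicast DHCP renewal and DNS queries sent to the gateway.
NAIVE_ACL = [
    Rule("deny", GUEST_SUBNET, label="block-guest-subnet"),
    Rule("allow", None, label="allow-anything-else"),
]

# Rule set following post 8: explicit allows for DHCP and DNS (plus the
# captive portal, an assumption made here) placed before the subnet deny.
ISOLATION_ACL = [
    Rule("allow", None, "udp", 67, label="dhcp-to-server"),
    Rule("allow", GATEWAY_HOST, "udp", 53, label="dns-to-gateway"),
    Rule("allow", GATEWAY_HOST, "tcp", 80, label="captive-portal"),
    Rule("deny", GUEST_SUBNET, label="block-guest-subnet"),
    Rule("allow", None, label="allow-anything-else"),
]

# Constructed traffic a guest client would generate (203.0.113.0/24 is a
# documentation range standing in for "the Internet").
SAMPLE_FLOWS = [
    Flow("dhcp-renew", GATEWAY, "udp", 67),
    Flow("dns-lookup", GATEWAY, "udp", 53),
    Flow("portal-page", GATEWAY, "tcp", 80),
    Flow("ping-neighbour", ip_address("192.168.50.42"), "icmp"),
    Flow("ssh-neighbour", ip_address("192.168.50.42"), "tcp", 22),
    Flow("https-internet", ip_address("203.0.113.10"), "tcp", 443),
]


def audit(acl: List[Rule]) -> Dict[str, str]:
    """Return the verdict for every sample flow under the given ACL."""
    return {flow.name: evaluate(acl, flow) for flow in SAMPLE_FLOWS}


if __name__ == "__main__":
    for name, acl in (("naive", NAIVE_ACL), ("isolation", ISOLATION_ACL)):
        print(name, audit(acl))
```

Running it shows the naive ACL denying `dhcp-renew` and `dns-lookup` while the reordered one allows them and still denies both neighbour flows; the same first-match walk is what to check by hand against the real role ACL before pushing it to the cluster.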



  • 9.  RE: Guest client isolation

    Posted Aug 30, 2017 03:59 AM

    It seems that the only solution would be to drop all ARP packets except those to the default gateway, which currently can't be done.
    This does generate trouble for us, as the government auditors are not happy when other devices are seen on the public VLAN, even when there's no other traffic allowed between them.
    Maybe this option could be added in a future firmware.



  • 10.  RE: Guest client isolation

    EMPLOYEE
    Posted Aug 30, 2017 04:20 AM

    Is this WLAN encrypted? If it is a public WLAN and it is unencrypted, it is pretty easy to see any traffic going anywhere in the air. Clients can contact each other directly and user isolation will not help.



  • 11.  RE: Guest client isolation

    Posted Aug 30, 2017 04:29 AM

    Hello,
    This is not an encrypted network but a completely open guest one, with a captive portal for agreeing to the usage rules.
    The problem is that the government auditor is quite stubborn regarding this matter and it's very hard for me to explain to him that there's not much security risk in having ARP there. But he only fires up Fing, shows me the other clients and says it's not ok per rules.
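On the wire, the auditor's Fing run in the post above is a burst of ARP who-has requests for every address in the guest subnet, which the APs cannot selectively suppress. As an added example that is not from the thread or from Aruba, the following Python script parses a constructed ARP request log (the line format is an assumption) and flags any sender that queries an unusually large number of distinct targets within a short window. That is how a monitoring point on the guest VLAN could at least record such sweeps for the audit trail.

```python
from collections import Counter, defaultdict, deque
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class ArpRequest:
    ts: float          # seconds since capture start
    sender_mac: str
    sender_ip: str
    target_ip: str


def parse_arp_log(text: str) -> List[ArpRequest]:
    """Parse constructed lines of the form
    '<ts> ARP who-has <target_ip> tell <sender_ip> <sender_mac>'.
    Lines that do not fit are skipped."""
    out = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) != 7 or parts[1] != "ARP" or parts[2] != "who-has":
            continue
        out.append(ArpRequest(float(parts[0]), parts[6], parts[5], parts[3]))
    return out


def find_sweepers(reqs: List[ArpRequest], window_s: float = 10.0,
                  threshold: int = 20) -> Dict[str, int]:
    """Return {sender MAC: peak number of distinct target IPs asked for within
    any window_s-second window} for senders whose peak reaches threshold.
    A normal client asks for a handful of addresses; a subnet sweep asks for
    hundreds in a few seconds."""
    by_sender = defaultdict(list)
    for r in reqs:
        by_sender[r.sender_mac].append(r)

    flagged: Dict[str, int] = {}
    for mac, rs in by_sender.items():
        rs.sort(key=lambda r: r.ts)
        window: deque = deque()        # requests inside the sliding window
        counts: Counter = Counter()    # distinct targets inside the window
        peak = 0
        for r in rs:
            window.append(r)
            counts[r.target_ip] += 1
            # Evict requests older than the window.
            while window and window[0].ts < r.ts - window_s:
                old = window.popleft()
                counts[old.target_ip] -= 1
                if counts[old.target_ip] == 0:
                    del counts[old.target_ip]
            peak = max(peak, len(counts))
        if peak >= threshold:
            flagged[mac] = peak
    return flagged


def _build_sample_log() -> str:
    """Constructed capture: one ordinary client plus one host sweeping the /24."""
    lines = []
    # An ordinary client resolving the gateway a few times over a minute.
    for t in (0.0, 12.5, 33.0, 58.0):
        lines.append(f"{t:.3f} ARP who-has 192.168.50.1 tell 192.168.50.23 02:00:00:00:00:23")
    # A sweep: one host asks for every address in the /24 in under five seconds.
    for i in range(1, 255):
        t = 20.0 + i * 0.018
        lines.append(f"{t:.3f} ARP who-has 192.168.50.{i} tell 192.168.50.77 02:00:00:00:00:77")
    return "\n".join(lines)


SAMPLE_LOG = _build_sample_log()


if __name__ == "__main__":
    for mac, peak in find_sweepers(parse_arp_log(SAMPLE_LOG)).items():
        print(f"ARP sweep from {mac}: {peak} distinct targets in one window")
```

The window and threshold are tuning knobs: on a busy guest VLAN a legitimate client rarely resolves more than a few peers in ten seconds, so a threshold of 20 distinct targets separates a sweep from normal churn while staying well below the 254 a full /24 scan produces.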



  • 12.  RE: Guest client isolation

    EMPLOYEE
    Posted Aug 30, 2017 04:41 AM

    I want to say that you should contact a security consultant and work with them to understand what the government wants and how to achieve it. Even if the WLAN system isolates clients, a wireless packet capture easily reveals the contents of all traffic on an open SSID. Client isolation on an open SSID only isolates clients from seeing each other if they are actually in range and joined to the network. Anyone out of range can easily passively see, intercept and even change what users transmit and receive, regardless of WLAN manufacturer, on an open SSID. There should not be any expectation of any type of security beyond SSL encryption or a VPN on an open network.



  • 13.  RE: Guest client isolation

    EMPLOYEE
    Posted Aug 30, 2017 04:44 AM

    I could not test or verify my idea but wanted to share it nevertheless. What about implementing the user isolation on the switch level? This assumes you do not use the magic guest VLAN, but a self-defined VLAN. With a self-defined VLAN, the clients are simply put into this VLAN to reach the gateway, which could be the Instant master or any other gateway device, and if you enable some private VLAN feature or port isolation, this will completely prevent devices from seeing each other if they are connected to different APs. From my understanding, client isolation should prevent clients on the same AP from seeing each other.

    Hope this will give additional ideas to solve the issue. 
    ***UPDATE***

    I fully agree with the others that client isolation for an open SSID makes no sense, as you will always be able to see all the traffic of the others connected to the SSID.