Controllerless Networks

Contributor I

Re: Guest client isolation



This is not an encrypted network but a compeletely open guest one with a captive portal for agreeing with usage rules.


The problem is that the government auditor is quite stubborn regarding this matter and it's very hard for me to explain to him that there's not much security risk in having ARP there. But he only fires up Fing, shows me the other clients and says it's not ok per rules.

Guru Elite

Re: Guest client isolation

I want to say that you should contact a security consultant and work with them to understand what the government wants and how to achieve it.  Even if the WLAN system isolates clients a wireless packet capture easily reveals the contents of all traffic on an open SSID.  Client isolation on an Open SSID only isolates clients from seeing each other if they are actually in range and joined to the network.  Anyone out of range can easily passively see, intercept and even change what users transmit and receive, regardless of WLAN manufacturer, on an open SSID.  There should not be any expectation of any type of security beyond SSL encryption or a VPN on an open network.

*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
ArubaOS 8.5 User Guide
InstantOS 8.5 User Guide
Airheads Knowledgebase
Airheads Learning Videos
Aruba Central Documentation
ArubaOS Consolidated Release Notes
Aruba Technical Webinars

Re: Guest client isolation

I could not test or verify my idea but wanted to share it nevertheless. What about implementing the user isolation on the switch level? This assumes you do not use the magic guest VLAN, but a self-defined VLAN. With a self-defined VLAN, the clients are simply put into this VLAN to reach the gateway, which could be the instant master or any other gateway device. and if you enable some private VLAN stuff or port isolation. This will complete preventing devices to see each other if they are connected to different AP's. and from my understanding, Client Isolation should prevent Clients from the same AP to see each other. 

Hope this will give additional ideas to solve the issue. 



I fully agree with the others, that client isolation for an open SSID makes no sense, as you will alway be able to see all the traffic of the others, connected to the SSID. 


visit our Youtube Channel:
Please visit my personal blog as well:
Search Airheads
Showing results for 
Search instead for 
Did you mean: