Controllerless Networks

Occasional Contributor I

IAP Guest WiFi - Tell me why I'm wrong

Hi all,


So I'm in the process of setting up an IAP WiFi network to deal with corporate WiFi access on SSID1 and guest WiFi on SSID2. I've had no end of issues getting the guest WiFi side of this working, and I've tried virtually every solution I can find with no luck.


The issue: Guest WiFi connects fine, but after a few seconds I get "No Internet Connection", seemingly because of a DNS probe fail.


After playing around and not being able to find out where everything's going wrong I've gone with the following solution:


Local L2 DHCP Scope on the IAP linked to the guest SSID (VCM)

Network based access rules to ALLOW DHCP, DNS, HTTP/S, SMTP to all destinations

No deny rules


This seems to give me exactly what I want. I have a guest WiFi that gives me internet and email access, but doesn't let me ping or RDP to any network devices, no access to network shares etc. But my question is, am I actually getting what I'm seeing? Is there a way someone can still access the corporate network from the guest WiFi that I'm not aware of? Is there any reason for me to explicitly deny access to corporate network subnets if I only have allow specified for certain services?


So far, every time I've tried to include deny rules something breaks the guest WiFi along the way and I just can't find it, so if this setup is secure then I'm not too fussed about tearing the rest of my hair out.

Guru Elite

Re: IAP Guest WiFi - Tell me why I'm wrong

There is an implicit deny all at the end for your rules, so if it is not allowed, it is denied. Add a rule to allow everything at the end.

*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
Occasional Contributor I

Re: IAP Guest WiFi - Tell me why I'm wrong

Excellent, thanks for that 


Based off of that I'm going to assume that what I want is working then if there are implicit denies for everything else. I just want users on the guest WiFi to have the ability to browse internet and use email whilst having no access to our corporate network. Sounds like that's what I have :)
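
The rule set from the first post, modelled as an added example (not part of the thread and not Aruba's code): a first-match evaluator with the implicit deny described in the reply, checked against probes toward a corporate subnet. The subnet 10.10.0.0/16, the probe addresses and all function names are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

ANY = "0.0.0.0/0"
CORP = "10.10.0.0/16"  # constructed corporate subnet, not taken from the thread

@dataclass(frozen=True)
class Rule:
    proto: str     # "tcp" or "udp"
    ports: range   # destination ports the rule matches
    dest: str      # destination network in CIDR form
    action: str    # "permit" or "deny"

def allow(proto, lo, hi=None, dest=ANY):
    return Rule(proto, range(lo, (hi or lo) + 1), dest, "permit")

def evaluate(rules, proto, port, dst_ip):
    """First matching rule wins; no match falls through to the implicit deny."""
    addr = ipaddress.ip_address(dst_ip)
    for r in rules:
        if r.proto == proto and port in r.ports and addr in ipaddress.ip_network(r.dest):
            return r.action
    return "deny"

# Guest policy as described: allow DHCP, DNS, HTTP/S, SMTP to all destinations.
GUEST_RULES = [
    allow("udp", 67, 68), allow("udp", 53), allow("tcp", 53),
    allow("tcp", 80), allow("tcp", 443), allow("tcp", 25),
]

def with_corp_deny(rules):
    """Variant: deny every TCP/UDP port to CORP ahead of the allow rules."""
    deny = [Rule(p, range(0, 65536), CORP, "deny") for p in ("tcp", "udp")]
    return deny + list(rules)

# Constructed probes: (protocol, destination port, destination address).
PROBES = [
    ("tcp", 3389, "10.10.1.20"),    # RDP to a corporate host
    ("tcp", 445, "10.10.1.20"),     # SMB file share
    ("tcp", 443, "10.10.1.20"),     # HTTPS on an internal server
    ("udp", 53, "10.10.1.53"),      # DNS resolver inside the corporate range
    ("tcp", 443, "93.184.216.34"),  # HTTPS to an internet host
]

def audit(rules):
    return {probe: evaluate(rules, *probe) for probe in PROBES}

if __name__ == "__main__":
    for probe in PROBES:
        print(probe, audit(GUEST_RULES)[probe], audit(with_corp_deny(GUEST_RULES))[probe])
```

In this model RDP and SMB toward the corporate subnet fall to the implicit deny, while TCP 443 and UDP 53 to the same subnet match the "all destinations" allow rules. The variant with the deny placed first blocks those as well, including DNS when the resolver sits inside the denied range.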
