Controllerless Networks


Instant Mode - the controllerless Wi-Fi solution that's easy to set up, is loaded with security and smarts, and won't break your budget

Roles by MAC?

  • 1.  Roles by MAC?

    Posted Sep 21, 2013 09:37 AM

    Hi all!

    This is my first time setting up both Aruba and Instant :)

    Need some help with authentication.

     

    I have 2 IAP-93s running Instant 6.2.1.0-3.4.0.0_39086.

    AP1: 192.168.7.2

    AP2: 192.168.7.3

    Instant controller: 192.168.7.4

    DHCP, gateway: 192.168.7.1

    Users: 192.168.7.(5-254)


    I need to split VIP users and employees:

    VIPs must have unrestricted access.

    Employees must have the required URLs blocked (youtube, facebook, etc.).

    All users must see a single SSID on their devices.

    There must not be any portals or splash pages for any users - just find the appropriate SSID and enter the password.

     

    I found some info on community, but still have questions.

     

    If I create a guest SSID with the internal auth server and MAC-based auth, how do I avoid the auth portal? How do I create different roles and rules for VIP users authenticated by MAC and for users whose MACs are not in the VIP list? That is, regarding blocking URLs for non-VIPs?

     

    Thanks a lot!

    I have time until Monday to solve it :(

     



  • 2.  RE: Roles by MAC?

    EMPLOYEE
    Posted Sep 21, 2013 12:04 PM

    Authentication via MAC address is not very secure, since a MAC address can easily be spoofed. Add to that, MAC auth uses the MAC for both the username and password, so there's really no good way to secure it that way.

     

    For employees (VIP and regular), you could leverage user based security and still leverage the internal auth server built into Instant if needed. Optionally, you can instead use Active Directory or some external RADIUS server to authenticate employees, if you already have a directory server somewhere.

     

    For guests, usually the open SSID with captive portal (whether or not you challenge for password or username) is the easiest, as you don't require any special configuration on the guest's computer to connect. MAC auth is not ideal here, because the guest would have to provide you with their MAC address so that you can manually add them into the authentication server, and it still doesn't stop the bad guy from spoofing a valid guest MAC. I've seen some guest networks use a Pre-Shared Key just for the Guest SSID (so using two SSIDs; one for guest and one for employees) and rotate that PSK at some interval if they wanted to secure the guest network without captive portal.

     

    Does that help spark some ideas? Post any questions and we can get into more detail.



  • 3.  RE: Roles by MAC?

    Posted Sep 21, 2013 02:03 PM

    cclemmer, thanks a lot!

     

    Sorry, I didn't write about that in the previous post... I use WPA2-PSK.

    The client who wants this Wi-Fi project wants only a single SSID and a single password for Wi-Fi - he doesn't want 2 SSIDs and doesn't want to enter any login/password every time he opens his laptop... Thus I need to solve how to split his employees and VIPs without all of this...

     

    I found a mac-address attribute in the rules for assigning roles, but the user guide says:

    "IAP uses the OUI part of a MAC address to identify the device manufacturer and assigns a desired role for users who have completed 802.1X authentication and MAC authentication."

    What if I use role derivation by the mac-address attribute, and the VIP has xx:xx:xx:xx:12:34:56:78 and the non-VIP has xx:xx:xx:xx:12:34:56:79? Will the result be the same role for both of them?


    Is it possible to enable WPA2-Enterprise, 802.1X with 2 types of certificates - one for VIP and another for non-VIP users? Is it possible to assign roles by these certs?

     

    Finally, is it possible to enable keyword URL blocking for different roles? I found only the default types of access control rules - the only suitable way is IP blocking. Thus if I need to block youtube, do I need to do nslookup youtube.com and add every IP as blocked? The result will be dubious.



  • 4.  RE: Roles by MAC?

    Posted Sep 21, 2013 05:09 PM

    Just throwing a couple of things out there, though they do not meet your needs...

     

    We do have a partnership with OpenDNS for content filtering for the IAP; however, filtering is enabled on a per-SSID basis. As such, with your requirement of a single SSID, unfortunately, this is not a workable solution.

     

    We can do VLAN derivation based on a RADIUS attribute; however, that would require 802.1X auth rather than a PSK. If you could go this route, the two different classes of users could get dumped into separate VLANs and then you would police the traffic upstream. The same could be done with MAC auth on the RADIUS server: have the server return a Filter-Id, and you can key off the Filter-Id to assign a role which ties the user to different firewall policies... which, as you noted, may not meet your needs.
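    The exchange in posts 2 through 4 turns on two points: MAC auth sends the client's own MAC as both username and password (post 2), and role derivation keyed on the OUI cannot tell two devices from the same manufacturer apart (post 3), whereas a RADIUS server doing MAC auth can return a per-device Filter-Id the IAP keys off (post 4). The following is an added example, not code from the thread or from Aruba, that models the RADIUS-side decision for both derivation methods. All MAC addresses, the rule tables, and the role names are constructed for illustration; the IAP's actual MAC username format and Filter-Id-to-role mapping are configured on the device and are assumed here, not reproduced.

```python
import re
from typing import Optional

# Constructed sample policy (hypothetical MAC addresses, not from the thread).
# "Exact" rules key on the full address; "OUI" rules key on the first three
# octets, which identify the manufacturer, as the Instant user guide describes.
EXACT_RULES = {
    "001122334456": "vip",          # the VIP's laptop
}
OUI_RULES = {
    "001122": "vip",                # every device from this manufacturer
}
DEFAULT_ROLE = "employee"           # role whose firewall policy blocks the URLs

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac: str) -> str:
    """Canonicalise a MAC to 12 lowercase hex digits.

    A NAS may send the MAC-auth username as aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF,
    aabb.ccdd.eeff or AABBCCDDEEFF depending on its username-format setting;
    matching on the raw string silently misses entries. Anything that is not
    six octets (for example the 8-group value quoted in post 3) is rejected.
    """
    digits = re.sub(r"[:\-.]", "", mac.strip().lower())
    if not _HEX12.match(digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def role_by_exact_mac(mac: str) -> str:
    """Derivation keyed on the full address: two devices that differ only in
    the last octet get different roles."""
    return EXACT_RULES.get(normalize_mac(mac), DEFAULT_ROLE)


def role_by_oui(mac: str) -> str:
    """Derivation keyed on the OUI only: every device from the same
    manufacturer gets the same role, which is what post 3 asks about."""
    return OUI_RULES.get(normalize_mac(mac)[:6], DEFAULT_ROLE)


def mac_auth_reply(username: str, password: str, mode: str = "exact") -> Optional[dict]:
    """Model of the RADIUS side of MAC auth (assumed behaviour, not Aruba code).

    MAC auth carries the MAC as both User-Name and User-Password, so the only
    credential check possible is that the two agree; whoever presents a valid
    MAC gets that MAC's role, which is the spoofing caveat from post 2. On
    success the reply carries Filter-Id for the IAP to map to a role (post 4).
    Returns None to stand for Access-Reject.
    """
    try:
        mac = normalize_mac(username)
        if mac != normalize_mac(password):
            return None
    except ValueError:
        return None
    derive = role_by_exact_mac if mode == "exact" else role_by_oui
    return {"Filter-Id": derive(mac)}


def compare_derivation(macs):
    """Per MAC, the role under exact-match and under OUI-only derivation."""
    return {m: (role_by_exact_mac(m), role_by_oui(m)) for m in macs}


if __name__ == "__main__":
    # Constructed pair: same manufacturer, last octet differs (as in post 3).
    vip, non_vip = "00:11:22:33:44:56", "00:11:22:33:44:57"
    for mac, (exact, oui) in compare_derivation([vip, non_vip]).items():
        print(f"{mac}: exact-match role={exact}, OUI role={oui}")
    # Anyone who sets their interface to the VIP's MAC receives the VIP reply.
    print("reply for a client presenting the VIP MAC:", mac_auth_reply(vip, vip))
```

Run as-is, the two constructed addresses get different roles under exact matching and the same role under OUI matching, and the reply for the VIP MAC is identical whether the real VIP or a spoofing client presents it; nothing in the exchange distinguishes them.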



  • 5.  RE: Roles by MAC?

    Posted Sep 22, 2013 12:38 PM

    Marcus, thanks a lot!

     

    I think this task is unreachable...

     

    I'll try to do something about the client's needs... :(



  • 6.  RE: Roles by MAC?
    Best Answer

    Posted Nov 15, 2013 02:55 PM

    Solved by creating 2 SSIDs - one WPA2-PSK-AES for employees and one WPA2-PSK-AES for VIPs with a hidden SSID.

    This solution satisfied my customer.

    Thanks a lot for help!