Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Aruba Guest Access For Cisco (or any other) WLAN?

  • 1.  Aruba Guest Access For Cisco (or any other) WLAN?

    Posted Jun 27, 2014 11:42 AM

    Please don't be too cruel... and "switch to Aruba!" really won't help me :) And there is ZERO interest in social Wi-Fi here.

     

    I run a large Cisco WLAN, and the native guest access functionality has never been suitable for our straightforward needs. So, for years, we've used a Bluesocket gateway on a dedicated guest VLAN/SSID to accomplish the following:

     

    - Anyone with our 802.1x credentials can sponsor a guest using either guest email address or 10-digit mobile phone number

    - Any guest can self-sponsor, but only with 10 digit mobile phone number that gets the password texted to them

    - We control data rate, session durations, firewall rules etc in the Bluesocket for guests

    - When we need a place to stick oddball wireless devices (like Google Glass) that can't do 802.1x we give them a MAC exception in the Bluesocket

     

    This all works great, and is what works for us. I know there are many other options out there for guest access/MAC exceptions (we also use Twilio on Meraki sites for texting/self sponsor) but I'd love to find an exact replacement for Bluesocket that replicates all the same functionality from a single appliance that could drop in instead of Bluesocket. Adtran bought Bluesocket, and I don't care for their response, support, or direction. Amigopod had me intrigued at one point, but not sure how the Aruba integration may have changed it.

     

    So my question is this: is anything in the Aruba line a potential single-box guest access portal appliance for non-Aruba networks, as described above?

     

    Thanks,

     

    Lee Badman

     

     



  • 2.  RE: Aruba Guest Access For Cisco (or any other) WLAN?

    EMPLOYEE
    Posted Jun 27, 2014 12:03 PM

    Take a look at the ClearPass solution, http://www.arubanetworks.com/products/clearpass/

     

    It is very feature rich and will probably meet all of your needs and more.  It integrates with Cisco and many other vendors.

     

     



  • 3.  RE: Aruba Guest Access For Cisco (or any other) WLAN?

    EMPLOYEE
    Posted Jun 27, 2014 12:05 PM
    ClearPass guest will do everything you are asking.


  • 4.  RE: Aruba Guest Access For Cisco (or any other) WLAN?

    Posted Jun 27, 2014 01:06 PM

    I assumed it would- thanks to both of you.  Are you aware of anyone using it outside of Aruba, in the traditional bolt-on single VLAN portal kinda way?



  • 5.  RE: Aruba Guest Access For Cisco (or any other) WLAN?

    EMPLOYEE
    Posted Jun 27, 2014 01:21 PM
    A good chunk of the CPG customer base uses the product with other vendors.


  • 6.  RE: Aruba Guest Access For Cisco (or any other) WLAN?

    Posted Jun 27, 2014 01:32 PM

    Thanks Tim.



  • 7.  RE: Aruba Guest Access For Cisco (or any other) WLAN?
    Best Answer

    Posted Jun 28, 2014 03:50 PM

    Hi Lee, just a couple of things to add to the discussion. ClearPass can absolutely work in multi-vendor networks and provide the guest registration/sponsoring and authentication services you describe. One difference though with Bluesocket is that ClearPass is not an inline device; it works out of band and uses protocols like RADIUS and HTTP/S to interface with the network infrastructure. So aside from bandwidth quotas, ClearPass itself does not do firewall policies or rate limiting of traffic.

     

    You can however configure specific role-based policies on ClearPass that will trigger enforcement actions on a NAS device such as your Cisco WLC (same is true for Cisco switches). You can send back RADIUS attributes and dACLs to enforce basic firewall and QoS policies. You can also configure ClearPass to send upstream messages to your internet firewall and provide a deeper layer 7 enforcement. Given you are talking mainly about guest access, you can probably just plumb the guest VLAN through a specific firewall zone and policy, although I would need to better understand the types of roles and FW policies currently in use on your Bluesocket boxes.

     

    One other thing to note: ClearPass can also interface with your Bluesocket environment if you want to retain its inline firewalling capabilities. You could centralize all of the actual guest sponsoring, device registration and guest authentication with ClearPass and just use the Bluesocket boxes to enforce firewall and network policies as they are today. This is a known use case that we have working at other locations around the world and may be an interesting option for you.

     

    We can have one of our ClearPass technical specialists reach out to you to discuss further if that's of interest. Also happy to answer any other questions on this forum.

     

    --Carlos



  • 8.  RE: Aruba Guest Access For Cisco (or any other) WLAN?

    Posted Jun 30, 2014 06:52 PM

    I have deployed ClearPass Guest for sponsored guest access on a Cisco WLAN for one of our large university clients.

     

    Works fine with Cisco, you just need to set L3 web authentication on the WLCs, configure the RADIUS servers and ensure that the WebACL permits access to the ClearPass server.

     

    I think there is an old Amigopod Cisco WLC integration guide on the support site which will give some guidance.

     

    Scott