New Contributor

Best Practice for Wireless Guest with Clearpass

Considering a WiFi network with an Aruba controller 8.x and ClearPass.

How do we separate the guest network completely from the corporate LAN, including separate DHCP and DNS for guest users (using captive portal)? What is the recommendation?

Is there any reference VRD or document on this? Kindly advise.

Super Contributor II

Re: Best Practice for Wireless Guest with Clearpass

Please see this VRD for guest. All of the concepts are the same (roles, ACLs, VLANs, etc.) but may be located somewhere else in the GUI for AOSv8: https://community.arubanetworks.com/aruba/attachments/aruba/Aruba-VRDs/157/3/Guest%20Access%20with%20ArubaOS.pdf

You can assign all of the guest roles to a separate VLAN on the same trunk link, or spin up a separate interface terminating to a firewall. In that VLAN, you can assign the DHCP addresses from an upstream L3 device (recommended), or locally on the controller VLAN interface.

Dustin Burns
Senior Mobility and Access Engineer @WEI
ACMX #509 | ACCX #1272 | ACSP | ACDA | ACEP | CCNP | CCDP | CCNA Wireless

If my post addresses your queries, give kudos and accept as solution!
New Contributor

Re: Best Practice for Wireless Guest with Clearpass

Thanks, any recommendations on (internal or public) DNS and captive portal?

Super Contributor II

Re: Best Practice for Wireless Guest with Clearpass

I can tell you from my experience, most organizations just allow DNS to their internal DNS servers, or a few of them, and either use internal captive portal in the controller, or ClearPass/ISE for external. Depends on what kind of guest experience you want for your users. For most, the guest user VLAN/subnet is always off of a firewall in a DMZ or external zone.

Dustin Burns
Senior Mobility and Access Engineer @WEI
ACMX #509 | ACCX #1272 | ACSP | ACDA | ACEP | CCNP | CCDP | CCNA Wireless

MVP Expert

Re: Best Practice for Wireless Guest with Clearpass

You can use external DNS and configure your firewall to do DNS proxy (if it supports it).

Another option is to make your guest page reachable publicly and place some restrictions on your firewall on who can reach it publicly via HTTPS/HTTP.

Thank you

Victor Fabian
Lead Mobility Architect @WEI
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
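
The isolation described in this thread (guest VLAN behind a firewall, DNS allowed only to specific internal servers, captive portal reachable over HTTPS, everything else internal blocked) can be checked before deployment by replaying probe flows against the ordered rule list. The following is an added example, not part of the thread and not ArubaOS or ClearPass syntax; the rule tuple format, every address, and the names `first_match`, `check`, `HARDENED` and `WEAK` are constructed assumptions.

```python
import ipaddress

GUEST = "192.168.200.0/24"        # constructed guest subnet (assumption)
DNS, PORTAL = "10.1.1.53/32", "10.1.1.80/32"   # constructed internal DNS / captive portal

# Rule format (assumption): (action, src_net, dst_net, proto, port); port None = any port.
HARDENED = [
    ("permit", GUEST, DNS, "udp", 53),
    ("permit", GUEST, DNS, "tcp", 53),
    ("permit", GUEST, PORTAL, "tcp", 443),
    ("deny", GUEST, "10.0.0.0/8", "any", None),      # block the rest of RFC 1918 space
    ("deny", GUEST, "172.16.0.0/12", "any", None),
    ("deny", GUEST, "192.168.0.0/16", "any", None),
    ("permit", GUEST, "0.0.0.0/0", "any", None),     # internet access
]
# Weak variant: same exceptions, but the internal deny rules are missing.
WEAK = [r for r in HARDENED if r[0] == "permit"]

# Probe format: (src, dst, proto, port, expected_action); all values constructed.
PROBES = [
    ("192.168.200.25", "10.1.1.53", "udp", 53, "permit"),       # DNS to internal server
    ("192.168.200.25", "10.1.1.80", "tcp", 443, "permit"),      # captive portal
    ("192.168.200.25", "10.1.1.80", "tcp", 22, "deny"),         # portal host, other port
    ("192.168.200.25", "10.20.30.40", "tcp", 445, "deny"),      # corporate file server
    ("192.168.200.25", "172.16.5.5", "tcp", 3389, "deny"),      # corporate desktop
    ("192.168.200.25", "198.51.100.10", "tcp", 443, "permit"),  # internet site
]

def first_match(rules, src, dst, proto, port):
    """Evaluate an ordered rule list with first-match semantics; default is deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, rsrc, rdst, rproto, rport in rules:
        if (s in ipaddress.ip_network(rsrc) and d in ipaddress.ip_network(rdst)
                and rproto in ("any", proto) and rport in (None, port)):
            return action
    return "deny"

def check(rules, probes=PROBES):
    """Return the probes whose actual result differs from the expected action."""
    return [p for p in probes if first_match(rules, *p[:4]) != p[4]]

if __name__ == "__main__":
    for name, rules in (("hardened", HARDENED), ("weak", WEAK)):
        for src, dst, proto, port, want in check(rules):
            print(f"{name}: {src} -> {dst} {proto}/{port} expected {want}")
```

The probes are samples rather than an exhaustive proof; add one for every internal subnet and management port that matters in your environment.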