Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Best Practice for Wireless Guest with Clearpass

  • 1.  Best Practice for Wireless Guest with Clearpass

    Posted Jul 22, 2020 11:28 AM

    Considering a Wi-Fi network with an Aruba controller 8.x and ClearPass.

    How do we separate the guest network completely from the corporate LAN, including separate DHCP and DNS for guest users (using captive portal)? What is the recommendation?

    Is there any reference VRD or document on this? Kindly advise.



  • 2.  RE: Best Practice for Wireless Guest with Clearpass

    MVP GURU
    Posted Jul 22, 2020 01:20 PM

    Please see this VRD for guest. All of the concepts are the same (roles, ACLs, VLANs, etc.) but may be located somewhere else in the GUI for AOSv8: https://community.arubanetworks.com/aruba/attachments/aruba/Aruba-VRDs/157/3/Guest%20Access%20with%20ArubaOS.pdf

    You can assign all of the guest roles to a separate VLAN on the same trunk link, or spin up a separate interface terminating to a firewall. In that VLAN, you can assign the DHCP addresses from an upstream L3 device (recommended), or locally on the controller VLAN interface.



  • 3.  RE: Best Practice for Wireless Guest with Clearpass

    Posted Jul 23, 2020 12:11 AM

    Thanks, any recommendations on (internal or public) DNS and captive portal?



  • 4.  RE: Best Practice for Wireless Guest with Clearpass

    MVP GURU
    Posted Jul 23, 2020 07:56 AM

    I can tell you from my experience, most organizations just allow DNS to their internal DNS servers, or a few of them, and either use the internal captive portal in the controller, or ClearPass/ISE for external. It depends on what kind of guest experience you want for your users. For most, the guest user VLAN/subnet is always off of a firewall in a DMZ or external zone.



  • 5.  RE: Best Practice for Wireless Guest with Clearpass

    Posted Jul 23, 2020 11:37 AM
    You can use external DNS and configure your firewall to do DNS proxy (if it supports it).

    Another option is to make your guest page reachable publicly and place some restrictions on your firewall on who can reach it publicly via HTTPS/HTTP.



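Added example, not posted by anyone in this thread and not Aruba or ClearPass code: a first-match audit of a guest-zone rule list for the design discussed above (guest subnet behind a firewall, DNS allowed only to a few internal servers, everything else internal blocked). The rule tuple format, the addresses and the function name are assumptions made for illustration; DHCP is not modelled.

```python
import ipaddress

# Constructed sample values (assumptions, not taken from the thread).
CORP_NETS = [ipaddress.ip_network(n)
             for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
DNS_SERVERS = {ipaddress.ip_address("10.1.1.53")}
DNS_SERVICES = {("udp", 53), ("tcp", 53)}


def audit_guest_rules(rules, corp_nets=CORP_NETS, dns_servers=DNS_SERVERS):
    """Return (rule_number, exposed_cidr) for permits that reach corporate space.

    rules: ordered (action, proto, dst_cidr, dst_port) tuples, first match
    wins, source is the guest subnet. proto "any" / port None mean wildcard.
    Only earlier "deny any" rules are treated as shadowing a later permit.
    """
    findings, denied = [], []
    for idx, (action, proto, dst, port) in enumerate(rules, start=1):
        dst_net = ipaddress.ip_network(dst)
        if action == "deny":
            if proto == "any" and port is None:
                denied.append(dst_net)
            continue
        # The one intended exception: DNS to a listed internal resolver.
        if ((proto, port) in DNS_SERVICES and dst_net.num_addresses == 1
                and dst_net.network_address in dns_servers):
            continue
        for corp in corp_nets:
            if not dst_net.overlaps(corp):
                continue
            # Overlapping CIDR blocks nest, so the exposed part is the smaller.
            exposed = dst_net if dst_net.subnet_of(corp) else corp
            if not any(exposed.subnet_of(d) for d in denied):
                findings.append((idx, str(exposed)))
    return findings


# Constructed policies: GOOD isolates guests, BAD leaks in two places.
GOOD = [("permit", "udp", "10.1.1.53/32", 53),
        ("permit", "tcp", "10.1.1.53/32", 53),
        ("deny", "any", "10.0.0.0/8", None),
        ("deny", "any", "172.16.0.0/12", None),
        ("deny", "any", "192.168.0.0/16", None),
        ("permit", "any", "0.0.0.0/0", None)]
BAD = [("permit", "udp", "10.1.1.53/32", 53),
       ("permit", "tcp", "10.20.0.0/16", 443),   # placed before the deny
       ("deny", "any", "10.0.0.0/8", None),
       ("permit", "any", "0.0.0.0/0", None)]     # two RFC 1918 blocks never denied

if __name__ == "__main__":
    for number, cidr in audit_guest_rules(BAD):
        print(f"rule {number}: guests can reach {cidr}")
```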