Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Design Challenge!

  • 1.  Design Challenge!

    EMPLOYEE
    Posted Mar 30, 2017 01:32 PM

    Design Challenge!
    The network setup has Cisco switches, Aruba Wireless Controller and ClearPass.
    One of our University customers has apartments for employees/staff and their families.
    Requirements:
    1. Staff and their families require wireless connection in their apartments.
    2. Staff should have the same access privileges as if they were working in their offices.
    3. Family members should have wireless access to internet services only.
    4. Smart devices (smart TV, Xbox …) should connect to the network through wireless or wired and be accessible by both family members and staff.
    Proposed solution:
    • Create a new 802.1x SSID with different roles for family members and staff.
    • Uncheck deny inter-user traffic so they can access the smart devices on the same VLAN.
    • Connect the smart devices (MAC authentication) to a different SSID but the same VLAN as the one used by the family and staff.
    Challenges:
    • Staff and their families will have access to all the smart devices inside the building, not only their own devices, unless different VLANs are configured for each and every apartment (not recommended from a management point of view).
    • Enabling inter-user traffic may affect the overall performance of the connection, since smart devices, staff and families are connected to the same network.

    What would be a best practice design based on above?

    Many thanks,



  • 2.  RE: Design Challenge!

    EMPLOYEE
    Posted Mar 30, 2017 01:36 PM
    You can leverage AirGroup with ClearPass so when the users register their headless devices, they permit discovery of the devices to either certain APs, AP groups, roles or individuals.

    Another alternative would be to drop each family into their own VLAN.


  • 3.  RE: Design Challenge!

    EMPLOYEE
    Posted Mar 30, 2017 02:11 PM
    Thanks. Will AirGroup work with non-Apple devices such as Xbox, Smart TV, etc.?

    Kind regards,
    Yazeed


  • 4.  RE: Design Challenge!

    EMPLOYEE
    Posted Mar 30, 2017 02:16 PM
    Yes, it uses mDNS and SSDP (DLNA). It is not designed just for Apple.
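
A minimal model of the sharing decision described in replies 2 and 4, as an added example that is not part of the thread and not Aruba's implementation: it assumes a registered device is discoverable by its owner and by any client matching one of its shared users, roles or APs. All names (`Client`, `Device`, `visible_devices`, the users, APs and devices) are constructed for illustration.

```python
# Added illustration: a toy model of per-device discovery sharing.
# Assumption: the owner always sees the device; otherwise any one match
# (user, role or AP) is enough. This is not Aruba's actual logic.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Client:
    user: str
    role: str
    ap: str


@dataclass
class Device:
    name: str
    owner: str
    shared_users: set = field(default_factory=set)
    shared_roles: set = field(default_factory=set)
    shared_aps: set = field(default_factory=set)


def may_discover(client: Client, device: Device) -> bool:
    """Decide whether the device's mDNS/SSDP advertisement reaches the client."""
    return (
        client.user == device.owner
        or client.user in device.shared_users
        or client.role in device.shared_roles
        or client.ap in device.shared_aps
    )


def visible_devices(client: Client, registry: list) -> list:
    """Names of registered devices the client is allowed to discover."""
    return sorted(d.name for d in registry if may_discover(client, d))


# Constructed sample registry: two apartments and one shared printer.
REGISTRY = [
    Device("tv-apt12", owner="staff_a", shared_users={"family_a1"}),
    Device("xbox-apt14", owner="staff_b", shared_aps={"ap-apt14"}),
    Device("printer-lobby", owner="it_admin", shared_roles={"staff"}),
]

if __name__ == "__main__":
    for c in (Client("staff_a", "staff", "ap-apt12"),
              Client("family_a1", "family", "ap-apt12"),
              Client("family_a1", "family", "ap-apt14")):
        print(c, "->", visible_devices(c, REGISTRY))
```

In this model, AP-based sharing exposes `xbox-apt14` to any client associated with `ap-apt14`, while user-based sharing keeps `tv-apt12` limited to the household wherever its members connect.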


  • 5.  RE: Design Challenge!

    Posted Mar 30, 2017 05:14 PM
    Do any good documents describing AirGroup exist?


    #AirheadsMobile


  • 8.  RE: Design Challenge!

    EMPLOYEE
    Posted Mar 30, 2017 05:22 PM
    There will be a TechNote on Device Registration later this year that will cover AirGroup.


  • 9.  RE: Design Challenge!

    EMPLOYEE
    Posted Mar 31, 2017 03:45 AM
    Thanks a lot
    What about wired smart devices, how will that work? Would hospitality models help?

    Kind regards,
    Yazeed


  • 10.  RE: Design Challenge!

    Posted Apr 10, 2017 03:14 AM


  • 11.  RE: Design Challenge!

    Posted Apr 10, 2017 03:20 AM

    Hi Yazeed,

    Please let me know whether all of your smart devices are 802.1x auth capable.

    If all of your smart devices are 802.1x capable, then you can use only one SSID with different enforcement profiles.

    The ClearPass profiler feature can differentiate smart devices and computers (Windows and Mac), so you can assign different roles/VLANs to staff corporate devices, staff personal devices and staff personal smart devices.

    I would recommend using roles (with the same VLAN) with specific access, e.g. smart devices only internet and specific servers (if required), staff corporate devices full access, etc.

    Regards,

    Milind



  • 12.  RE: Design Challenge!

    EMPLOYEE
    Posted Apr 10, 2017 04:16 AM
    Thanks a lot for your time.

    Yes we have ClearPass.

    The information on whether the smart devices support dot1x isn't available yet, but we can provide an assumption for each case.

    Can we have AirGroup per AP location? So all users connected to one AP will have access to all smart devices in same AP.

    What about wired Smart Devices? Can we extend AirGroup to it?

    Kind regards,
    Yazeed Al Tal


  • 13.  RE: Design Challenge!

    Posted Apr 10, 2017 04:49 AM

    Hi Yazeed,

    I don't have much knowledge about AirGroup, but we can set a policy through ClearPass so that smart devices can connect to a specific AP and switch only.

    Regards,

    Milind


