Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

How to Stop Corp Wifi User to connect Guest SSID Automatically

  • 1.  How to Stop Corp Wifi User to connect Guest SSID Automatically

    Posted Sep 18, 2017 07:58 AM

    Hi All,

     

    We have a very large Aruba Wi-Fi network in our enterprise. I am dealing with a situation where users are complaining that they can't access corporate email over Wi-Fi. This happens intermittently. After doing some research I found out the cause: it happens when their devices move from the Corp SSID to the Guest SSID.

    The only workaround is to click on the Guest SSID and select Forget This Network. But then some others complain of the same issue.

     

    Our Corp SSID uses 802.1X authentication, and all the mobile devices (Android, iOS) are controlled and profiled by AirWatch.

    The Guest SSID is open; it allows the device to get an IP address, and the device then gets authenticated by a captive portal on ClearPass.

     

    I am working to find out whether there is any rule or policy we can configure on ClearPass to stop them moving from the CORP SSID to the Guest SSID automatically and to stop them getting an IP address from the DHCP scope which is reserved for guest users.

    The problem is, let's say the user is by mistake connected to Guest and then comes back to the CORP SSID: his Wi-Fi still doesn't work, because on the controller I now see two profiles, the Guest role and the Corp-SSID user role.

     

    I would really appreciate it if Aruba community members could suggest a better solution to fix this issue.

     



  • 2.  RE: How to Stop Corp Wifi User to connect Guest SSID Automatically

    Posted Sep 18, 2017 09:51 AM

     
    One way to block access to the guest network is by marking the endpoint as a known corporate device. Based on this endpoint value you then block access to the guest network.
     
    1. Create a new unique endpoint attribute (Boolean), for example named corporate-device. 


    2. When a user successfully connects via dot1x, update the endpoint value to true.


    3. Make a rule in the guest service that first says: Endpoint:corporate-device EQUALS true, enforcement: Deny Access.
     



  • 3.  RE: How to Stop Corp Wifi User to connect Guest SSID Automatically

    Posted Sep 18, 2017 02:31 PM

    Hi Fabian,

     

    Thanks for your prompt reply. I will try your solution today when I go back to work. Just wondering if you have a written document which can guide me on how to implement this exactly. Not sure how many rules are required.

    Many Thanks 

    Vsha



  • 4.  RE: How to Stop Corp Wifi User to connect Guest SSID Automatically

    Posted Sep 18, 2017 08:14 PM

    If you already use AirWatch, have you set up integration with CPPM? If so, you can just use an existing attribute set by AirWatch. For example, I use MobileIron (a similar MDM) and recently set up this same scenario. I used a rule like (Endpoint:Ownership EQUALS Corporate); then you can just do 'Deny Access' or whatever you want. I did something a little more advanced: I did a CoA redirect URL to a captive portal in Guest saying 'Hey, you shouldn't have a corporate device on the guest network!'



  • 5.  RE: How to Stop Corp Wifi User to connect Guest SSID Automatically

    Posted Sep 19, 2017 01:49 AM

    Hi All,

     

    Thank you for your guidance. I apologise, maybe I didn't make it very clear.

    The problem we are facing is automatic switchover to the Guest SSID, and we have confirmed that users are not doing it manually.

     

    This is the recent issue. For example:

    Let's say VIP users at different locations are connected to the CORP SSID and using their AirWatch-enabled mobile devices (mostly iPad and iPhone) to access email and shared drives.

    For some reason their phones move from the CORP SSID to the Guest SSID, and they never see this changeover on the iPad/iPhone screen until they go and check in Settings to confirm what the issue is. After that they can't access their email or shared drives.

    I do understand that currently the Guest SSID is open for everyone to get an IP address and redirects the user to the captive portal.

    But I am looking for a solution. Is there any configuration which we can apply to stop the CORP devices from moving to the Guest network and getting an IP address?

     

    Again, thanks in advance for giving your time.

     



  • 6.  RE: How to Stop Corp Wifi User to connect Guest SSID Automatically
    Best Answer

    Posted Sep 19, 2017 11:55 AM

    It's very strange that they would keep reconnecting to the Guest SSID; they shouldn't automatically connect to it without first manually clicking on it to connect. On an iOS device, you must open wireless settings, open the SSID settings, and click 'Forget'. It should never try to reconnect again without first manually connecting to it. I've researched this before, and apparently there is no way on iOS through MDM to 'block' or lower the priority of an SSID.

     

    Now, to PREVENT this connection, as mentioned, you can do a Deny rule, i.e. 'If SSID contains Guest and Endpoint Ownership Equals Corporate, DENY'. This would prevent the device from associating to the SSID, so it would never connect and get an IP address. It would then try to reconnect to the next available SSID, which should be the Corporate one, and connect as normal. Give that a shot and see how it goes.

     


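The design described in reply #2 (tag the endpoint after a successful 802.1X authentication, then deny it in the guest service) and the MDM-attribute variant in replies #4 and #6 can be walked through end to end in a small model. The following is an added example written for this page, not ClearPass code or anything posted in the thread: the service names, role names, MAC addresses and the `corporate-device` / `Ownership` attribute names are constructed for illustration. It also shows why reply #2 insists the deny rule must come first: with the rules misordered, the catch-all captive-portal rule matches before the deny rule is ever evaluated.

```python
"""Constructed toy model of the ClearPass design from the thread (not ClearPass
code): an 802.1X service tags the endpoint after a successful authentication,
and the guest service's first rule denies tagged endpoints so a corporate
device is never given a guest role or a guest IP address."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple


@dataclass
class Endpoint:
    """Entry in the endpoint repository; attribute names are assumptions."""
    mac: str
    attributes: Dict[str, object] = field(default_factory=dict)


@dataclass
class Request:
    """One access request as seen by the policy server (constructed)."""
    mac: str
    ssid: str
    eap_success: bool = False  # outcome of the 802.1X exchange, if any


ENDPOINT_DB: Dict[str, Endpoint] = {}


def endpoint_for(mac: str) -> Endpoint:
    return ENDPOINT_DB.setdefault(mac, Endpoint(mac))


def corp_service(req: Request) -> str:
    """802.1X service (reply #2, step 2): on success, set the Boolean
    endpoint attribute so the guest service can recognise the device."""
    ep = endpoint_for(req.mac)
    if not req.eap_success:
        return "REJECT"
    ep.attributes["corporate-device"] = True  # post-auth endpoint update
    return "Corp-SSID-user-role"


def is_corporate(ep: Endpoint) -> bool:
    """Either our own tag (reply #2) or an MDM-populated attribute (reply #4)."""
    return (ep.attributes.get("corporate-device") is True
            or ep.attributes.get("Ownership") == "Corporate")


Rule = Tuple[Callable[[Endpoint], bool], str]


def guest_service(req: Request, deny_first: bool = True) -> str:
    """Guest service with first-match rule evaluation (reply #2, step 3).
    deny_first=False reproduces the misordering where the catch-all
    captive-portal rule matches before the deny rule is reached."""
    ep = endpoint_for(req.mac)
    rules: List[Rule] = [
        (is_corporate, "DENY"),
        (lambda e: True, "Guest-Captive-Portal-role"),  # default for unknowns
    ]
    if not deny_first:
        rules.reverse()
    for condition, enforcement in rules:
        if condition(ep):
            return enforcement
    return "DENY"  # unreachable with a catch-all rule; fail closed anyway


def classify(req: Request, deny_first: bool = True) -> str:
    """Service classification by SSID, standing in for ClearPass service rules."""
    if "Guest" in req.ssid:
        return guest_service(req, deny_first)
    return corp_service(req)


def scenario() -> Tuple[str, ...]:
    """Walk the thread's case: a corporate iPad authenticates on CORP, then
    drifts to Guest; an unknown visitor joins Guest; an MDM-tagged device
    joins Guest; and the same iPad hits a misordered guest service."""
    ENDPOINT_DB.clear()
    ipad, visitor, mdm_phone = "00:11:22:33:44:55", "66:77:88:99:aa:bb", "cc:dd:ee:ff:00:11"
    # MDM integration (reply #4) has already populated Ownership for this device.
    endpoint_for(mdm_phone).attributes["Ownership"] = "Corporate"
    return (
        classify(Request(ipad, "CORP", eap_success=True)),   # Corp-SSID-user-role
        classify(Request(ipad, "Guest")),                    # DENY
        classify(Request(visitor, "Guest")),                 # Guest-Captive-Portal-role
        classify(Request(mdm_phone, "Guest")),               # DENY
        classify(Request(ipad, "Guest"), deny_first=False),  # Guest-Captive-Portal-role
    )


if __name__ == "__main__":
    labels = ("corp dot1x", "corp iPad on Guest", "visitor on Guest",
              "MDM device on Guest", "misordered guest service")
    for label, outcome in zip(labels, scenario()):
        print(f"{label:26s} -> {outcome}")
```

The last case is the one to check in a real policy: the enforcement policy in the guest service is first-match, so the deny rule has to sit above the default captive-portal rule, otherwise every corporate device still receives the guest role and a guest DHCP lease exactly as the original poster observed.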

  • 7.  RE: How to Stop Corp Wifi User to connect Guest SSID Automatically

    Posted Sep 21, 2017 10:50 PM

    Hello everyone,

     

    Thanks for joining the discussion. Finally, I have logged a ticket with Aruba Support to work on this, and according to them,

    there are lots of disassociations happening from the device, which is allowing it to connect to the Guest SSID.

     

    I have also been advised to look at the firmware upgrade option, because the current version we are using is 6.4.2.6, which has a bug that is resolved in 6.4.4.15.

     

    All suggestions are welcome; please tell me what the next stable release in the 6.4.4 series is.

     

    I saw that the IOS version advised by Aruba TAC is fairly new, only 2 months old. He assured me that it should resolve this issue and should be alright.

     

    Please suggest what the next stable version is. Why I am worried is because I have to upgrade 200 controllers.

     

    Thanks,