Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Restricting wifi traffic to only between devices authenticating with same userid

  • 1.  Restricting wifi traffic to only between devices authenticating with same userid

    Posted Oct 24, 2019 08:26 AM

    At the moment our general users have an ACL policy that blocks client <-> client traffic. If a user registers an "airgroup aware" device in ClearPass Guest, then both the device and any dot1x-authenticated device are assigned an "airgroup_devices" role. In addition to the normal ACL set, this role has some userrole <-> userrole entries that allow port-based client-to-client communication.

    When used in conjunction with the AirGroup functionality of the controller, a user can cast from our eduroam network onto our PSK device network while other users have the standard ACLs applied, and it all works ...... except .....

    .. what you've got are multiple users/devices all using the same "airgroup_devices" role, so they've all got those ports open to everyone.

    What would be nice is if we could restrict traffic so that any devices that log onto a WPA2/3 network using a particular userid could have an ACL set applied to all devices authenticated by that userid, or ClearPass Guest devices that have the same sponsored name. Effectively they've got their own private VLAN for their own devices... and no one else can see them.

    I'm sort of thinking either of an extension to the ArubaOS 8 userrole where you can define an ACL template, and then when a userid logs on a dynamic role gets created, e.g. alexs-123, that uses the template.

    The userrole command could then be expanded to only work for clients using the dynamic role.

    Or possibly some sort of Q-in-Q setup where each user gets their own VLAN within a VLAN ..

    Unless anyone else can suggest another way to really restrict traffic based upon authentication credentials.

    Rgds

    Alex
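The gap the post describes, as an added illustration that is not part of the thread and is not ArubaOS or ClearPass code: it models the shared "airgroup_devices" role the poster has today against the per-identity policy the poster wants (two clients may talk only if the same userid, or the same ClearPass Guest sponsor, authenticated both). The session records, MAC addresses, usernames, SSID labels and the "<owner>-devices" role naming are all constructed assumptions.

```python
# Added illustration for the thread above; not Aruba or ClearPass code.
# Models two client-to-client policies over constructed session records:
#   role_policy      - what the poster has now: any two clients holding the
#                      shared airgroup_devices role can reach each other
#   identity_policy  - what the poster wants: only clients authenticated by
#                      the same userid (or registered under the same sponsor)
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class Session:
    mac: str
    ssid: str    # "eduroam" = 802.1X network, "devices" = PSK network (assumed labels)
    owner: str   # 802.1X username, or sponsor name from ClearPass Guest
    role: str    # user role assigned by ClearPass (assumed names)


# Constructed sample sessions: alex and bob each have a dot1x laptop/phone and
# a registered cast device; carol has no registered device.
SESSIONS = [
    Session("00:11:22:aa:aa:01", "eduroam", "alex",  "airgroup_devices"),
    Session("00:11:22:aa:aa:02", "devices", "alex",  "airgroup_devices"),
    Session("00:11:22:bb:bb:01", "eduroam", "bob",   "airgroup_devices"),
    Session("00:11:22:bb:bb:02", "devices", "bob",   "airgroup_devices"),
    Session("00:11:22:cc:cc:01", "eduroam", "carol", "authenticated"),
]


def role_policy(a: Session, b: Session) -> bool:
    """Current state: role<->role ACL entries open the ports between any two
    clients holding airgroup_devices, regardless of who authenticated them."""
    return a.role == "airgroup_devices" and b.role == "airgroup_devices"


def identity_policy(a: Session, b: Session) -> bool:
    """Desired state: client-to-client traffic only between sessions that
    share an owner (same userid or same sponsor); everything else stays blocked."""
    return a.owner == b.owner


def reachable_pairs(sessions, policy):
    """Unordered pairs of client MACs that the given policy lets talk."""
    return {frozenset((a.mac, b.mac))
            for a, b in combinations(sessions, 2) if policy(a, b)}


def cross_user_exposure(sessions):
    """Pairs the shared-role ACL permits but the per-identity policy would not:
    the other users' devices each role member can currently reach."""
    return (reachable_pairs(sessions, role_policy)
            - reachable_pairs(sessions, identity_policy))


def dynamic_role_name(session: Session) -> str:
    """The per-userid role the poster sketches (their example: alexs-123).
    The '<owner>-devices' naming here is an assumption for illustration."""
    return f"{session.owner}-devices"


if __name__ == "__main__":
    for pair in sorted(cross_user_exposure(SESSIONS), key=sorted):
        print("reachable across users under shared role:", sorted(pair))
    for s in SESSIONS:
        print(s.mac, "->", dynamic_role_name(s))
```

With the sample data, the shared role opens six client pairs, the per-identity policy would open only two (alex's pair and bob's pair), and the four remaining pairs are exactly the cross-user exposure the poster is describing; carol, who holds a different role, is reachable under neither.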



  • 2.  RE: Restricting wifi traffic to only between devices authenticating with same userid

    EMPLOYEE
    Posted Oct 28, 2019 10:39 AM

    This is not possible. AirGroup only restricts L2 advertisements.



  • 3.  RE: Restricting wifi traffic to only between devices authenticating with same userid

    Posted Oct 28, 2019 10:46 AM

    OK, the mention of AirGroup is a bit of a sidetrack; we're actually just talking about client-to-client ACL lists based upon the userid they used to authenticate onto the net with (or the sponsored username). I'm told the Cisco stuff can drop every device authenticated by the same userid into a "private VLAN where they can all talk to each other". It's that sort of thing, ish!

    A



  • 4.  RE: Restricting wifi traffic to only between devices authenticating with same userid

    EMPLOYEE
    Posted Oct 28, 2019 12:55 PM

    I'm not aware of any Cisco functionality that can do that. Have a link?



  • 5.  RE: Restricting wifi traffic to only between devices authenticating with same userid

    Posted Oct 28, 2019 01:44 PM

    I think this applies also to our dynamic segmentation PoC... we would like to segment users into their own groups and not allow anything between groups. And preferably limit traffic between users within the same user-role too.

    I was told earlier that 8.5 brings something to help with this. Currently with 8.4 I can't do a block rule "from user to user deny". Have to see how it is after the 8.5 update, but I've been told that this should be possible.



  • 6.  RE: Restricting wifi traffic to only between devices authenticating with same userid

    Posted Oct 28, 2019 06:02 PM
    Got any examples?
    We're currently using the "user role" command to open up ports between devices with the same user role, which sadly is shared across lots of users.
    A


  • 7.  RE: Restricting wifi traffic to only between devices authenticating with same userid

    EMPLOYEE
    Posted Oct 28, 2019 08:28 PM

    Role to role enforcement is possible, but dynamic user-based restrictions are not possible.