Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Aruba i-225 multiple user authentication on different SSID

  • 1.  Aruba i-225 multiple user authentication on different SSID

    Posted Feb 08, 2017 12:05 PM

    Hi,

     

    Currently I run two SSIDs, let's call them 'corporate' and 'visitor'. Visitor is authenticated via WPA2, while for 'corporate' users we use WPA2-Enterprise with the internal server. This is the built-in internal database with each user having an individual account. It works great in terms of leavers etc., but recently I have been presented with a new business requirement where a new third SSID 'corporate2' will have to be created. As such, traffic between 'corporate1' and 'corporate2' shall be separated. This can be achieved by a mixture of VLANs and firewall rules. My only concern is that the internal server does not distinguish between Wi-Fi users, therefore login credentials will work for both networks. Is there any clever way to assign users per SSID?

     

    Many thanks for your reply,

    Pipboy-2000



  • 2.  RE: Aruba i-225 multiple user authentication on different SSID

    Posted Feb 09, 2017 07:44 AM
    Hi,

    Unfortunately there are only options for either employee or guest user types in the internal database on Instants. You would need to use a different authentication source to provide the functionality you want.

    Do you have Active Directory? You could utilise NPS on Active Directory to authenticate users. Just a thought...


  • 3.  RE: Aruba i-225 multiple user authentication on different SSID
    Best Answer

    Posted Feb 09, 2017 08:23 AM

    Hi James,

     

    That's certainly a bummer, especially because we do not have the AD. The AP can handle multiple SSIDs, but WPA2-Enterprise authentication works for all or none. That's not very good for shared office environments etc. However, after a lot of fiddling around, I believe I found a way around the problem. It's not the best possible solution, but I believe it works. Here is what I have done.

    1. Users can be identified by the user name created in the internal server, for example 'AAA James', 'ZZZ John' where AAA and ZZZ are the company names.

    2. Changed the access level to 'Role-Based' for the network where only ZZZ employees should have access to.

    3. Created a new role called 'ZZZ STAFF' and set access rule to 'Deny access to all destinations'

    4. Now here is the best part: under role assignment rules I've created a new custom rule where, when 'user-name' contains 'ZZZ', assign rule 'ZZZ Staff' (default rule is still active).

     

    Now all ZZZ users, who connect to AAA network, will get authenticated cause there is no way around it, but because of the user name containing 'ZZZ' a rule blocking access to all network services will be applied to them, blocking them from accessing any network resource.

     

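An added example, not part of the thread and not Aruba code: a small Python model of first-match role assignment that compares the rule set described in the post above (deny role when the user name contains 'ZZZ', default role otherwise) with an allow-list variant that fails closed. The role names `AAA-allow` and `deny-all`, the `starts-with` operator of the model, the sample accounts, and case-sensitive matching are assumptions of this sketch.

```python
# Simplified model of first-match role assignment on one SSID (the 'AAA' network).
# Assumptions: matching is case-sensitive; role names other than 'ZZZ STAFF' are hypothetical.
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    operator: str  # "contains" or "starts-with"
    operand: str
    role: str


def assign_role(user_name, rules, default_role):
    """Return the role of the first matching rule, else the SSID default role."""
    for rule in rules:
        if rule.operator == "contains" and rule.operand in user_name:
            return rule.role
        if rule.operator == "starts-with" and user_name.startswith(rule.operand):
            return rule.role
    return default_role


# Rule set as described in the post: block on match, default role otherwise.
THREAD_RULES = [Rule("contains", "ZZZ", "ZZZ STAFF")]  # 'ZZZ STAFF' denies all destinations
THREAD_DEFAULT = "AAA-allow"                           # hypothetical name for the default role

# Allow-list variant: permit only the expected prefix, deny everyone else.
ALLOWLIST_RULES = [Rule("starts-with", "AAA ", "AAA-allow")]
ALLOWLIST_DEFAULT = "deny-all"                         # hypothetical deny-everything role

# Constructed sample accounts in the shared internal database.
SAMPLE_USERS = ["AAA James", "ZZZ John", "John", "zzz Mary", "AAA Lee ZZZ-liaison"]


def compare(users=SAMPLE_USERS):
    """Map each user to (role under the thread's rules, role under the allow-list)."""
    return {u: (assign_role(u, THREAD_RULES, THREAD_DEFAULT),
                assign_role(u, ALLOWLIST_RULES, ALLOWLIST_DEFAULT)) for u in users}


def differences(users=SAMPLE_USERS):
    """Users whose network access differs between the two rule sets."""
    return sorted(u for u, (thread_role, allow_role) in compare(users).items()
                  if (thread_role == "AAA-allow") != (allow_role == "AAA-allow"))


if __name__ == "__main__":
    for user, (thread_role, allow_role) in compare().items():
        print(f"{user!r:24} thread={thread_role:10} allow-list={allow_role}")
```

In this model the two rule sets agree on 'AAA James' and 'ZZZ John' and differ on accounts created without the naming convention, which is the case worth auditing in the internal database.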

     

     

     



  • 4.  RE: Aruba i-225 multiple user authentication on different SSID

    Posted Feb 09, 2017 08:35 AM

    Good thinking!

     

    You could go one step further to reduce the number of SSIDs (which is always a good thing) by having one corporate SSID and work out which user is from which company by using your method then set the VLAN to be the correct one (like they do in this video).

     




  • 5.  RE: Aruba i-225 multiple user authentication on different SSID

    Posted Feb 09, 2017 08:44 AM

    I'm not sure if that will work in my scenario, since the company is being split into two, so traffic must be separated. I'm using 192.x range for one SSID while 10.x for the other. Traffic is already VLAN tagged depending on which Wi-Fi you're connected to. From there everything is taken care of via VLANs / Firewall rules. It was only the first step I could not easily separate. As they say, where there's a will there's a way.

     

    Greetings to a fellow Fallout fan.