Wireless Access

last person joined: 14 hours ago 

Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.
Back to discussions
Expand all | Collapse all

Deny Inter User Traffic Single SSID.

This thread has been viewed 5 times

  • 1.  Deny Inter User Traffic Single SSID.

    Posted Jan 03, 2018 04:25 PM

    Hello,

     

    I have a two SSID setup.

     

    GUEST and SECURE.

     

    We allow our AD users to authenticate on our SECURE 802.1x network with their own personal devices using AD credentials, however we place those devices into a separate VLAN as per clearpass. We have all our corporate owned items using the SECURE ssid, but they get placed into a separate internal VLAN per clearpass.

     

    I would like to deny inter user traffic for those users who are on the SECURE network, but not for corporate devices.  I know clearpass can assign roles back to the controller, so I'm assuming that I need to create a BYOD role and apply it, but I'm struggling with how to create the firewall policies.

     

    I'd like DNS traffic to our two dns servers to be allowed, and web traffic out, but to deny all other traffic to our internal networks.

     

    I wish it was as easy as deny inter use traffic, but that seems to be a VAP setting and I can't do that because some of the users on our SECURE SSID are corporate users.

     

    Thanks!



  • 2.  RE: Deny Inter User Traffic Single SSID.

    EMPLOYEE
    Posted Jan 03, 2018 04:53 PM

    Your firewall policy in your BYOD role might look like this:

     

    any network 192.168.1.x 255.255.255.0 deny

    any any any permit

     

    It would block traffic to any device that is on the 192.168.1.x network and allow all other traffic.