Wireless Access

Occasional Contributor II

Deny Inter User Traffic Single SSID.



I have a two SSID setup.




We allow our AD users to authenticate on our SECURE 802.1x network with their own personal devices using AD credentials, however we place those devices into a separate VLAN as per clearpass. We have all our corporate owned items using the SECURE ssid, but they get placed into a separate internal VLAN per clearpass.


I would like to deny inter user traffic for those users who are on the SECURE network, but not for corporate devices.  I know clearpass can assign roles back to the controller, so I'm assuming that I need to create a BYOD role and apply it, but I'm struggling with how to create the firewall policies.


I'd like DNS traffic to our two dns servers to be allowed, and web traffic out, but to deny all other traffic to our internal networks.


I wish it was as easy as deny inter use traffic, but that seems to be a VAP setting and I can't do that because some of the users on our SECURE SSID are corporate users.



Guru Elite

Re: Deny Inter User Traffic Single SSID.

Your firewall policy in your BYOD role might look like this:


any network 192.168.1.x deny

any any any permit


It would block traffic to any device that is on the 192.168.1.x network and allow all other traffic.

*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
ArubaOS 8.5 User Guide
InstantOS 8.5 User Guide
Airheads Knowledgebase
Airheads Video Knowledge Base
Remote Access Point Solution Guide
ArubaOS Consolidated Release Notes
ArubaOS 8 ViA VPN Solution Guide
Search Airheads
Showing results for 
Search instead for 
Did you mean: