Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Internal DB

  • 1.  Internal DB

    Posted Nov 16, 2011 08:48 AM

    Hello,

     

    I have a Controller 6000. We have 2 SSIDs, one for guests and one for staff. The guests have limitations and staff have full privileges. I want both guests and staff to use the internal DB for authentication. Can I separate the internal DB into two groups? The current problem is that the guest user can access the staff SSID.

     

    thanks in advance 



  • 2.  RE: Internal DB

    EMPLOYEE
    Posted Nov 16, 2011 10:47 AM

    It is not possible, as far as I know, to have more than one internal database. You can, however, just use different roles in the database, aka one for Guest and one for Staff.

     

    My suggestion, though, would be to look into setting up a FreeRADIUS server. This runs on Linux. Move your Staff accounts over to there, and use the internal for Guest only.

     

    Zach



  • 3.  RE: Internal DB

    Posted Nov 16, 2011 10:20 PM

    Are you using captive portal login for both?  Do the networks get routed to different VLANs or are they both on the same VLAN with different user roles and access?

     

    It is definitely possible to adjust the user role within the internal DB to determine what access the user has (just as was previously mentioned).



  • 4.  RE: Internal DB

    Posted Nov 16, 2011 10:52 PM

    Hello,

     

    I have run into this situation before. You cannot separate the users in the database; however, you can apply a role to the guest user account within the internal database. Let's just say Guest_role is the role for now.

     

    Also create a dead-end VLAN. That is a VLAN without a gateway or DHCP.

     

    You can then create a separate captive portal authentication profile for your internal users. This is important because we are going to be using a user derivation rule.

     

    In the server group, specify internal, and add a user derivation rule. The rule will read: if user role equals Guest_role, set VLAN to # (dead end).

     

    This will ensure that any user who logs in to the employee network with a guest account will go nowhere.

     

    Hope this makes sense.



  • 5.  RE: Internal DB

    Posted Nov 27, 2011 04:33 AM

    Hi All,

     

    Thanks for the replies. The Guest SSID will have a different VLAN from the Staff SSID, but both are using the internal DB. I'm afraid that when our guests try to connect to the Staff SSID using the internal DB, the guests can access everything. That's why I want to separate the users. I want guest users to be unable to log in to the Staff SSID. Any idea?

     

    thanks 



  • 6.  RE: Internal DB

    EMPLOYEE
    Posted Nov 27, 2011 04:37 AM

    Since you are using the internal database, does it mean that all the staff are sharing the same username and password?  Is it possible instead to use LDAP for staff and the internal database for guests?  That would provide the separation that you need.

     



  • 7.  RE: Internal DB

    EMPLOYEE
    Posted Nov 27, 2011 07:30 AM

    @ndai wrote:

    Hi All,

     

    Thanks for the replies. The Guest SSID will have a different VLAN from the Staff SSID, but both are using the internal DB. I'm afraid that when our guests try to connect to the Staff SSID using the internal DB, the guests can access everything. That's why I want to separate the users. I want guest users to be unable to log in to the Staff SSID. Any idea?

     

    thanks 


    Simple solution. Create a role called "guest_user" or some other role name you choose for guests. Then in that user role, set the VLAN to what you want guests to be on. Then in the internal DB, set the role of those guest users to "guest_user". That way, even if they log onto the Staff SSID, they still will get on the guest vlan. Of course, this all assumes that you are using WPA2-AES (at least for the Staff SSID), and not open or WEP.

     

    You could even take this a step further and only use one SSID (again WPA2-AES). Then use the roles to determine what VLAN people get onto once they connect. As long as you are small, say less than 20 users, this probably won't be difficult to keep track of. However, once you exceed a manageable size, you really should look into LDAP or RADIUS.
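The access decision that posts 4 and 7 describe, as an added model (constructed example, not ArubaOS code or the forum's own configuration): the internal DB carries a role per user, each role maps to a VLAN, the SSID only supplies a default role for entries without one, and an optional derivation rule can push a role onto a dead-end VLAN. All usernames, passwords, role names and VLAN numbers are assumptions.

```python
"""Model of role-based VLAN assignment for users in a controller's internal DB.
Constructed example: names, passwords and VLAN ids are assumptions, not real
configuration values."""
import hmac
from dataclasses import dataclass

STAFF_VLAN = 100       # assumed VLAN for the Staff SSID
GUEST_VLAN = 200       # assumed VLAN for the Guest SSID
DEAD_END_VLAN = 999    # assumed VLAN with no gateway and no DHCP (post 4)


@dataclass(frozen=True)
class Decision:
    role: str
    vlan: int


# role -> VLAN the role lands on (constructed)
ROLES = {"staff_role": STAFF_VLAN, "guest_role": GUEST_VLAN}

# SSID -> default role for a DB entry that carries no role (constructed)
SSID_DEFAULT_ROLE = {"Staff": "staff_role", "Guest": "guest_role"}

# internal DB: username -> (password, role or None). "bob" models the
# original problem: an account with no role, so the SSID default applies.
INTERNAL_DB = {
    "alice": ("s3cret", "staff_role"),
    "visitor": ("welcome", "guest_role"),
    "bob": ("hunter2", None),
}


def authorize(user, password, ssid, derivation_rules=()):
    """Return the role/VLAN a user gets on an SSID, or None if auth fails.

    derivation_rules is an ordered list of (role, vlan) pairs read as
    "if user role equals <role>, set VLAN to <vlan>" (post 4's rule).
    """
    entry = INTERNAL_DB.get(user)
    if entry is None or not hmac.compare_digest(entry[0].encode(), password.encode()):
        return None                      # authentication failed
    role = entry[1] or SSID_DEFAULT_ROLE[ssid]   # role is bound to the user, not the SSID
    vlan = ROLES[role]
    for rule_role, rule_vlan in derivation_rules:
        if role == rule_role:
            vlan = rule_vlan             # e.g. guest_role -> dead-end VLAN
    return Decision(role, vlan)
```

A guest account therefore stays on the guest (or dead-end) VLAN even when it authenticates on the Staff SSID, while an account with no role in the DB still inherits the SSID default, which is the gap the thread is about.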



  • 8.  RE: Internal DB

    Posted Mar 27, 2017 07:23 PM

    Dear Gents,

    I have the same problem. Is there any document which illustrates how I can have different VLAN assignments (different IPs based on internal departments) using the same SSID, based on the local Aruba DB?

     



  • 9.  RE: Internal DB

    EMPLOYEE
    Posted Mar 28, 2017 06:54 AM

    This original post is from 2011, and it is talking about using the internal database for different sets of people. In 2011 it was acceptable to enter MAC addresses of devices into a database to allow people to get on the network.

     

    It is now 2017, and users should be authenticated using usernames and passwords with either LDAP or 802.1X.

     

    In 2011, it was acceptable to give all users a different VLAN per department, because somehow it made sense. It is now 2017, and an IP address and a VLAN are simply ways to get traffic to and from the user; you do not have to have a complex VLAN scheme simply to get users in different departments onto the network. You only need one VLAN, really.