Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Mobility Controller Internal DB for Guest Provisioning Question

  • 1.  Mobility Controller Internal DB for Guest Provisioning Question

    Posted Jan 20, 2018 10:07 AM

    Hello!

     

    I've been a long time reader of airheads, looking forward to asking my own question :)

     

    I'd like to create a small guest network, not for the public but for pre-approved guests who aren't in our Active Directory. Our corporate SSID uses Windows NPS to authenticate onto AD, but I've seen that you can populate an internal DB of users and use that for WPA2-Enterprise authentication. I've found the controller section where you can add the users manually.

     

    My question is: I've seen that there is a self-service user administration role where you can create guest users via the web interface without access to the rest of the controller. Can this be used to populate the internal DB of guest users?

     

    Hope that makes sense :)



  • 2.  RE: Mobility Controller Internal DB for Guest Provisioning Question

    EMPLOYEE
    Posted Jan 20, 2018 11:10 AM


  • 3.  RE: Mobility Controller Internal DB for Guest Provisioning Question

    Posted Jan 20, 2018 11:20 AM

    Thanks for the reply Colin, but once I've set up the guest via the guest-provisioning GUI administration role, can I then use these accounts for a WPA2-AES authenticated VAP?

     

    From everything I've read these guest users can only be used via the internal captive portal which I don't want.

     

    Thanks again for your time.



  • 4.  RE: Mobility Controller Internal DB for Guest Provisioning Question
    Best Answer

    EMPLOYEE
    Posted Jan 20, 2018 11:27 AM

    You can, but you need to set up a separate WPA2 enterprise SSID that has termination (controller certificate used as the server certificate), with the internal database as the server.

    Again, the only way that you can use users set up in the internal database for WPA2 enterprise is to use termination.



  • 5.  RE: Mobility Controller Internal DB for Guest Provisioning Question

    Posted Jan 20, 2018 11:34 AM

    Brilliant, thank you Colin. Is there any danger in using the controller's certificate on this secure guest network?



  • 6.  RE: Mobility Controller Internal DB for Guest Provisioning Question

    EMPLOYEE
    Posted Jan 20, 2018 02:47 PM

    The purpose of the server certificate is to establish identity as well as secure the connection.  If you are using the controller's built-in certificate, it will not have your organization's identity, and some people might not trust it.  If you already have an internal CA, you should at least generate a CA that has your company's domain, so that users would have more confidence that they are not connecting to a rogue network.
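
Added example, not part of any post in the thread: a sketch of the setup described in replies 4 and 6, a separate WPA2-Enterprise SSID with EAP termination on the controller, the internal database as the authentication server, and an organization-issued server certificate in place of the built-in one. It assumes ArubaOS 6.x-style CLI syntax; every profile name, the ESSID, the VLAN and the certificate name are hypothetical placeholders, so check each command against the CLI reference for your release.

```text
! Constructed example; all quoted names below are placeholders.
!
! 802.1X profile: terminate EAP on the controller instead of relaying to RADIUS.
! server-cert points at a certificate issued by your own CA and uploaded to the
! controller (placeholder name), so clients can validate your organization's
! identity rather than the controller's built-in certificate.
aaa authentication dot1x "guest-secure-dot1x"
   termination enable
   termination eap-type eap-peap
   termination inner-eap-type eap-mschapv2
   server-cert "ORG-ISSUED-CERT-PLACEHOLDER"
!
! Server group that contains only the controller's internal database.
aaa server-group "guest-secure-internal"
   auth-server Internal
!
! AAA profile tying the 802.1X profile to the internal database.
! Authenticated guests land in a restricted role, not the corporate role.
aaa profile "guest-secure-aaa"
   authentication-dot1x "guest-secure-dot1x"
   dot1x-server-group "guest-secure-internal"
   dot1x-default-role "guest"
!
! Separate SSID from the corporate one, WPA2 with AES.
wlan ssid-profile "guest-secure-ssid"
   essid "Guest-Secure"
   opmode wpa2-aes
!
! Virtual AP on a guest VLAN (placeholder VLAN ID).
wlan virtual-ap "guest-secure-vap"
   aaa-profile "guest-secure-aaa"
   ssid-profile "guest-secure-ssid"
   vlan 100
!
```

Clients should be configured to validate the server certificate against the issuing CA and the expected server name; without that check, a PEAP supplicant will hand its credentials to any access point advertising the same ESSID.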