Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Mobility Master log on

  • 1.  Mobility Master log on

    EMPLOYEE
    Posted Sep 17, 2019 12:29 PM

    What I try to do is:

    If a client named "volkswagen 1234"

    trying to log on to Mobility Master, then this client should have access into the network if it comes out of the IP address

    range 192.168.20.0, subnet mask 255.255.255.0

     

    where and how can this be programmed?

     

    In the GUI from Mobility Master > Configuration > Roles & Policies > Logon Control Restriction

    Here I try to restrict wireless clients like tablets or laptops.

    Example:

    One client should be able to connect to WiFi if he is in Building 1, IP range 192.168.1.0, subnet mask 255.255.255.0

    But when the same client comes from Building 2, IP range 192.168.2.0, subnet mask 255.255.255.0, then he should be restricted out.

     

    posting for a client.

    Thanks,

    Greg_Weaver



  • 2.  RE: Mobility Master log on

    Posted Sep 17, 2019 12:44 PM

    Hi Greg,

     

    Is the intention here to restrict the login to the Mobility Master or the WiFi, or both?



  • 3.  RE: Mobility Master log on

    EMPLOYEE
    Posted Sep 17, 2019 12:47 PM

    Given I'm posting for a client, both options might be applicable for them. Any insight is greatly appreciated.



  • 4.  RE: Mobility Master log on
    Best Answer

    Posted Sep 17, 2019 01:25 PM

    Referring to the example scenario given by your client,

    Example:

    One client should be able to connect to WiFi if he is in Building 1, IP range 192.168.1.0, subnet mask 255.255.255.0

    But when the same client comes from Building 2, IP range 192.168.2.0, subnet mask 255.255.255.0, then he should be restricted out.

     

    This can be done in a two-step process.

    First: Create a netdestination pointing to the VLAN that the SSID is being broadcast on (this can be found under Configuration > WLAN; check the VAP profile for which VLAN is mapped).

    Create a netdestination for each of the networks in Building 1 and 2.

     

    It is going to look like this:

    (config)# netdestination "Wifi"
      network 10.0.0.0 255.0.0.0

    (config)# netdestination "Building-1"
      network 192.168.1.0 255.255.255.0

    (config)# netdestination "Building-2"
      network 192.168.2.0 255.255.255.0

     

    Refer to the AOS 8.5 UG (pg. 273) to create a netdestination.

     

    Second: Create an IP SACL as follows

     

    (config)# ip access-list session "Restrict logon to wifi"

    // the format is "source destination service action"
    // netdestinations are referenced with the alias keyword

    // The first access control entry is going to be
    alias Building-1 alias Wifi any permit position 1
    alias Building-2 alias Wifi any deny position 2

     

    You could choose to ignore the second ACE, as an implicit deny-all statement is going to be added, but I recommend keeping it for clarity.

     

    Finally, map this SACL into the pre-auth / initial role of the AAA profile for the SSID.

     

    Let me know if it works
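A quick way to check the first-match and implicit-deny behaviour described in that answer before applying it on the controller: the following Python script is an added example (not the poster's configuration and not an Aruba tool) that models the three netdestinations and the session ACL above and evaluates constructed client addresses against them. It assumes, as the post states, that ACEs are evaluated top-down with the first match winning and an implicit deny at the end.

```python
import ipaddress

# Constructed model of the three netdestinations from the post above.
NETDESTINATIONS = {
    "Wifi": ["10.0.0.0/8"],
    "Building-1": ["192.168.1.0/24"],
    "Building-2": ["192.168.2.0/24"],
}

# Session ACL entries in position order: (source, destination, service, action).
# Names refer to netdestinations; "any" matches every address or service.
ACL = [
    ("Building-1", "Wifi", "any", "permit"),
    ("Building-2", "Wifi", "any", "deny"),
]


def matches(alias, addr):
    """True if addr falls inside the named netdestination (or alias is 'any')."""
    if alias == "any":
        return True
    return any(addr in ipaddress.ip_network(n) for n in NETDESTINATIONS[alias])


def evaluate(acl, src, dst, service="any"):
    """Evaluate one flow the way a first-match session ACL does.

    Returns (action, position); position is None when no ACE matched and the
    controller's implicit deny-all at the end of the list applies."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for pos, (s, d, svc, action) in enumerate(acl, start=1):
        if matches(s, src_ip) and matches(d, dst_ip) and svc in ("any", service):
            return action, pos
    return "deny", None


if __name__ == "__main__":
    # Constructed client addresses: one per building, plus the 192.168.20.0/24
    # range from the original question, which no netdestination above covers.
    for client in ("192.168.1.10", "192.168.2.10", "192.168.20.10"):
        action, pos = evaluate(ACL, client, "10.1.2.3")
        where = f"ACE {pos}" if pos else "implicit deny"
        print(f"{client:>14} -> {action:6} ({where})")
```

Running it shows that the 192.168.20.0/24 range from the first post is dropped by the implicit deny, so a third netdestination and permit ACE would be needed if that range is also meant to be allowed.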



  • 5.  RE: Mobility Master log on

    EMPLOYEE
    Posted Sep 17, 2019 01:28 PM

    Thank you. I will let you know shortly



  • 6.  RE: Mobility Master log on

    EMPLOYEE
    Posted Sep 18, 2019 09:16 AM

    That was what he was looking for, thank you for your help!