Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Single Guest SSID | Guest Role ID restrict access to different area with same SSID

  • 1.  Single Guest SSID | Guest Role ID restrict access to different area with same SSID

    Posted Feb 12, 2020 02:14 AM

    Hi,

     

    I have a Guest SSID "GUEST" that is broadcast to the whole campus. The client wants Guest Users that have Role ID [GYM] to be able to access only the Gym Area; in other areas they will be prompted with the Captive Portal again.

     

    I have already set this as Radius: Aruba > AP-Group, but I notice that when we apply MAC Auth, the user is not able to access the "GYM" area even though his Guest Role ID is [Guest]; likewise, they are also able to access the Student Portal.

     

    The client does not use AD; all accounts will be generated on Guest Repository User.



  • 2.  RE: Single Guest SSID | Guest Role ID restrict access to different area with same SSID

    MVP GURU
    Posted Feb 12, 2020 09:30 AM

    I assume you use ClearPass as your RADIUS server since you mentioned the Guest Repository?

     

    If so you can create a role mapping policy that matches based on the ap-group or other location-based attribute. For instance, if it matches the ap-group, and is assigned the gym role from ClearPass guest, you return the guest role of choice to the controllers. Then you can have another policy that says, if the ap-group does not equal the gym ap group, and it is assigned the gym role from ClearPass guest, then assign the captive portal role.



  • 3.  RE: Single Guest SSID | Guest Role ID restrict access to different area with same SSID

    Posted Feb 13, 2020 12:43 AM

    Thanks, it's working now. Now my problem is the MAC Caching for each location. I notice that once a [Guest] connects in area 1 and then moves to the Gym Area, they are able to connect.

     

    Any idea how to separate the MAC Caching of [Guest] and [GYM]?



  • 4.  RE: Single Guest SSID | Guest Role ID restrict access to different area with same SSID

    MVP GURU
    Posted Feb 13, 2020 12:03 PM

    You could make rules that do not allow [guest] to connect to the AP-Group in the gym, but if they are in other areas besides the gym, and they associate to one of the Gym APs, that could cause issues.

     

    If role = guest and AP-Group = Gym then deny access?

     

    Is there a reason why a guest shouldn't connect in the Gym?



  • 5.  RE: Single Guest SSID | Guest Role ID restrict access to different area with same SSID

    Posted Feb 13, 2020 06:09 PM

    The client wants the GYM guest users to be able to connect in the gym and not be able to connect in other locations, more or less like if there is an event: an event role can only connect in that area, and the other areas are off limits.



  • 6.  RE: Single Guest SSID | Guest Role ID restrict access to different area with same SSID

    MVP GURU
    Posted Feb 14, 2020 09:09 AM

    The [guest] users being able to connect in the GYM or in the special events areas would be an issue though? You can certainly limit the Gym and Special Event users to the APs/AP-Groups that they need access to.
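
The location rules suggested in replies 2 and 4, and the MAC-caching behaviour reported in reply 3, modelled in plain Python as an added example that is not part of the original thread and is not ClearPass configuration syntax. The role names returned to the controller, the AP-group names and the MAC addresses are constructed assumptions; the point is that a cached MAC has to pass through the same AP-group rules as a fresh portal login.

```python
# Added illustration: a plain-Python model, not ClearPass configuration syntax.
# Role names, AP-group names and MAC addresses below are constructed.
CAPTIVE_PORTAL = "captive-portal"   # role that sends the client back to the portal
DENY = "deny"

# First-match rule table: (guest role, AP-group or None for "any other", result)
RULES = [
    ("GYM",   "gym-aps", "gym-guest"),      # gym user inside the gym AP-group
    ("GYM",   None,      CAPTIVE_PORTAL),   # gym user anywhere else (reply 2)
    ("Guest", "gym-aps", DENY),             # ordinary guest on gym APs (reply 4)
    ("Guest", None,      "guest"),          # ordinary guest anywhere else
]

def enforce(guest_role, ap_group):
    """Return the controller role for a guest role seen at an AP-group."""
    for role, group, result in RULES:
        if role == guest_role and group in (None, ap_group):
            return result
    return CAPTIVE_PORTAL                   # unknown role: force a portal login

# MAC cache written at portal login: MAC -> guest role of the account used.
MAC_CACHE = {
    "aa:bb:cc:00:00:01": "Guest",
    "aa:bb:cc:00:00:02": "GYM",
}

# What a location-blind MAC-caching rule hands back for each cached role.
LOCATION_BLIND = {"Guest": "guest", "GYM": "gym-guest"}

def mac_auth_cached_only(mac, ap_group):
    """Location-blind MAC auth: a cached MAC gets its role back at any AP-group."""
    return LOCATION_BLIND.get(MAC_CACHE.get(mac), CAPTIVE_PORTAL)

def mac_auth_location_aware(mac, ap_group):
    """MAC auth that re-applies the AP-group rules to the cached role."""
    role = MAC_CACHE.get(mac)
    return CAPTIVE_PORTAL if role is None else enforce(role, ap_group)
```

With the location-blind variant, the [Guest] device cached in another area is admitted on the gym APs, which is the behaviour described in reply 3; the location-aware variant returns the deny or captive-portal result instead.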