Occasional Contributor I

Single Guest SSID | Guest Role ID restrict access to different area with same SSID

Hi,

I have a Guest SSID "GUEST" that is broadcast across the whole campus. The client wants Guest Users that have Role ID [GYM] to be able to access only the Gym Area; in other areas they will be prompted with the Captive Portal again.

I have already set this as Radius: Aruba > AP-Group, but I notice that when we apply the MAC Auth, the users are not able to access the "GYM" area even though their Guest Role ID is [Guest]; likewise, they are also able to access the Student Portal.

The client does not use AD; all accounts will be generated on Guest Repository User.

Frequent Contributor I

Re: Single Guest SSID | Guest Role ID restrict access to different area with same SSID

I assume you use ClearPass as your RADIUS server since you mentioned the Guest Repository?

If so you can create a role mapping policy that matches based on the ap-group or other location-based attribute. For instance, if it matches the ap-group, and is assigned the gym role from ClearPass guest, you return the guest role of choice to the controllers. Then you can have another policy that says, if the ap-group does not equal the gym ap group, and it is assigned the gym role from ClearPass guest, then assign the captive portal role.

Dustin Burns
Senior Mobility and Access Engineer @WEI
ACMX | ACCP | ACSA | CCNP | CCDP | CCNA Wireless
Occasional Contributor I

Re: Single Guest SSID | Guest Role ID restrict access to different area with same SSID

Thanks, it's working now. Now my problem is with the MAC Caching of each location. I notice that once a [Guest] connects in area 1 and then moves to the Gym Area, they are able to connect.

Any idea how to separate the MAC Caching of [Guest] and [GYM]?

Frequent Contributor I

Re: Single Guest SSID | Guest Role ID restrict access to different area with same SSID

You could make rules that do not allow [guest] to connect to the AP-Group in the gym, but if they are in other areas besides the gym, and they associate to one of the Gym APs, that could cause issues.

If role = guest and AP-Group = Gym then deny access?

Is there a reason why a guest shouldn't connect in the Gym?

Dustin Burns
Senior Mobility and Access Engineer @WEI
ACMX | ACCP | ACSA | CCNP | CCDP | CCNA Wireless
Occasional Contributor I

Re: Single Guest SSID | Guest Role ID restrict access to different area with same SSID

The client wants the guest users of GYM to be able to connect in the gym and not be able to connect in other locations. More or less like, if there is an event, an event role can only connect in that area; the other areas are off limits.

Frequent Contributor I

Re: Single Guest SSID | Guest Role ID restrict access to different area with same SSID

The [guest] users being able to connect in the GYM or in the special events areas would be an issue though? You can certainly limit the Gym and Special Event users to the APs/AP-Groups that they need access to.

Dustin Burns
Senior Mobility and Access Engineer @WEI
ACMX | ACCP | ACSA | CCNP | CCDP | CCNA Wireless
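
The location-based role mapping discussed in the replies above, modeled as an added example that is not part of the original thread and is not ClearPass configuration: an ordered, first-match policy evaluated on every authentication, so a MAC-cached client is re-checked against the AP-group it is currently on. All role names, AP-group names and the `EVENT` zone are hypothetical placeholders.

```python
# Added illustration: ordered, first-match role mapping keyed on the guest
# account's role AND the AP-group of the current association.
# Every role and AP-group name below is a hypothetical placeholder.
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

CAPTIVE_PORTAL = "captive-portal"  # assumed pre-auth role on the controller
ACCESS = "guest-access"            # assumed post-auth role on the controller
DENY = "deny"

# Location-bound guest roles and the AP-groups each one may use (constructed).
ZONES = {"GYM": {"gym-aps"}, "EVENT": {"event-hall-aps"}}
RESTRICTED_GROUPS = set().union(*ZONES.values())


@dataclass(frozen=True)
class Request:
    mac: str
    ap_group: str              # where the client is associating right now
    guest_role: Optional[str]  # role from the guest account or MAC cache


@dataclass(frozen=True)
class Rule:
    name: str
    match: Callable[[Request], bool]
    result: str


RULES = [
    Rule("zone role inside its zone",
         lambda r: r.guest_role in ZONES and r.ap_group in ZONES[r.guest_role], ACCESS),
    Rule("zone role outside its zone", lambda r: r.guest_role in ZONES, CAPTIVE_PORTAL),
    Rule("general guest on a restricted AP-group",
         lambda r: r.guest_role == "Guest" and r.ap_group in RESTRICTED_GROUPS, DENY),
    Rule("general guest elsewhere", lambda r: r.guest_role == "Guest", ACCESS),
]


def authorize(req: Request) -> Tuple[str, str]:
    """Return (controller_role, rule_name); unmatched requests get the portal."""
    for rule in RULES:
        if rule.match(req):
            return rule.result, rule.name
    return CAPTIVE_PORTAL, "default"


def roam(mac: str, cached_role: Optional[str], path: List[str]) -> List[str]:
    """Re-run the policy at each AP-group a MAC-cached client roams through."""
    return [authorize(Request(mac, group, cached_role))[0] for group in path]
```

Because the cached role is only one input and the AP-group is read fresh on each request, a cached MAC alone never grants access in the wrong zone.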