Disable Guest SSID based on set schedule.

  • Idea
  • Updated 1 year ago
  • Implemented
Disabling open/guest SSID networks in the middle of the night would be neat for a level of security for an SSID with hardly any security.
Jim Seaman

Posted 5 years ago

Branden Henner

Unfortunately, this functionality is not available without purchasing Enterasys NAC. Here is a workaround. Create an internal captive portal that authenticates to Active Directory via RADIUS. Create a group in Active Directory with only one account, which would be a generic guest account. Use the captive portal editor to explain in the login process to use the generic user name and password. In RADIUS or in NPS you can define a time of day in which that one user is allowed to authenticate. At that point you would need to create a short session timeout so that the user can't stay on all night. It is not pretty but unfortunately it is the only way I've found.
Jim Seaman

Currently, we aren't running RADIUS. I would have to enable RADIUS and EAPOL (as far as switch commands) on all the switches and force multiauth to the APs and build policies on Network Policy on Windows as far as first steps to possibly getting this feature going?

I'll be going to Enterasys training soon. Maybe I should wait until after completing the training.
Scott, Employee

Thank you for your input. This is also on our product roadmap and is currently targeted for mid to late summer of 2014.
Branden Henner

Woah. Overthinking it, buddy. Just fire up the NPS role on your AD server and point auth on the controller to it. Pretty simple. Don't do anything on the switches.

Edit: create the appropriate policies in NPS of course.
Jim Seaman

Phew. Okay cool. Thanks, Branden!
James A, Embassador

My SE told me about a MIB to enable/disable an SSID, so you could just run this in a cronjob:
snmpset -v2c -c private ewc.host.name .1.3.6.1.4.1.4329.15.3.3.4.4.1.7.101 i: 2
101 is the SNMP ID for that SSID (which you can find by snmpwalking .1.3.6.1.4.1.4329.15.3.3.4.4.1.4), and i: 2 disables, i: 1 enables.
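
An added example, not part of the original post: a POSIX shell wrapper for the cron approach above that picks the state from an off-hours window (including one that wraps past midnight) and reads the value back after the set, so a failed change is logged instead of leaving the open SSID up overnight. The window hours, the community file path and the GUEST_SSID_APPLY switch are assumptions; the OID, SSID index 101, host name and the 1/2 values are the ones given in the post.

```shell
#!/bin/sh
# Added example, not from the thread. OID, index 101 and the 1/2 values are
# from the post; window hours, file path and GUEST_SSID_APPLY are assumptions.
CONTROLLER="${CONTROLLER:-ewc.host.name}"
SSID_INDEX="${SSID_INDEX:-101}"
ENABLE_OID=".1.3.6.1.4.1.4329.15.3.3.4.4.1.7"
OFF_FROM="${OFF_FROM:-23}"    # first hour (0-23) with the SSID off
OFF_UNTIL="${OFF_UNTIL:-6}"   # first hour with the SSID back on
# The community string is read from a root-only file (mode 0600), not the crontab.
COMMUNITY_FILE="${COMMUNITY_FILE:-/etc/guest-ssid/community}"

# Print 2 (disable) if hour $1 falls inside the off window, else 1 (enable).
# Accepts "08"-style output of `date +%H` and windows that wrap past midnight.
desired_state() {
    h=${1#0}; h=${h:-0}
    state=1
    if [ "$OFF_FROM" -le "$OFF_UNTIL" ]; then
        if [ "$h" -ge "$OFF_FROM" ] && [ "$h" -lt "$OFF_UNTIL" ]; then state=2; fi
    elif [ "$h" -ge "$OFF_FROM" ] || [ "$h" -lt "$OFF_UNTIL" ]; then
        state=2
    fi
    echo "$state"
}

# Set the SSID to state $1 (1 or 2), then read the value back with snmpget.
# Returns non-zero if the file is unreadable, either SNMP call fails, or the
# controller does not report the requested state afterwards.
apply_state() {
    want=$1
    community=$(cat "$COMMUNITY_FILE") || return 1
    oid="$ENABLE_OID.$SSID_INDEX"
    snmpset -v2c -c "$community" "$CONTROLLER" "$oid" i "$want" >/dev/null || return 1
    got=$(snmpget -v2c -c "$community" -Oqve "$CONTROLLER" "$oid") || return 1
    [ "$got" = "$want" ]
}

# Constructed cron entry: 0 * * * * GUEST_SSID_APPLY=1 /usr/local/sbin/guest-ssid.sh
if [ "${GUEST_SSID_APPLY:-0}" = 1 ]; then
    target=$(desired_state "$(date +%H)")
    if ! apply_state "$target"; then
        logger -t guest-ssid "could not set SSID $SSID_INDEX to state $target"
        exit 1
    fi
fi
```

Running it hourly rather than only at the two boundary hours means a missed or failed run is corrected at the next hour.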

James A, Embassador

10.11.05. It seems that if you have the read/write community name the same as the read community then now you only get read permissions. I changed the read/write community name and it works again.
James A, Embassador

It's possible that there's actually a problem with snmpsubagent, and changing the community just restarted it. I started getting the error again, and manually killing snmpsubagent (and letting the process monitor restart it) fixes things. Even snmpwalk only shows the base values, none of the wireless OIDs appear. I'll open a GTAC case for this.
Gareth Mitchell, Extreme Escalation Support Engineer

Hi James

I think the case route is the best way, I saw the same as you in the lab after changing my community names.

-Gareth
James A, Embassador

I see 10.21.02 has been released, with several fixes for "Improved performance of SNMP agent to handle large volume of configuration transactions" wns0017179 wns0017301 wns0017318 wns0017228. Will these go into 10.11 at some point?

Also, would this explain why I'm not getting AP down notifications any more?
Gareth Mitchell, Extreme Escalation Support Engineer

The fixes are in 10.11.06.

-Gareth