Disable Guest SSID based on set schedule.


Disabling open/guest SSID networks in the middle of the night would be neat for a level of security for an SSID with hardly any security.

13 replies

Unfortunately, this functionality is not available without purchasing Enterasys NAC. Here is a workaround. Create an internal captive portal that authenticates to Active Directory via RADIUS. Create a group in Active Directory with only one account, which would be a generic guest account. Use the captive portal editor to explain in the login process to use the generic user name and password. In RADIUS or in NPS you can define a time of day in which that one user is allowed to authenticate. At that point you would need to create a short session timeout so that the user can't stay on all night. It is not pretty, but unfortunately it is the only way I've found.
Currently, we aren't running RADIUS. I would have to enable RADIUS and EAPOL (as far as switch commands) on all the switches and force multiauth to the APs and build policies on Network Policy on Windows as far as first steps to possibly getting this feature going? I'll be going to Enterasys training soon. Maybe I should wait until after completing the training.
Thank you for your input. This is also on our product roadmap and is currently targeted for mid-late summer of 2014.
Woah. Overthinking it, buddy. Just fire up the NPS role on your AD server and point auth on the controller to it. Pretty simple. Don't do anything on the switches. Edit: create the appropriate policies in NPS, of course.
Phew. Okay cool. Thanks, Branden!
My SE told me about a MIB to enable/disable an SSID, so you could just run this in a cronjob:

snmpset -v2c -c private ewc.host.name .1.3.6.1.4.1.4329.15.3.3.4.4.1.7.101 i: 2

101 is the SNMP ID for that SSID (which you can find by snmpwalking .1.3.6.1.4.1.4329.15.3.3.4.4.1.4), and i: 2 disables, i: 1 enables.

I upgraded the controller from 9.21 to 10.11 and now the snmpset returns noAccess, has this interface been disabled?

Hi James

I just tested this on 10.11.05; it seems to work OK for me.

Which version 10.11 are you running?

-Gareth

10.11.05. It seems that if you have the read/write community name the same as the read community then now you only get read permissions. I changed the read/write community name and it works again.

It's possible that there's actually a problem with snmpsubagent, and changing the community just restarted it. I started getting the error again, and manually killing snmpsubagent (and letting the process monitor restart it) fixes things. Even snmpwalk only shows the base values, none of the wireless OIDs appear. I'll open a GTAC case for this.

Hi James

I think the case route is the best way, I saw the same as you in the lab after changing my community names.

-Gareth

I see 10.21.02 has been released, with several fixes for "Improved performance of SNMP agent to handle large volume of configuration transactions" wns0017179 wns0017301 wns0017318 wns0017228. Will these go into 10.11 at some point?

Also, would this explain why I'm not getting AP down notifications any more?

The fixes are in 10.11.06.

-Gareth
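
An added example, not part of any post in this thread: a cron wrapper around the snmpset approach that reads the state back after each set, so the noAccess and missing-OID failures reported above make the job fail visibly instead of silently leaving the guest SSID up overnight. The OID, SSID index 101 and the values 1/2 come from the thread; the 23:00-06:00 window, variable names, exit codes and script path are assumptions, and the commands are net-snmp's snmpset and snmpget.

```shell
#!/bin/sh
# Added example: guest-SSID schedule with read-back check (not from the thread).
# From the thread: the state OID, SSID index 101, 1 = enable, 2 = disable.
# Assumed here: the 23:00-06:00 window, variable names, exit codes.
EWC_HOST="${EWC_HOST:-ewc.host.name}"
SSID_ID="${SSID_ID:-101}"
STATE_OID=".1.3.6.1.4.1.4329.15.3.3.4.4.1.7"
OFF_START="${OFF_START:-23}"   # hour the SSID is disabled (assumed)
OFF_END="${OFF_END:-6}"        # hour it is enabled again (assumed)

# desired_state HOUR: print 2 inside the off window, 1 outside it.
desired_state() {
    h=${1#0}; h=${h:-0}        # "08" -> 8, so the comparison sees a plain decimal
    if [ "$OFF_START" -gt "$OFF_END" ]; then     # window wraps past midnight
        if [ "$h" -ge "$OFF_START" ] || [ "$h" -lt "$OFF_END" ]; then echo 2; else echo 1; fi
    else
        if [ "$h" -ge "$OFF_START" ] && [ "$h" -lt "$OFF_END" ]; then echo 2; else echo 1; fi
    fi
}

# apply_state STATE: 0 = controller confirms STATE, 3 = set rejected
# (for example noAccess), 4 = read-back missing or different.
apply_state() {
    want=$1
    oid="$STATE_OID.$SSID_ID"
    : "${SNMP_RW_COMMUNITY:?export the read/write community first}"
    if ! out=$(snmpset -v2c -c "$SNMP_RW_COMMUNITY" "$EWC_HOST" "$oid" i "$want" 2>&1); then
        echo "guest-ssid: snmpset rejected: $out" >&2
        return 3
    fi
    # -Oqve: value only, enums as numbers, so the output compares to 1 or 2
    got=$(snmpget -v2c -c "$SNMP_RW_COMMUNITY" -Oqve "$EWC_HOST" "$oid" 2>/dev/null) || got=""
    [ "$got" = "$want" ] && return 0
    echo "guest-ssid: wanted $want, controller reports '$got'" >&2
    return 4
}

# Hourly cron entry (script path is hypothetical; SNMP_RW_COMMUNITY must be
# set in the crontab environment):
#   0 * * * * /usr/local/bin/guest-ssid.sh --run
if [ "${1:-}" = "--run" ]; then
    apply_state "$(desired_state "$(date +%H)")"
fi
```

Running it every hour re-asserts the scheduled state, so a controller restart or a manual change during the off window is corrected at the next run, and cron mails the stderr line when a set or read-back fails.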