03-16-2020 02:51 PM
What is the best configuration for an environment where I have a ssid for visitors? They are employees who can access this network and anyone else who accesses the organization.
Do I consider sanctioned customers, through a rule, those who connect to this ssid?
I am doing it this way, but this way when a client connects to another network, for example, I receive alarms informing that a sanctioned client has connected to another non-sanctioned network.
But I don't want to have this level of control over clients who connect to the visitor network.
Solved! Go to Solution.
03-16-2020 03:45 PM
Casimiroir,
“What is the best configuration for an environment where I have a ssid for visitors? They are employees who can access this network and anyone else who accesses the organization.“
You have an SSID that is designated for employees but they are visitors? I need clarification on this statement.
“Do I consider sanctioned customers, through a rule, those who connect to this ssid?”
The only time you should sanction a client is if they are a trusted device - typically meaning they are an employee’s device or some other device that is under your management/control.
But yes, you can create a Device Action Manager rule that will automatically Sanction client devices, but you only want to do this for employee/company devices. You can also import a CSV file of the client MACs, or you can setup a rule that sanctions the clients based on polling of a wireless controller.
“I am doing it this way, but this way when a client connects to another network, for example, I receive alarms informing that a sanctioned client has connected to another non-sanctioned network.”
This would be expected behavior if you are sanctioning non-employee devices. What’s happening is that AirDefense is then seeing what is now a sanctioned client connecting to an SSID that doesn’t belong to you (because they aren’t employees and are connecting to non-corporate networks - which would be normal behavior for them.
“But I don't want to have this level of control over clients who connect to the visitor network.”
How you normally setup a true Guest network is you continue to sanction the guest BSS, but in the Security Profile that you create for the guest SSID and assign to the guest BSS’s, you check the box that says that non-sanctioned clients are allowed to connect. This will prevent AirDefense from thinking that these guest unsanctioned clients are Rogue clients when they connect to your Sanctioned Guest BSS.
Bottom line, sanction your APs and create the necessary Security Policies for them based on the SSIDs. If you have 5 SSIDs, you’ll have to create 5 Security Profiles. Then ensure that the appropriate security profile is assigned to the BSS’s.
For the client side, you then want to somehow sanction (there are multiple methods) only *your* client devices. You can either specify that a client device is okay to use any SSID in your security profiles (Sanction Inherit)...or just specific ones (Sanction Assign)
03-16-2020 07:00 PM
“ It is actually a guest network that employees use with their personal devices.”
This is little bit of a corner case. You’ll need to decide how you want to treat this situation. Just understand that if you don’t want to ‘trust’ the employee personal devices, then you don’t want to Sanction them….which also means that you need to configure the Security Profile for that SSID so that it allows Unsanctioned clients. The concern here is that if there was a legitimate breach by a malicious user, their UNSANCTIONED device would not be flagged by AirDefense when it associates to the SSID...because the Security Profile says that this is allowed.
03-16-2020 05:19 PM
Here is the Extreme AirDefense - ADSP Guest Network Fine-Tuning How-to Guide:
ADSP_GUEST_NETWORK_TUNING_HTG_MN-002713-001_REVA_EN.pdf |
03-16-2020 04:43 PM
“You have an SSID that is designated for employees but they are visitors? I need clarification on this statement.”
It is actually a guest network that employees use with their personal devices.
“For the client side, you then want to somehow sanction (there are multiple methods) only *your* client devices. You can either specify that a client device is okay to use any SSID in your security profiles (Sanction Inherit)...or just specific ones (Sanction Assign)”
I believe that here I was commenting on an error. Now, I configured it as suggested and I will wait for the result.
03-16-2020 03:45 PM
Casimiroir,
“What is the best configuration for an environment where I have a ssid for visitors? They are employees who can access this network and anyone else who accesses the organization.“
You have an SSID that is designated for employees but they are visitors? I need clarification on this statement.
“Do I consider sanctioned customers, through a rule, those who connect to this ssid?”
The only time you should sanction a client is if they are a trusted device - typically meaning they are an employee’s device or some other device that is under your management/control.
But yes, you can create a Device Action Manager rule that will automatically Sanction client devices, but you only want to do this for employee/company devices. You can also import a CSV file of the client MACs, or you can setup a rule that sanctions the clients based on polling of a wireless controller.
“I am doing it this way, but this way when a client connects to another network, for example, I receive alarms informing that a sanctioned client has connected to another non-sanctioned network.”
This would be expected behavior if you are sanctioning non-employee devices. What’s happening is that AirDefense is then seeing what is now a sanctioned client connecting to an SSID that doesn’t belong to you (because they aren’t employees and are connecting to non-corporate networks - which would be normal behavior for them.
“But I don't want to have this level of control over clients who connect to the visitor network.”
How you normally setup a true Guest network is you continue to sanction the guest BSS, but in the Security Profile that you create for the guest SSID and assign to the guest BSS’s, you check the box that says that non-sanctioned clients are allowed to connect. This will prevent AirDefense from thinking that these guest unsanctioned clients are Rogue clients when they connect to your Sanctioned Guest BSS.
Bottom line, sanction your APs and create the necessary Security Policies for them based on the SSIDs. If you have 5 SSIDs, you’ll have to create 5 Security Profiles. Then ensure that the appropriate security profile is assigned to the BSS’s.
For the client side, you then want to somehow sanction (there are multiple methods) only *your* client devices. You can either specify that a client device is okay to use any SSID in your security profiles (Sanction Inherit)...or just specific ones (Sanction Assign)