Wi-Fi Isolation for a specific VLAN

  • Question
  • Updated 12 months ago
We have a Wi-Fi SSID that puts a user on a specific VLAN depending on the RADIUS authentication. We want to implement Wi-Fi isolation in one of the VLANs. Is this possible?

I work in a school and staff members and students connect to the same SSID, but the RADIUS server separates them into different VLANs. So we want to implement Wi-Fi isolation for the students' VLAN, but not for the staff. We want to do this so the students' devices can't communicate with each other. Any help with this would be appreciated.
TJ

Posted 1 year ago
Joel Brooks
You would have to write a specific firewall policy for that student VLAN within HM. Add an ACL to it allowing the students access only to the specific resources they need, i.e. Internet, internal servers/web servers, printers etc.
Carsten Buchenau, Champ
Exactly as Joel already wrote. The pre-defined IP Firewall Policy Guest-Internet-Access-only is already a good start: add it to the "From" field inside the Students user profile, and you are set. If you need exceptions, clone the policy object and add allow-rules on top as needed.
Joel Brooks
I wondered if I should include more detail as some people are still new to AH. Thanks!
TJ
Please do. Thanks!
Arkadiusz
Wouldn't it be easier to create another SSID just for students in this specific VLAN and to click "Isolate clients" in the SSID configuration? It would be authenticated by your RADIUS. Anyone any ideas?
Carsten Buchenau, Champ
First, you should always aim to reduce the number of SSIDs as much as possible, to limit the overhead traffic added by each wireless broadcast domain, which reduces the available bandwidth and performance for all SSIDs. If you can lower the number, do it.

Second, there is no "Isolate clients" setting but a traffic filter with "Enable/disable inter-station traffic". And this only works for clients being connected to access interfaces on the same device. So if you want to block traffic to a certain server or between two wireless stations connected to different Access Points, then you'd still have to add an IP Firewall policy to your user profile.

Using (stateful inspection!) IP Firewall policies in user profiles is fairly straightforward. The only thing that sometimes confuses people is the two traffic direction settings "from" and "to". "From" means traffic from clients to the device, and thus to the rest of the network, which is generally what you want to apply your rules on.
Jonathan Hurtt
One small correction on your second item, “Enable/disable inter-station traffic” actually works a bit differently than you described.

As you stated, when disabled on an SSID, the interface associated with that SSID (e.g. wifi1.1) will prevent a client (Client #1) associated with that SSID/interface from sending or receiving frames from any client (Client #2) associated with other SSIDs/interfaces when the user profile of the other clients places them in the same VLAN.

It will also prevent Client #1 from sending/receiving frames from any client that is associated with other Access Points that are AMRP Neighbors (same hive and L2 and/or RF neighbors). These clients are what make up the roaming cache. Clients that are part of the AP's roaming cache and on the same VLAN will also be considered when the AP decides whether to forward traffic.

Note in either scenario, if the VLAN is different, then one would need to leverage the Stateful Firewall, as it's no longer a Layer 2 communication: the Frame turns into a Packet destined for the Default Gateway and gets routed back down to the destination.

I hope this makes sense.
Carsten Buchenau, Champ
Thanks Jonathan! Yep, that makes a lot of sense.
TJ
Thanks for all the responses. I am a newbie using HM, so any details you guys can give me would be extremely useful.
Eastman Rivai, Official Rep
TJ,

I presumed that the WLAN has been configured to assign students' and staff's devices to their own VLANs.

In order to control the access, I would create an IP-Policy and apply it to the student user profile. In this example the students' network is 172.16.110.0/24 and the staff's network is 172.16.111.0/24.

CLI:
ip-policy student id 1 from 0.0.0.0 0.0.0.0 to 0.0.0.0 0.0.0.0 service dhcp-server action permit
ip-policy student id 2 from 0.0.0.0 0.0.0.0 to 0.0.0.0 0.0.0.0 service dns action permit
ip-policy student id 3 from 172.16.110.0 255.255.255.0 to 172.16.110.0 255.255.255.0 service any action deny
ip-policy student id 4 from 172.16.110.0 255.255.255.0 to 172.16.111.0 255.255.255.0 service any action deny
ip-policy student id 5 from 0.0.0.0 0.0.0.0 to 0.0.0.0 0.0.0.0 service any action permit
user-profile student security ip-policy from-access student
user-profile student ip-policy-default-action deny

Rule 3 is to block traffic between student devices.
Rule 4 is to block traffic from student devices to staff devices.
Rule 5 is to allow traffic from students to any other destination.

I hope this is what you need. 
Eastman
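Added example, not part of the thread or the product: a small parser and first-match evaluator for the student ip-policy lines posted above, useful for checking offline why rules 1 and 2 have to sit before the deny rules and what the profile's default action catches. It assumes rules are evaluated in id order with the first match winning, which is what the rule descriptions imply; the client and server addresses in the flows are constructed.

```python
# Added example (not from the thread): parse the posted ip-policy lines and
# evaluate "from" flows first-match in rule-id order (assumed semantics).
import ipaddress
import re

# Rule lines transcribed from the thread, rule 5 with "action" spelled out.
STUDENT_POLICY_CLI = """
ip-policy student id 1 from 0.0.0.0 0.0.0.0 to 0.0.0.0 0.0.0.0 service dhcp-server action permit
ip-policy student id 2 from 0.0.0.0 0.0.0.0 to 0.0.0.0 0.0.0.0 service dns action permit
ip-policy student id 3 from 172.16.110.0 255.255.255.0 to 172.16.110.0 255.255.255.0 service any action deny
ip-policy student id 4 from 172.16.110.0 255.255.255.0 to 172.16.111.0 255.255.255.0 service any action deny
ip-policy student id 5 from 0.0.0.0 0.0.0.0 to 0.0.0.0 0.0.0.0 service any action permit
"""
DEFAULT_ACTION = "deny"   # user-profile student ip-policy-default-action deny

RULE_RE = re.compile(r"ip-policy (\S+) id (\d+) from (\S+) (\S+) to (\S+) (\S+) "
                     r"service (\S+) action (permit|deny)")

def parse_policy(text):
    """Turn CLI rule lines into (id, from_net, to_net, service, action) tuples."""
    rules = []
    for line in text.strip().splitlines():
        m = RULE_RE.fullmatch(line.strip())
        if not m:
            raise ValueError(f"unrecognised rule: {line!r}")
        _name, rid, fa, fm, ta, tm, svc, action = m.groups()
        # ipaddress accepts an (address, dotted-mask) tuple; 0.0.0.0/0.0.0.0 is "any"
        rules.append((int(rid), ipaddress.ip_network((fa, fm)),
                      ipaddress.ip_network((ta, tm)), svc, action))
    return sorted(rules, key=lambda r: r[0])   # walk rules in id order

def evaluate(rules, src, dst, service, default=DEFAULT_ACTION):
    """First matching rule wins: returns (action, rule_id), rule_id None if the default applies."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rid, frm, to, svc, action in rules:
        if s in frm and d in to and svc in ("any", service):
            return action, rid
    return default, None

STUDENT_RULES = parse_policy(STUDENT_POLICY_CLI)

if __name__ == "__main__":
    # Constructed "from" flows leaving a student client at 172.16.110.20
    for dst, svc in [("172.16.110.21", "http"), ("172.16.111.5", "smb"),
                     ("172.16.110.1", "dns"), ("198.51.100.10", "http")]:
        print(dst, svc, evaluate(STUDENT_RULES, "172.16.110.20", dst, svc))
```

Dropping rules 1 and 2 (evaluate with `STUDENT_RULES[2:]`) shows the practical reason for their position: a DNS or DHCP server that lives inside the student VLAN would otherwise be caught by rule 3.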