SSID and IP address mismatch issue
#1
Posted 12 November 2009 - 09:10 PM
I have an issue related to the IP address while connecting to the wireless network.
Following is the scenario:
We have the following components:
Nortel Wireless Security Switch(WSS) Model# 2382
AP - Nortel Model # 2332 E3
Radius - Juniper SBR - Corporate Edition.
Issue:
In the normal scenario everything goes well and I am able to connect to any SSID with the respective credentials given in Radius. But the problem is that in case I try to connect to an SSID with some other SSID's credentials, it also connects. It also allocates the IP address from the IP pool of the other SSID, of which I have used only the username and password.
For example:
I have two SSIDs - CORP1 (username - Corp1 & Pwd - abcd123) and CORP2 (username - Corp2 & Pwd - abcd123).
When I connect from a client to CORP1 with the credentials of CORP2, it connects and gives the IP address from the defined CORP2 SSID range. Actually it shouldn't.
Can you suggest how to overcome this issue, so that it stops only when it is getting authenticated at the Radius with SSID and username/password mismatching?
Let me know in case some more details are required.
Thanks
Harish Chopra
#2
Posted 13 November 2009 - 12:48 AM
BTW RBAC is exactly what you’re describing and is considered an extremely secure WLAN, as access to any network resources is controlled through radius, per user security instead of per WLAN security.
#3
Posted 13 November 2009 - 01:45 AM
If I understand correctly, you're trying to ensure that a user's credentials work only for a given essid/subnet? If a user can connect to any essid with said credentials and be placed on the correct subnet as defined by radius, is the user only able to access network resources as defined by radius for those credentials? It sounds like “role based access control” is enabled on the WLAN controller; however, while this is not what you want, it is giving you the security you are looking for, or you need to set within radius allowed essid per user?
BTW RBAC is exactly what you’re describing and is considered an extremely secure WLAN, as access to any network resources is controlled through radius, per user security instead of per WLAN security.
=======================
Hello Sir,
Thanks for replying. But let me re-phrase my issue. When I am connecting to SSID - CORP1 using the credentials of CORP2, i.e. username corp2 and pwd abc123, the user gets connected to the network and also gets the IP from the VLAN of the CORP2 SSID defined in the DHCP server. And this is the only issue: first of all it shouldn't be authenticated, and of course it shouldn't get the IP address from the CORP2 pool at any cost.
About your suggestion, as of now we haven't defined any ACL in WSS, but can you tell me how it can affect my traffic?
I think this is something that needs to be done on the Radius side. I saw one option named Checklist wherein we can define the things Radius should check when any request comes to the Radius for a particular SSID.
Can you provide me your email id so that I can send you the details?
Thanks for your help.
Harish
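Added example (not from any poster in this thread, and not Juniper SBR syntax): the check-list idea from the post above expressed as Python policy logic. It assumes the controller sends the SSID in Called-Station-Id as "AP-MAC:SSID" (the RFC 3580 convention); the user table, VLAN IDs and the `authorize` function are hypothetical.

```python
import hmac
import re

# Constructed user table: names and SSIDs follow the thread, VLAN IDs are made up.
USERS = {
    "corp1": {"password": "abcd123", "allowed_ssids": {"CORP1"}, "vlan": "10"},
    "corp2": {"password": "abcd123", "allowed_ssids": {"CORP2"}, "vlan": "20"},
}

# Assumption: Called-Station-Id is "<AP MAC>:<SSID>", MAC written with '-' or ':'.
_CSID = re.compile(r"^(?:[0-9A-Fa-f]{2}[-:]){5}[0-9A-Fa-f]{2}:(.+)$")


def ssid_from_called_station_id(value):
    """Return the SSID suffix of Called-Station-Id, or None if it has none."""
    m = _CSID.match(value or "")
    return m.group(1) if m else None


def authorize(request):
    """Evaluate one Access-Request (dict of attributes).

    Returns (decision, reply_attributes, reason). The password comparison is
    a simplification; a real 802.1X deployment runs an EAP method here.
    """
    user = USERS.get(request.get("User-Name", "").lower())
    supplied = request.get("User-Password", "").encode()
    if user is None or not hmac.compare_digest(user["password"].encode(), supplied):
        return "Access-Reject", {}, "bad credentials"

    ssid = ssid_from_called_station_id(request.get("Called-Station-Id"))
    # Fail closed: without an SSID the check-list cannot be satisfied.
    if ssid is None:
        return "Access-Reject", {}, "no SSID in Called-Station-Id"
    # The check-list item: valid credentials are not enough, the SSID the
    # client associated to must be one this user is allowed on.
    if ssid not in user["allowed_ssids"]:
        return "Access-Reject", {}, f"user not permitted on SSID {ssid}"

    # The VLAN is only returned once the SSID check has passed.
    return "Access-Accept", {"Tunnel-Private-Group-ID": user["vlan"]}, "ok"


if __name__ == "__main__":
    # Constructed request: CORP2 credentials presented on SSID CORP1.
    print(authorize({"User-Name": "Corp2", "User-Password": "abcd123",
                     "Called-Station-Id": "00-11-22-33-44-55:CORP1"}))
```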
#4
Posted 13 November 2009 - 07:16 AM
#5
Posted 13 November 2009 - 01:42 PM
Do you have the WLANs mapped to their respective VLANs?
Yes, each SSID is mapped to its respective VLAN.
#6
Posted 13 November 2009 - 02:39 PM
Good luck!!!