Wireless isolation for BYOD environment -- not working as expected.

  • 1
  • Question
  • Updated 3 years ago
Wireless isolation doesn't isolate my clients from each other? (BYOD students). How can I achieve this? They can still ping each other and do network scans. Current config is local isolation as full isolation removes L3 ACLs. Thanks!
Photo of Anthony Urrutia

Anthony Urrutia

  • 4 Posts
  • 0 Reply Likes

Posted 4 years ago

  • 1
Photo of Bittu

Bittu, Employee

  • 43 Posts
  • 13 Reply Likes
Hello Anthony,

With reference to your post, enabling Full Client Isolation is the feature that needs to be enabled to have all the clients isolated from each other. When Full Client Isolation is enabled , the Restricted Subnet ACL gets applied to the WLAN by default (this is how it is designed), this is reason for the L3 ACL being disabled since the Restricted Subnet list is also a L3 ACL (cannot have multiple L3 ACL's associated with a single WLAN).
Once full client isolation is enabled on a WLAN the clients are not allowed to access any of the internal devices/servers. If you would like to allow access to specific devices or servers on your internal network, you need to add the URL or IP address with a /32 subnet, this means that all host bits need to match to have access, hence allowing access only to authorized devices on the internal side of the network.

Please let me know if you need more information regarding this. All the best.
Photo of Anthony Urrutia

Anthony Urrutia

  • 4 Posts
  • 0 Reply Likes
Hi there thanks for the super quick reponse.

I understand the idea now of what your suggesting. However when i enabled full isolation i now find that I can actually access internal resources even though they ARE in the default denied subnets.In addition when im testing network scans (with fing.app) everything appears. So effectivley the isolation is not isolating anything! I however question it might b my network setup - as below:

Ipad --- AP (Student WLAN/Full isolation) -- EdgeSwitch (VLAN appropriatley) --- CoreSwitch -- ZD3000 (connected to core)
|
-- Services (https/s that should be blocked but arnt, all live on 192.168.0.0/16)

Sorry for my awesome diagram. Hopefully this will help.
Cheers!
Anthony
Photo of Anthony Urrutia

Anthony Urrutia

  • 4 Posts
  • 0 Reply Likes
Sorry i should add this update:

Isolation works for ICMP and all other protocols higher then ARP. Fing apparently uses ARP to do a local network scan and this is what is reporting on the current network segment of the students. The services in the denied subnets are indeed blocked when i use a laptop to test however IPad STILL Access some services. Same subnet as the laptop, same auth, same everything. Might be cache in the IPad (ive seen this happen before)

So isolation is working in regards to stopping sharing of services and ICMP however its still allowing ARP'ing to local subnet. Is this by design or a function of the isolation?

Many thanks.
Photo of Bittu

Bittu, Employee

  • 43 Posts
  • 13 Reply Likes
Hello Anthony,

Yes, ARPing usually does work when client isolation is enabled but all other access is blocked (http/https) unless allowed. In the IPad's once you clear the cache memory, are the devices still able to access the blocked subnet range?
If the devices are still accessible I suggest you open a ticket with support and we can help you further on troubleshooting this issue.

All the best
Photo of MLG

MLG

  • 73 Posts
  • 23 Reply Likes
I'm having a similar problem. I'm trying to isolate guest users on the guest WLAN and SSID and I see three options: 1 no isolation 2 isolate users on connected AP and 3 isolate users from white list. In documentation I see "local" and "full isolation", so I'm having trouble properly applying full network isolation for guest users.