04-10-2012 04:14 AM
Here is my situation:
1- I have multiple brand new RAP 5WN in a branch office
2- This branch office is connected to our main site through a WAN connection (MPLS)
3- Guest users in this branch office use a separate DSL line to surf the internet. This DSL line is physically separated from the branch's local LAN
What I want to accomplish is to create two SSIDs: one used to reach corporate resources in our main office through the MPLS cloud, and the other for guest internet access through the separate DSL line.
The problem I am facing now is that the RAP 5WN has only one routed port (port0) and the other 4 ports are switched ports. So I could only connect port 0 to our MPLS router and get the corporate SSID working fine. But I can't connect the ADSL router to one of the other 4 ports as they are layer two ports.
Any ideas to get this working and maintain the separation between the DSL and corporate network?
04-10-2012 09:06 AM - edited 04-10-2012 09:06 AM
You can try this if you like.
1. Create an L2 VLAN on your controller, say vlan 888. No VLAN interface needed
2. Create a wired AP profile and assign it to vlan 888, bridge mode, access
3. Create a AAA profile and make the initial role to be "authenticated"
4. Create a wired port profile and assign your new wired AP profile and AAA profile to it
5. Assign one of the ports in the RAP-5's AP group to your new wired port profile, connect the LAN port of your DSL modem to that port
6. Create a guest SSID and a AAA profile with initial role "authenticated" (this assumes a PSK SSID)
7. Create a VAP, bridge mode, VLAN 888, assign your new guest SSID and wireless AAA profile
8. Assign the VAP to your RAP's AP group
9. Make sure your DSL modem is acting as a DHCP server
Save the config, give it a whirl. You can try to tweak the initial role if you like to lock things down a bit, but I just used "authenticated" in my lab for test purposes.
04-10-2012 09:56 AM - edited 04-10-2012 10:00 AM
You're asking quite a bit of a RAP. Really, this needs a small controller in those offices.
You can do some of what you want I suspect, but not all.
A RAP can't route (although it can src-nat/route which is different).
With that in mind, you could define the VAPs as bridged, and connect the RAP to your branch switch on an 802.1q trunk/tagged port (or set up another port on the RAP for the different VLAN access mode). Then set up a VLAN for guest ingress (and put the DSL router in that VLAN via the access port you picked or off the network on that VLAN). Create another for trusted or just make it "native"/untagged. Then set up the bridged VAPs to ingress the appropriate VLANs. This should work, but...
Captive portal for guests for instance is most likely out of the question as you'd have to be tunnelling, or split-tunneling (which would mean the RAP would src-nat-route out of the primary IP network it was attached to).
04-12-2012 05:56 AM
Thanks All, I did what Mike said exactly and it worked just fine, but I have one more question regarding the wireless operational mode. I want my guest SSID to be functional even if the RAP lost communication with the main office controller. I tried to change the wireless operational mode of my AP to always or persist with no success. I also tried to configure the guest SSID with a PSK and as an open system but also without any success. Any help?
Also I want to ask about one thing for my info, is it possible to use a captive portal for guest SSID in my situation or not?
04-12-2012 07:36 AM - edited 04-12-2012 07:36 AM
Ismail - When you say you had no luck when you changed the VAP operational mode to persistent or always, do you mean AOS wouldn't let you change it to that or it just didn't function as you expected?
Captive portal in this kind of setup would be very complex if even possible.
04-12-2012 08:40 AM
What I mean is when I change the VAP operational mode to Always or persistent and my RAP loses communication to the mobility controller in the main office, I am not even able to ping my DSL router although I am already connected to the Guest SSID. However, the persistent mode works just fine for my corporate SSID.