Occasional Contributor I
Posts: 8
Registered: ‎03-16-2013

Assigning Select VLANs on Same SSID

Hi,

 

Could anyone please suggest how I can assign select VLANs on the same SSID by using a WLAN controller?

Scenario: Say there are a total of 3 departments having separate VLANs, e.g. VLAN20 for the Finance department, VLAN30 for the IT department, VLAN40 for the Sales department.

I want to create and keep the same single SSID (say "HeadOffice") for all three departments. The requirement is that whenever users from the Finance and Sales departments try to establish a connection (via "HeadOffice"), they always get connected to their respective VLANs only and not to VLAN30, which is the IT department.

 

Please guide me through the process if there is any possibility of accomplishing this task.

 

Thanks.

Guru Elite
Posts: 8,765
Registered: ‎09-08-2010

Re: Assigning Select VLANs on Same SSID

What RADIUS server are you using?

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor I
Posts: 8
Registered: ‎03-16-2013

Re: Assigning Select VLANs on Same SSID

Pre-Shared key based authentication is being used.

Guru Elite
Posts: 8,765
Registered: ‎09-08-2010

Re: Assigning Select VLANs on Same SSID

You need to be using 802.1X to properly identify users.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor I
Posts: 8
Registered: ‎03-16-2013

Re: Assigning Select VLANs on Same SSID

We are willing to implement 802.1x if this can help achieve the goal.

 

I'd appreciate it if you could guide me through.

Guru Elite
Posts: 21,517
Registered: ‎03-29-2007

Re: Assigning Select VLANs on Same SSID

There are two parts to this issue:

 

(1) Possibly deploying 802.1x

(2) Does every department need their own subnet?

 

With regard to #1, 802.1x is complicated, but not impossible. It should be done separately from #2, because it requires the configuration of a RADIUS server, a certificate authority and clients, which should be piloted before going into production. If you have a domain, detailed information on how to deploy RADIUS on an NPS server is here: http://community.arubanetworks.com/t5/ArubaOS-and-Controllers/Step-by-Step-How-to-Configure-Microsoft-NPS-2008-Radius-Server/m-p/14392/highlight/true#M6113

With regard to #2, a lot of people think that they need to deploy differing users into their own subnets, but an IP address is just a way to get traffic to and from users, and adding a subnet for each floor or each department creates management overhead (more subnets), but does not really do anything, security-wise. Realistically, you need to deploy #1, to be able to differentiate users (typically by AD groups), before you consider #2, since there is no way to even differentiate users securely unless you use 802.1x.

 

 



Colin Joseph
Aruba Customer Engineering
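
How a RADIUS server can hand back a per-user VLAN once 802.1X is in place, as an added example that is not part of the original thread and not Aruba or NPS code: it maps directory groups to the VLANs from the question and encodes the standard RFC 3580 tunnel attributes carried in an Access-Accept. The group names and function names are assumptions made for illustration.

```python
import struct

# RADIUS attribute types and values (RFC 2868 / RFC 3580)
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
VLAN = 13        # Tunnel-Type value "VLAN"
IEEE_802 = 6     # Tunnel-Medium-Type value "IEEE-802"

# Hypothetical directory group names; the VLAN IDs are the ones in the question.
GROUP_TO_VLAN = {"Finance-Users": 20, "IT-Users": 30, "Sales-Users": 40}


def select_vlan(groups):
    """Return the user's VLAN, or None (fail closed) unless exactly one VLAN applies."""
    vlans = {GROUP_TO_VLAN[g] for g in groups if g in GROUP_TO_VLAN}
    return vlans.pop() if len(vlans) == 1 else None


def _tagged_int(attr_type, value, tag=0):
    # Type, Length=6, Tag, then a 3-byte big-endian value
    return struct.pack("!BBB", attr_type, 6, tag) + value.to_bytes(3, "big")


def vlan_attributes(vlan_id):
    """Encode the three attributes that carry a VLAN assignment in an Access-Accept."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID out of range")
    vid = str(vlan_id).encode("ascii")
    # Untagged form: the string starts right after Length (first byte is > 0x1F)
    group_id = struct.pack("!BB", TUNNEL_PRIVATE_GROUP_ID, 2 + len(vid)) + vid
    return (_tagged_int(TUNNEL_TYPE, VLAN)
            + _tagged_int(TUNNEL_MEDIUM_TYPE, IEEE_802)
            + group_id)


def authorize(groups):
    """Return ("Access-Accept", attribute bytes) or ("Access-Reject", b"")."""
    vlan = select_vlan(groups)
    if vlan is None:
        return ("Access-Reject", b"")
    return ("Access-Accept", vlan_attributes(vlan))
```

A user in no mapped group, or in groups that map to different VLANs, is rejected rather than placed in a default VLAN.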
