New Contributor

Dynamic VLAN assignment for Apartment Building w/o RADIUS

I deployed Aruba IAP-215s in a 16-unit apartment building to provide internet for all tenants. I would like each apartment unit to be isolated into its own VLAN without creating 16 separate SSIDs.

 

Is it possible to do this without using 802.11X? My thought was to use guest accounts in the internal server and a captive portal that would assign VLANs based on Dynamic VLAN assignment rules. Setting this up, I now believe that Dynamic VLAN assignments are only supported with RADIUS return tags.

 

I need separate VLANs because many tenants have devices they need to control such as SONOS, XBox, AppleTV, etc. This also brings up the fact I will need to manually enter MAC addresses for devices that cannot display a captive portal.

 

Thanks for any help!

 

 

Aruba Employee

Re: Dynamic VLAN assignment for Apartment Building w/o RADIUS

You should be able to make this happen using zones, take a look at this post 

https://community.arubanetworks.com/t5/Controller-less-WLANs/How-to-broadcast-ESSID-specific-to-Single-IAP-in-a-cluster/ta-p/192969

Cheers!
Marcus Wehmeyer
New Contributor

Re: Dynamic VLAN assignment for Apartment Building w/o RADIUS

Thanks wifimarcus. I read the link and have a question. Are you implying that I can use zones to limit the number of SSIDs per AP and thus can accommodate 16 total WLANs? And if so, then I'm assuming that dynamic VLAN assignments are just not possible without 802.11X. Yes
Guru Elite

Re: Dynamic VLAN assignment for Apartment Building w/o RADIUS

So I think it is a combination of what you are trying to accomplish and what wifimarcus said.  You will have to broadcast an SSID for every apartment, tied to that specific VLAN.  Like wifimarcus said, you can use zones to have the access points only broadcast specific SSIDs (one per access point, maybe?) so that you do not have too many SSIDs on an access point.  More information about zones is here:  http://www.arubanetworks.com/techdocs/Instant_423_WebHelp/InstantWebHelp.htm#UG_files/CustomizeIAPParams/Conf_zone_settings.htm?Highlight=zones

 

There is no real way to do a PSK network and have all users attach and be placed into different VLANs, without managing all of the individual devices those users attach with constantly.  Having different SSIDs, broadcast on a limited number of access points, is the best way.

 

If you had ClearPass, there would be the ability for users to register their own individual devices and those devices would be placed into the VLANs that correspond to those users when they connect.



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Aruba Employee

Re: Dynamic VLAN assignment for Apartment Building w/o RADIUS

If you want something like this:

 

Building A - 15 APs - VLAN 1

Building B - 12 APs - VLAN 2

Building C - 13 APs - VLAN 3

 

Then you can accomplish this with zones. Each building is assigned a zone, and each AP in that building is configured for that specific zone. 

 

If you are trying to do something like this:

 

Building A - 15 APs - 4 users on VLAN 1, 3 on VLAN 2, 10 on VLAN 3

 

Then you will need to either know the MAC of all these devices ahead of time and manage that, or you can deploy ClearPass as Colin mentioned.

Cheers!
Marcus Wehmeyer
New Contributor

Re: Dynamic VLAN assignment for Apartment Building w/o RADIUS

Just to follow up on this discussion. The Apartment only has 2 APs so having 8 SSIDs per AP was going to be a bit high. I pushed for more APs but the owner didn't want to invest more money. Instead, I did the following...

 

Created a new SSID using WPA-Enterprise authenticating against the internal DB. I created 16 accounts, one for each room (101, 102, 103, 201, 202, etc.). Then set up Dynamic VLAN rules for each user account that would place it into the corresponding VLAN (user 101 goes into VLAN 101, user 102 into VLAN 102, etc.). Devices that do not support 802.1X need to email their MAC address to the onsite manager, who enters it into the internal database and then creates a dynamic rule placing the device into the correct VLAN for that tenant. MAC authenticated devices use a separate SSID that is protected with WPA2.

 

This solution is not ideal but the best I could do considering we only had 2 APs. I explained the tradeoffs to the owner, who was reluctant to invest more money in APs and additional ethernet drops.
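The MAC registration step in the post above is the part most likely to go wrong by hand. As an added example (not part of the original post, and not Aruba tooling), this Python sketch checks tenant-submitted MAC addresses before they are entered into the internal database; the unit list, sample addresses and function names are constructed for illustration, and the VLAN ID is assumed equal to the unit number as the post describes.

```python
import re

UNITS = {101, 102, 103, 201, 202}   # constructed subset of the 16 rooms
_HEX12 = re.compile(r"^[0-9a-f]{12}$")

def normalize_mac(raw):
    """Accept aa:bb.., aa-bb.., aabb.ccdd.eeff; return aa:bb:cc:dd:ee:ff."""
    digits = re.sub(r"[\s:.\-]", "", raw.strip().lower())
    if not _HEX12.match(digits):
        raise ValueError("not a MAC address")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def build_registry(submissions):
    """submissions: (unit, raw_mac) pairs. Returns ({mac: vlan}, problems)."""
    registry, problems = {}, []
    for unit, raw in submissions:
        if unit not in UNITS:
            problems.append((unit, raw, "unknown unit"))
            continue
        try:
            mac = normalize_mac(raw)
        except ValueError as exc:
            problems.append((unit, raw, str(exc)))
            continue
        first_octet = int(mac[:2], 16)
        if first_octet & 0x01:
            problems.append((unit, raw, "multicast address, not a device"))
        elif first_octet & 0x02:
            # Locally administered bit: typical of per-network randomized
            # MACs, which may change and silently fall out of the VLAN rule.
            problems.append((unit, raw, "randomized/locally administered"))
        elif registry.get(mac, unit) != unit:
            # Same address claimed for two units: refuse rather than move
            # a device into another tenant's VLAN on an emailed request.
            problems.append((unit, raw, f"already in VLAN {registry[mac]}"))
        else:
            registry[mac] = unit    # VLAN ID == unit number, per the post
    return registry, problems

# Constructed sample submissions
SAMPLE = [
    (101, "00:0E:58:AA:BB:01"),
    (102, "000e.58aa.bb01"),        # same device, different notation
    (201, "7C-D1-C3-00-00-02"),
    (202, "DA:A1:19:00:00:01"),     # locally administered bit set
    (103, "not-a-mac"),
    (999, "00:11:22:33:44:55"),
]

if __name__ == "__main__":
    reg, probs = build_registry(SAMPLE)
    print(reg)
    for p in probs:
        print("REJECT", p)
```
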

 

 

Occasional Contributor II

Re: Dynamic VLAN assignment for Apartment Building w/o RADIUS

Hello cjoseph,

You mention that there's a possibility to do that with ClearPass. Do you have any guide to perform such an action? That's precisely what we at our business are trying to do. We have a CheckPoint firewall and an HP switch connected to it that provides access to an Aruba 7005 controller, and on the other side, ClearPass residing on a VM, but we are stuck in the VLAN creation/management process. We don't know if the configuration goes on the switch / firewall / Aruba controller, or on all of the devices. I hope I made myself clear with my explanation.

Thank you in advance

Guru Elite

Re: Dynamic VLAN assignment for Apartment Building w/o RADIUS

But what are you trying to do?



Colin Joseph
Aruba Customer Engineering
