Wireless Access


Dynamic VLAN assignment for Apartment Building w/o RADIUS

  • 1.  Dynamic VLAN assignment for Apartment Building w/o RADIUS

    Posted Oct 28, 2016 12:30 PM

    I deployed Aruba IAP-215s in a 16-unit apartment building to provide internet for all tenants. I would like each apartment unit to be isolated into their own VLAN without creating 16 separate SSIDs.

     

    Is it possible to do this without using 802.11X? My thought was to use guest accounts in internal server and captive portal that would assign VLANs based on Dynamic VLAN assignment rules. Setting this up, I now believe that Dynamic VLAN assignments are only supported with RADIUS return tags.

     

    I need separate VLANs because many tenants have devices they need to control such as SONOS, XBox, AppleTV, etc. This also brings up the fact I will need to manually enter MAC addresses for devices that cannot display a captive portal.

     

    Thanks for any help!

     

     



  • 2.  RE: Dynamic VLAN assignment for Apartment Building w/o RADIUS

    EMPLOYEE
    Posted Oct 28, 2016 01:29 PM


  • 3.  RE: Dynamic VLAN assignment for Apartment Building w/o RADIUS

    Posted Oct 29, 2016 06:09 PM
    Thanks wifimarcus. I read the link and have a question. Are you implying that I can use zones to limit the number of SSIDs per AP and thus can accommodate 16 total WLANs? And if so, then I'm assuming that dynamic VLAN assignments are just not possible without 802.11X. Yes


  • 4.  RE: Dynamic VLAN assignment for Apartment Building w/o RADIUS

    EMPLOYEE
    Posted Oct 30, 2016 10:30 AM

    So I think it is a combination of what you are trying to accomplish and what wifimarcus said.  You will have to broadcast an SSID for every apartment, tied to that specific VLAN.  Like wifimarcus said, you can use zones to have the access points only broadcast specific SSIDs (one per access point, maybe?) so that you do not have too many SSIDs on an access point.  More information about zones is here:  http://www.arubanetworks.com/techdocs/Instant_423_WebHelp/InstantWebHelp.htm#UG_files/CustomizeIAPParams/Conf_zone_settings.htm?Highlight=zones

     

    There is no real way to do a PSK network and have all users attach and be placed into different VLANs, without managing all of the individual devices those users attach with constantly.  Having different SSIDs, broadcast on a limited number of access points, is the best way.

     

    If you had ClearPass, there would be the ability for users to register their own individual devices and those devices would be placed into the VLANs that correspond to those users when they connect.



  • 5.  RE: Dynamic VLAN assignment for Apartment Building w/o RADIUS

    Posted Jan 02, 2017 04:15 PM

    Just to follow up on this discussion. The Apartment only has 2 APs so having 8 SSIDs per AP was going to be a bit high. I pushed for more APs but the owner didn't want to invest more money. Instead, I did the following...

     

    Created a new SSID using WPA-Enterprise authenticating against the internal DB. I created 16 accounts, one for each room (101, 102, 103, 201, 202, etc). Then set up Dynamic VLAN rules for each user account that would place it into the corresponding VLAN (user 101 goes into VLAN 101, user 102 into VLAN 102, etc). Devices that do not support 802.1X need to email their MAC address to the onsite manager, who enters it into the internal database and then creates a dynamic rule placing the device into the correct VLAN for that tenant. MAC authenticated devices use a separate SSID that is protected with WPA2.

     

    This solution is not ideal but the best I could do considering we only had 2 APs. I explained the tradeoffs to the owner who was reluctant to invest more money in APs and additional ethernet drops.
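
A pre-check for the MAC registration step described in the post above, added here as an example and not part of the original post or of any Aruba tooling: it normalizes the addresses tenants email in, maps each one to the VLAN matching its unit, and rejects entries that would misplace a device or stop matching later. The unit layout, function names and sample addresses are assumptions constructed for illustration.

```python
import re

# Constructed stand-in for the 16 accounts; as in the post, the unit number
# is also the VLAN ID (user 101 -> VLAN 101).
UNITS = {f * 100 + n for f in range(1, 5) for n in range(1, 5)}

def normalize_mac(raw):
    """Return aa:bb:cc:dd:ee:ff for colon, hyphen, dotted or bare-hex input."""
    digits = re.sub(r"[.:\-\s]", "", raw).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def build_mac_rules(requests, units=UNITS):
    """Turn (unit, mac) requests into {mac: vlan} plus a list of rejections."""
    rules, rejected = {}, []
    for unit, raw in requests:
        if unit not in units:
            rejected.append((unit, raw, "unknown unit"))
            continue
        try:
            mac = normalize_mac(raw)
        except ValueError:
            rejected.append((unit, raw, "malformed MAC"))
            continue
        first_octet = int(mac[:2], 16)
        if first_octet & 0x01:
            rejected.append((unit, raw, "multicast address, not a device MAC"))
        elif first_octet & 0x02:
            # Locally administered bit: such addresses may change per network.
            rejected.append((unit, raw, "locally administered (randomized?) MAC"))
        elif rules.get(mac, unit) != unit:
            rejected.append((unit, raw, f"already registered to unit {rules[mac]}"))
        else:
            rules[mac] = unit  # VLAN ID == unit number
    return rules, rejected

# Constructed sample of requests as the onsite manager might receive them.
SAMPLE = [
    (101, "00:00:5E:00:53:01"),
    (101, "0000.5e00.5301"),      # same device, different notation
    (202, "00-00-5e-00-53-01"),   # same MAC claimed by another unit
    (203, "DA:A1:19:00:00:01"),   # locally administered
    (305, "00:00:5E:00:53:02"),   # unit 305 does not exist in this layout
    (404, "00:00:5E:00:53"),      # too short
]

if __name__ == "__main__":
    print(build_mac_rules(SAMPLE))
```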

     

     



  • 6.  RE: Dynamic VLAN assignment for Apartment Building w/o RADIUS

    Posted Jan 25, 2017 05:10 PM

    Hello cjoseph,

    You mention that there's a possibility to do that with ClearPass. Do you have any guide to perform such action? That's precisely what we at our business are trying to do. We have a CheckPoint firewall, HP switch connected to it that provides access to an Aruba controller 7005 and on the other side, ClearPass residing on a VM, but we are stuck in the VLAN creation/management process. Don't know if the configuration goes on the switch / firewall / Aruba controller, or all of the devices. I hope I made myself clear with my explanation.

    Thank you in advance



  • 7.  RE: Dynamic VLAN assignment for Apartment Building w/o RADIUS

    EMPLOYEE
    Posted Jan 25, 2017 05:12 PM

    But what are you trying to do?



  • 8.  RE: Dynamic VLAN assignment for Apartment Building w/o RADIUS
    Best Answer

    EMPLOYEE
    Posted Oct 30, 2016 03:27 PM

    If you want something like this:

     

    Building A - 15 APs - VLAN 1

    Building B - 12 APs - VLAN 2

    Building C - 13 APs - VLAN 3

     

    Then you can accomplish this with zones. Each building is assigned a zone, and each AP in that building is configured for that specific zone. 

     

    If you are trying to do something like this:

     

    Building A - 15 APs - 4 users on VLAN 1, 3 on VLAN 2, 10 on VLAN 3

     

    Then you will need to either know the MAC of all these devices ahead of time and manage that, or you can deploy ClearPass as Colin mentioned.