Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Internal Database For Multiple SSID's

  • 1.  Internal Database For Multiple SSID's

    Posted Mar 09, 2014 11:51 AM

    All, I found a few similar threads on this topic, but none of them completely addressed the core question. I apologize in advance for the repost.

    We are using a single 3600 controller with 5 different SSIDs. Two of those SSIDs are using Captive Portal and the internal database for authentication. The others are all WPA-PSK. Let's just call the two SSIDs in question "Employee" & "Guest". Currently, guests and employees are able to log in to either CP because they are using the same Internal Database.

    Can this be prevented? I realize we could combine the two SSIDs into one & use roles, BUT we need to have each SSID on a separate VLAN.


    #3600


  • 2.  RE: Internal Database For Multiple SSID's
    Best Answer

    EMPLOYEE
    Posted Mar 09, 2014 11:55 AM

    If the issue is what VLAN they are put in, or what access they have, you can specify the 'role' per the user account (employee gets the 'employee role' and guest gets the 'guest role') and, in the role, specify the VLAN they are put in. The internal DB user account specifying the role will override the role set by the VAP's AAA profile, and the VLAN in the role will override the VLAN specified in the VAP.

    But there's not a way to do two separate internal databases. For that you would want to look at ClearPass.



  • 3.  RE: Internal Database For Multiple SSID's

    Posted Mar 09, 2014 12:02 PM

    jhoward, thank you for the quick response! That is what I expected, so here is part two to my question. I have heard through this forum that when using CP, many devices do not play well with changing their IP addresses once authenticated. In other words, they get an initial IP when accessing CP, then once authenticated & assigned a role, they are dropped into a "new" VLAN. Many times clients do not like to re-DHCP and therefore stay in the same VLAN. Can you confirm? Anyone experienced this?



  • 4.  RE: Internal Database For Multiple SSID's

    EMPLOYEE
    Posted Mar 09, 2014 12:05 PM

    That is indeed a risk and sometimes/oftentimes a problem. If you know the MAC addresses of the devices, you may have other options, but likely not. ClearPass would be a much better alternative to solve this issue as the controller by itself is fairly limited.



  • 5.  RE: Internal Database For Multiple SSID's

    Posted Mar 09, 2014 12:20 PM

    Cool. Thanks again. I think that ClearPass is going to have to be something we look at in the near future.