Wireless Access

Hi all,

I have just deployed two SSIDs on a 7210 Mobility Controller at a client site. Lets call the SSIDs 'Guest' and 'Corp'.

The client uses a completely flat /16 network so I have used the Single VLAN design and used ClearPass to pass seperate user roles/firewall polices back to the Controller for network segregation.

The problem is that the client uses an upstream proxy server to authenticate users. We wish to bypass authentication on the Proxy for 'Guest' users, but can't do this by source IP address range due to the single large subnet.

The only other way I can think of doing this, would be to NAT all guest users behind a single IP address on the Controller and use this IP address in the bypass authentication rules, however they reside behind the same interface as the corp users so I'm not sure how to achieve this.

Is it possible to nat users based on the SSID they connect to?

If not, are there any alternative solutions to bypass proxy auth for guest users as part of a single VLAN design?

-Brett

You could:

- Do an "ip nat inside" for the guest VLAN on the controller

- On your proxy, allow all traffic from the controller's ip address to go to the internet without logging in.

You will have to:

- Create a non-routable guest VLAN on the controller and set and ip address for the controller on that VLAN.

- Create a DHCP server on the controller to give out ip addresses on that VLAN.

- Configure "ip nat inside" on that VLAN interface on the controller.

Hi Colin,

Thanks for the super quick reply.

Do I need an "ip nat outside" command on another interface somewhere?

-Brett

Nope.  Just an ip nat inside on the ip interface of the private vlan you create for guests within the controller.

Hi Colin,

Thanks for your help. It works a treat!

-Brett