Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Reducing the number of SSIDs

  • 1.  Reducing the number of SSIDs

    Posted Feb 09, 2012 02:04 PM

    We have one large deployment wherein we have 2000 APs. In the process of LLD discussion, the customer was proposing going with 6 SSIDs, but we were suggesting to reduce it to 3 for gaining performance, depending on authentication and encryption parameters as below.

    UtilDev-WPA2-PSK
    MedDev-WPA2-PSK
    Voip-WPA2-PSK
    Employee-802.1x
    Contractor-802.1x
    Guest-Captive Portal

    In this case, how do we define the policies for UtilDev, MedDev, Voip? In what way can we separate them and assign different roles?



  • 2.  RE: Reducing the number of SSIDs

    EMPLOYEE
    Posted Feb 09, 2012 02:31 PM

    First, you need to create a role for the devices you want to allow, then attach it to a vlan.  Also attach a firewall policy to that role, as well.

    Next, create a user-derivation rule that looks for the first 3 bytes of the MAC address of the type of device you want to allow on, to change it to that new role you have.

    Last, attach that user derivation rule to your AAA profile for that existing virtual ap:


    So if you wanted heart monitors that began with mac address 00:0b:87 to be placed in VLAN 100:


    config t
    user-role heart-monitor   (create the role for our heart monitors)
    vlan 100  (assign the role to a vlan)
    access-list session allowall  (put in the allow all firewall policy for now)
    exit  (exit user role configuration)
    aaa derivation-rules user heart-monitor-rule  (Create the user derivation rule)
    set role condition macaddr starts-with 00:0b:87 set-value heart-monitor  (if the MAC address of the device that attaches starts with 00:0b:87, change the role to heart-monitor. This will change the VLAN as well to 100)
    exit
    aaa profile wlan_prof  (Assign our rule to the AAA profile of that Virtual AP)
    user-derivation-rules heart-monitor-rule
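
Added example, not part of the original post: a small Python model of `starts-with` MAC derivation rules that checks a device inventory against a planned rule set before it is configured on the controller. It assumes rules are evaluated top-down with the first match winning; only the 00:0b:87 / heart-monitor rule comes from the thread, and the other prefixes, role names and MAC addresses are constructed.

```python
DEFAULT_ROLE = "initial-role"  # hypothetical name for the AAA profile's initial role

# (prefix, role) in configured order. Only the first entry is from the thread.
RULES = [
    ("00:0b:87", "heart-monitor"),
    ("00:11:22", "voip"),          # constructed
    ("00:11:22:33", "util-dev"),   # constructed; shadowed by the rule above
]

def normalize(mac):
    """Keep hex digits only so 00-0B-87, 00:0b:87 and 000b.87 compare equal."""
    return "".join(c for c in mac.lower() if c in "0123456789abcdef")

def derive_role(mac, rules=RULES):
    """Role a client would get: first matching prefix wins, else the default."""
    m = normalize(mac)
    if len(m) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    for prefix, role in rules:
        if m.startswith(normalize(prefix)):
            return role
    return DEFAULT_ROLE

def shadowed_rules(rules=RULES):
    """Rules that can never fire because an earlier prefix already covers them."""
    dead = []
    for i, (prefix, role) in enumerate(rules):
        if any(normalize(prefix).startswith(normalize(q)) for q, _ in rules[:i]):
            dead.append((prefix, role))
    return dead

def audit(inventory, rules=RULES):
    """(mac, expected, derived) for every device that lands in the wrong role."""
    return [(mac, want, derive_role(mac, rules))
            for mac, want in inventory if derive_role(mac, rules) != want]

# Constructed inventory: MAC address and the role the design expects for it.
INVENTORY = [
    ("00:0B:87:12:34:56", "heart-monitor"),
    ("00-11-22-aa-bb-cc", "voip"),
    ("0011.2233.4455", "util-dev"),     # caught by the shorter voip prefix
    ("02:aa:bb:00:00:01", "med-dev"),   # no rule matches, stays in default role
]

if __name__ == "__main__":
    for row in audit(INVENTORY):
        print("mismatch:", row)
    print("shadowed:", shadowed_rules())
```

Placing the longer prefix ahead of the shorter one clears the shadowed rule; the device with no matching prefix still needs its own rule or a role with a restrictive policy as the default.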