Occasional Contributor II
Posts: 51
Registered: ‎02-20-2012

Roaming users and AP groups...

We have multiple locations with roughly 10 APs in each. Originally, we created AP groups based on location and not necessarily on configuration. What I'd like to do is consolidate all the remote APs into 1 group and keep the LAN connected APs in another. I want users to be able to roam from the AP group that has RAPs to the other group with LAN connected APs without having to re-authenticate. Both groups will have the same VAPs and SSID profiles. The big difference between the 2 groups is the way the traffic is being tunneled; the RAPs will be split tunneled and the LAN connected ones will be tunneled.

Will users' devices see this as a separate network and will the devices want to create a separate profile simply based on how the traffic is handled? I just want the President to only have to authenticate once, whether he's in a location where the APs are local to the controller or in a RAP config.

Thanks.

Guru Elite
Posts: 21,016
Registered: ‎03-29-2007

Re: Roaming users and AP groups...

What authentication are you using?


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor II
Posts: 51
Registered: ‎02-20-2012

Re: Roaming users and AP groups...

We are using captive portal authentication with an LDAP backend along with WPA2-PSK.

Guru Elite
Posts: 21,016
Registered: ‎03-29-2007

Re: Roaming users and AP groups...

The only way to allow roaming between different locations with captive portal is to deploy a policy engine like ClearPass that does MAC caching. If your users did 802.1X, the supplicant would handle the authentication and the "roaming" would be seamless.


Colin Joseph
Aruba Customer Engineering


Occasional Contributor II
Posts: 51
Registered: ‎02-20-2012

Re: Roaming users and AP groups...

So given our current scenario, and since deploying NPS at this time isn't an option, what would be the best course of action?

I imagine if a user roams from one location to another and those 2 locations have APs that are in the same AP group, he/she will not have to re-authenticate?

Guru Elite
Posts: 21,016
Registered: ‎03-29-2007

Re: Roaming users and AP groups...

There is no timer long enough to cache a user's session between locations, no. You can do a user derivation rule that looks for the CEO's MAC address and puts him in an authenticated role so he would not have to authenticate.


Colin Joseph
Aruba Customer Engineering


Occasional Contributor II
Posts: 51
Registered: ‎02-20-2012

Re: Roaming users and AP groups...

Once employees enter the correct PSK and LDAP credentials, they are placed in the "authenticated" group.

Guru Elite
Posts: 21,016
Registered: ‎03-29-2007

Re: Roaming users and AP groups...

A user derivation rule runs when a user associates and before they authenticate.


Colin Joseph
Aruba Customer Engineering


Occasional Contributor II
Posts: 51
Registered: ‎02-20-2012

Re: Roaming users and AP groups...

Since all employees are placed in an employee VLAN, can I create a user derived rule that states:

set type: vlan
rule type: essid
essid contains: staff network
vlan: "staff vlan"

Guru Elite
Posts: 21,016
Registered: ‎03-29-2007

Re: Roaming users and AP groups...

You should switch the role, not the vlan...


Colin Joseph
Aruba Customer Engineering
