Wireless Access

last person joined: 7 hours ago 

Access network design for branch, remote, outdoor and campus locations with Aruba access points, and mobility controllers.
Expand all | Collapse all

Internal Database For Multiple SSID's

Jump to Best Answer
  • 1.  Internal Database For Multiple SSID's

    Posted Mar 09, 2014 11:51 AM

    All, I found a few similar threads on this topic, but none of them completely addressed the core question. I apologize in advance for the repost.

     

    We are using a single 3600 controller with 5 different SSID's. Two of those SSID's are using Captive Portal and the internal database for authentication. The others are all WPA-PSK. Let's just call the two SSID's in question "Employee" & "Guest" Currently, guests and employees are able to login to either CP because they are using the same Internal Database. 

     

    Can this be prevented? I realize we could combine the two SSID's into one & use roles, BUT we need to have each SSID on a seperate VLAN.


    #3600


  • 2.  RE: Internal Database For Multiple SSID's
    Best Answer

    Posted Mar 09, 2014 11:55 AM

    If the issue is what VLAN they are put in, or what access they have, you can specifiy the 'role' per the user account (employee gets the 'employee role' and guest gets the 'guest role' and in the role, specify the VLAN they are put it. The internal db user account specifying the role, will override the role set by the VAP's AAA profile, and the VLAN in the role will over-ride the VLAN specified in the VAP.

     

    But there's not a way to do two separate internal databases. For that you would want to look at ClearPass.



  • 3.  RE: Internal Database For Multiple SSID's

    Posted Mar 09, 2014 12:02 PM

    jhoward, thank you for the quick response! That is what I expected, so here is part two to my question. I have heard through this forum that when using CP, many devices do not play well with changing their IP addresses once authenticated. In other words, they get an initial IP when accessing CP, then once authenticated & assigned a role, they are dropped into a "new" VLAN. Many times clients do not like to re-DHCP and therefore stay in the same VLAN. Can you confirm? Anyone experienced this?



  • 4.  RE: Internal Database For Multiple SSID's

    Posted Mar 09, 2014 12:05 PM

    That is indeed a risk and sometimes/oftentimes a problem. If you know the macaddresses of the devices, you may have other options, but likely not. Clearpass would be a much better alternative to solve this issue as the controller by itself is fairly limited.



  • 5.  RE: Internal Database For Multiple SSID's

    Posted Mar 09, 2014 12:20 PM

    Cool. Thanks again. I think that Clearpass is going to have to be something we look at in the near future.