@pnobels wrote:
We're currently working on a project to introduce subnetting/VLANs (or network segmenting if you want) for end-user networks. I would like to pick other people's brains for implementation scenarios...
To put it in perspective, we currently use one VLAN for company employees (wired and wireless is the same network), and one VLAN for guests. We use ClearPass on the guest network for authentication. An employee currently has a Symantec certificate which is authenticated against a Windows Network Policy Server.
We would like to further segment the employee network. Let's assume we want to segment this according to the building you're in (works for wired networking, but for mobile users...). And/or depending on who you are. A manager, for example, would end up in VLAN A, an employee in building A ends up in VLAN B, an employee in building B in VLAN C, etc...
Of course, we do not want to go the way of creating multiple SSIDs :-)
802.1X might be an option here...
Is it possible to create a scenario where an employee uses ClearPass as a gateway for authentication, and is pushed into a specific VLAN depending on the role he/she gets? The NPS server does not have a means to target a specific VLAN. So the decision of which user needs to end up where needs to come from ClearPass? Which queries Active Directory for, e.g., group membership?
Anyone implemented such a setup and can provide some guidelines?
You definitely should have wired and wireless clients in different VLANs. That way you can enforce separate policies for both, if necessary. Also, wired users generate a lot of broadcast traffic that wireless users typically cannot tolerate if broadcast filtering is not used. If you ever had to turn off broadcast filtering for whatever reason, the wireless could become unusable if you have both wired and wireless users in the same LAN.
You are correct: you want as few SSIDs as possible. You would typically have an encrypted SSID for employees, one captive portal SSID for guests and optionally one SSID for devices that can only use preshared keys. Each SSID should only consume one VLAN at a campus. You could use pooling if you want more IP address space.
Creating different VLANs based on who they are unnecessarily complicates things and wastes IP address space. It also makes troubleshooting and expanding your network more difficult. You would typically have a single VLAN for employees on a campus if possible; that way, instead of using a whole /24 for a single building, that or a /23 can be shared between users in multiple buildings and more of the subnet would be utilized.
802.1X is the most flexible mechanism because the user obtains the IP address AFTER successful authentication. That means your user is not stuck in the same VLAN like with a captive portal. Like Michael_Clarke said, you can use ClearPass to return a different VLAN and Role when authentication is successful. To be clear, you can also do this with NPS, but it is more difficult...
Keep asking questions about your deployment and others on the forums here will give you real-world answers that will get you to where you need to go.
Happy Holidays...
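To make the "return a different VLAN and Role" step concrete: what the RADIUS server (ClearPass, NPS or any other) actually sends back in the Access-Accept is the standard RFC 2868 tunnel attributes that RFC 3580 defines for dynamic VLAN assignment (Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802, Tunnel-Private-Group-ID=<VLAN ID>), plus, on Aruba gear, the Aruba-User-Role vendor-specific attribute (vendor ID 14823, attribute 1). The example below is added here and is not code from the original thread or from any ClearPass/NPS product; it is a small Python model of both ends of that exchange. The AD group names, VLAN numbers and role names in the policy table are constructed assumptions, and the decision logic (first matching group wins, unknown users land in a fallback VLAN) is one reasonable policy, not the only one. The parser side shows the checks a switch or controller has to make before honouring the attributes: lengths must be sane, all three tunnel attributes must carry the same tag, and the group ID must be a valid VLAN number.

```python
import struct

# RFC 2868 tunnel attributes, used per RFC 3580 for dynamic VLAN assignment
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
VENDOR_SPECIFIC = 26
TUNNEL_TYPE_VLAN = 13          # Tunnel-Type value meaning "VLAN"
TUNNEL_MEDIUM_IEEE_802 = 6     # Tunnel-Medium-Type value meaning "IEEE-802"
ARUBA_VENDOR_ID = 14823        # Aruba's IANA enterprise number
ARUBA_USER_ROLE = 1            # Aruba-User-Role (string) in the Aruba dictionary

# Constructed policy table (assumed group DNs, VLAN IDs and role names).
# Order is precedence: a manager in building A still gets the manager VLAN.
POLICY = [
    ("CN=Managers,OU=Groups,DC=example,DC=com", 10, "manager"),
    ("CN=BuildingA-Staff,OU=Groups,DC=example,DC=com", 20, "employee-bldg-a"),
    ("CN=BuildingB-Staff,OU=Groups,DC=example,DC=com", 30, "employee-bldg-b"),
]
DEFAULT_VLAN, DEFAULT_ROLE = 99, "quarantine"   # fallback for unmatched users


def decide(ad_groups):
    """Map a user's AD group memberships to (vlan, role); first match wins."""
    for group_dn, vlan, role in POLICY:
        if group_dn in ad_groups:
            return vlan, role
    return DEFAULT_VLAN, DEFAULT_ROLE


def avp(attr_type, value):
    """Encode one RADIUS attribute: Type (1), Length (1, incl. header), Value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def tagged_int(attr_type, tag, number):
    """RFC 2868 tagged integer: one tag octet followed by a 3-octet value."""
    return avp(attr_type, bytes([tag]) + number.to_bytes(3, "big"))


def tagged_str(attr_type, tag, text):
    """RFC 2868 tagged string: one tag octet followed by the string."""
    return avp(attr_type, bytes([tag]) + text.encode())


def vsa(vendor_id, vendor_type, value):
    """RFC 2865 Vendor-Specific attribute wrapping one vendor sub-attribute."""
    inner = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    return avp(VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + inner)


def build_accept_attrs(vlan, role, tag=1):
    """The attribute bytes a RADIUS server puts in the Access-Accept."""
    return (tagged_int(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
            + tagged_int(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_IEEE_802)
            + tagged_str(TUNNEL_PRIVATE_GROUP_ID, tag, str(vlan))
            + vsa(ARUBA_VENDOR_ID, ARUBA_USER_ROLE, role.encode()))


def parse_attrs(data):
    """Decode AVPs the way the switch/controller must, rejecting bad lengths."""
    out, i = {}, 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")
        value = data[i + 2:i + length]
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            out[attr_type] = (value[0], int.from_bytes(value[1:], "big"))
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
            # RFC 2868 s3.6: a first octet above 0x1F is part of the string, not a tag
            if value[0] <= 0x1F:
                out[attr_type] = (value[0], value[1:].decode())
            else:
                out[attr_type] = (0, value.decode())
        elif attr_type == VENDOR_SPECIFIC:
            vendor_id = struct.unpack("!I", value[:4])[0]
            vendor_type, vendor_len = value[4], value[5]
            out[(vendor_id, vendor_type)] = value[6:4 + vendor_len]
        i += length
    return out


def vlan_from_accept(data):
    """What the NAS should apply: (vlan, role), or None if the attributes are unusable."""
    attrs = parse_attrs(data)
    t_type = attrs.get(TUNNEL_TYPE)
    t_medium = attrs.get(TUNNEL_MEDIUM_TYPE)
    group_id = attrs.get(TUNNEL_PRIVATE_GROUP_ID)
    if not (t_type and t_medium and group_id):
        return None
    if t_type[1] != TUNNEL_TYPE_VLAN or t_medium[1] != TUNNEL_MEDIUM_IEEE_802:
        return None
    if not (t_type[0] == t_medium[0] == group_id[0]):
        return None                      # attributes describe different tunnels
    if not group_id[1].isdigit() or not 1 <= int(group_id[1]) <= 4094:
        return None                      # not a valid VLAN ID
    role = attrs.get((ARUBA_VENDOR_ID, ARUBA_USER_ROLE))
    return int(group_id[1]), (role.decode() if role else None)


if __name__ == "__main__":
    # Constructed user: member of the building-A group only
    vlan, role = decide(["CN=BuildingA-Staff,OU=Groups,DC=example,DC=com"])
    wire = build_accept_attrs(vlan, role)
    print(wire.hex(), vlan_from_accept(wire))
```

The same three tunnel attributes are what NPS can be configured to send in a network policy, which is why the reply says it is possible there too; ClearPass simply makes the "AD group -> VLAN/role" mapping (the `decide` step above) easier to express as enforcement policy. When testing a real deployment, capture the Access-Accept and check that the tags on attributes 64, 65 and 81 agree; a mismatched tag is a common reason a switch silently ignores the VLAN and leaves the port in its default.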