Controllerless Networks

Occasional Contributor II

VLAN on Multiple SSIDs

Hopefully a quick question,


Would there be security implications if I were to have a Public Guest SSID that is assigned, say VLAN 10, then have our corporate SSID (AD machine auth with WPA2/EAP-TLS/PEAP) with that same VLAN (10) as the default but then assign the corporate VLANs to the coporate machines through ClearPass based on the Active Directory OU of the machine?  My thought is that if I setup my Enforcement profile in CPPM to look at the OU and assign a VLAN, but have the Public VLAN be the last entry incase the computer is in AD, but not in an OU that has a VLAN assigned, then it would assign the Public VLAN and public role on the AP to prevent access to the corporate network. I'm thinking it'd be the same as having our public VLAN traffic flow through the same physical network as our corporate network, which we already do. Any thoughts or best practice suggestions?


Thank you!!

Re: VLAN on Multiple SSIDs

An issue I can think of is that essentially the Public and and Corp devices may end up within the same VLAN? You could enable deny inter user traffic but the preferred option would be to have segregated VLAN's. Questions are also raised with DHCP and DNS, the Corp users on a Guest VLAN may need to access Corporate DNS/DHCP servers which maybe off limits? Is this a controller or controller-less solution?


If this is a physical controller you could have a direct connection from the WLAN controller to the firewall so the Guest VLAN exists only between the WLAN controller and the firewall.

If my post addresses your query, give kudos:)
Search Airheads
Showing results for 
Search instead for 
Did you mean: