Wireless Access

I work at a school district with five buildings with each being it's own vlan/subnet. One of our remote buildings is connected to our main campus via a 10mbit link. All of the AP's at our main campus forward traffic to the controller and it works fine since we have fast links. For the remote building, I want to keep the same SSID setup (district and guest) at the remote building but use bridge mode so the guests are assigned IP's from that buildings subnet instead of the wireless vlan that the main campus devices get.

1) Enabled Control Plane Security and auto cert provisioning for all addresses

2) Made a new AP group named after the remote building

3) Made a new VAP in the new ap group set forwarding mode to bridge and made sure VLAN was set to none.

The AP gets the information from the controller, reboots and I can see the SSID. When I connect, it never assigns an IP and I end up getting a 169.x.x.x address eventually. If I switch it to bridged mode, it works just like the rest and get an IP from the wireless vlan but that isn't what I want for this remote building. I'm sure it's something simple I am missing but I can't seem to figure it out.

Try making the VLAN 1.  That would match the default "Native VLAN-ID parameter" in the AP system profile of that ap-group.

Hi,

Here three tips:

• Bridge mode working -  with no VLAN number in the VAP itself.
• Check your AP system-profile for this/those rap units (in this specific rap AP-group)  - make sure that your session-acl is fitted with the right role.(for testing - try using: allowall)
• in the same  AP system-profile check if everything working fine if u adding V to Remote-AP Local Network access

dont forget to press apply + save config at the end.

Have a gr8 day.

BTW:

i didnt understand your post too much: :smileyhappy: (try to explain it agian - if further asstiance needed)

---

@kdisc98 wrote:

Hi,

 

Here three tips:

 

 

• Bridge mode working -  with no VLAN number in the VAP itself.
• Check your AP system-profile for this/those rap units (in this specific rap AP-group)  - make sure that your session-acl is fitted with the right role.(for testing - try using: allowall)
• in the same  AP system-profile check if everything working fine if u adding V to Remote-AP Local Network access

 

dont forget to press apply + save config at the end.

 

 

Have a gr8 day.

 

 

BTW:

i didnt understand your post too much: :smileyhappy: (try to explain it agian - if further asstiance needed)

 

 

 

---

We run two SSID's in our district. One is for district equipment and allows all traffic and the other is for BYOD and guest access to get online only. The main campus has a vlan for that assigns all wireless users an IP from the same subnet due to the AP's using tunnel mode back to the controller. There is a user role configured for the BYOD/guest ssid that throttles the bandwidth and only allows dhcp, dns, http and https so users can get get online. The district SSID role is open to all traffic.

At the remote building, I want to use the same SSID's but instead of getting an IP from the wireless vlan, I want it to basically act as a local access point and get an IP from the DHCP server in that building.

In the last line where I said "If I switch it to bridge mode" I meant to say to say tunnel instead of bridge. Tunnel mode works fine at the remote building but then all traffic will be traversing the slow link and I do not want that to happen.

Did that make better sense? Sorry for the confusion.

I will give the tips you provided a try and report back and let you know what happens.

Do I need to set these AP's as RAP's instead of CAP's? I thought I read where you can use bridge mode in CAP's as well. The 105 AP's in the remote building are still setup at CAP's.

You can leave them as CAPs.  Bridge mode works for both, but you don't need IPSec protecting the AP -> controller communication.

You should have VLAN 1 (or something) in the VLAN definition for the CAP AFAIK.

Ok well I seem to have it working now but I'm not sure exactly what the fix was. I tried a few of the suggested methods and it began working so I backtracked and disabled them to see which one it was. I'm pretty sure I've disabled each of the features I enabled to get it working but it is still working. Go figure.

I think I am going to setup a VAP for our private SSID in bridge mode and configure the guest/byod SSID and leave it in tunnel mode. That seems like it will be a bit more secure anyways. Since the remote building access the internet from our main campus and it is throttled it shouldn't have much if any noticeable impact on our WAN link.

Thanks for the help everybody.

:smileyhappy: Gr8 to hear.

A.Before u continue - can u please - copy&past screenshots from gui/cli of your ap-system-profile and your vap-profile / ssid-profile please?

B.Iam glad that it's working right now - BUT - u need to figure what solve it for the next time and also for this time.