Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Client IP address assignment

  • 1.  Client IP address assignment

    Posted May 30, 2017 07:30 AM

    Probably a simple answer, but hey, I can't find it!

    Scenario: 7200 Controller with APs configured in Tunnel Mode, SSID configured for 802.1x authentication.

    Multiple users will connect to the same SSID but be allocated server-derived roles on the controller based on authentication parameters.

    My question is: how are the clients' IP addresses assigned?

    Will users' devices in different roles be assigned IP addresses in different IP subnet ranges, or doesn't it matter, as I understand that the roles will be placed into VLANs that only exist on the controller side?

    Could a client allocated to Role A be allocated an IP address in the same subnet as a client assigned Role B?

    What is best practice?



  • 2.  RE: Client IP address assignment

    EMPLOYEE
    Posted May 30, 2017 07:51 AM

    The most important rule is not to assign VLANs to roles.  The functionality is being deprecated, if it is not already.

    To answer your question, the IP address is assigned based on the final VLAN assigned to the user.  VLANs are assigned based on precedence:  http://www.arubanetworks.com/techdocs/ArubaOS_65x_WebHelp/Web_Help_Index.htm#ArubaFrameStyles/Network_Parameters/About_VLAN_Assignments.htm



  • 3.  RE: Client IP address assignment

    Posted May 30, 2017 10:49 AM

    Hi Colin,

    Thanks for the quick reply.

    I appreciate that the controller firewall functionality limits where a user's traffic can reach (based on the role they are assigned to), but if no VLAN and subnet is assigned to a role (and hence to the user's traffic, outbound from the controller), how will other devices further down the line, such as other firewalls, be able to block or allow traffic?

    Would you allow all traffic on the other firewall coming from the controller, as this has been firewalled already?



  • 4.  RE: Client IP address assignment

    EMPLOYEE
    Posted May 30, 2017 11:58 AM

    The Virtual AP profile defines the default VLAN a user appears on.  If nothing changes the VLAN, that is the VLAN that the user gets.



  • 5.  RE: Client IP address assignment

    Posted May 30, 2017 12:36 PM

    Thanks, but this at the user end?

     

    I'm trying to work out if the traffic from a user with Role A (marked in red on attached sketch) would be in a separate VLAN/subnet to traffic from a user who has been allocated Role B.

    Cheers



  • 6.  RE: Client IP address assignment

    EMPLOYEE
    Posted May 30, 2017 12:41 PM

    I just reread your original post.

    Users can be in the same subnet, but have different roles.  Those different roles can have different firewall policies which can say what traffic they can initiate and where they can send it.  Theoretically you can have users in different departments who have different roles, are on the same subnet, but have access to different things.  Does this help?



  • 7.  RE: Client IP address assignment

    Posted May 30, 2017 01:41 PM

    Sort of, I've just modified my sketch.

    It's the section where the blue arrow is, between the controller and the external firewall.

     

    Will all traffic regardless of user Role be on the same subnet?

     

    I'm thinking about the ability of the external firewall to identify traffic and act upon it (of course the controller will be firewalling the traffic so in theory this external firewall could pass all traffic as the firewalling has been done by the controller?)



  • 8.  RE: Client IP address assignment
    Best Answer

    EMPLOYEE
    Posted May 30, 2017 02:19 PM

    If you are authenticating via 802.1x, you can return a RADIUS attribute so that different groups of users are on different VLANs.



  • 9.  RE: Client IP address assignment

    Posted May 31, 2017 03:54 AM

    Thanks Colin
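
The best answer's approach, returning a RADIUS attribute so that different groups land on different VLANs, is commonly done with the standard tunnel attributes of RFC 3580. The Python below is an added example, not part of the thread and not Aruba's code: it encodes those attributes for a group and parses them back; the group names and VLAN IDs are constructed assumptions.

```python
import struct

# RADIUS attribute numbers and values from RFC 2868 / RFC 3580.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TYPE_VLAN, MEDIUM_IEEE_802 = 13, 6

# Constructed policy: group names and VLAN IDs are assumptions for illustration.
GROUP_TO_VLAN = {"staff": 110, "contractors": 120}


def _tagged_int(attr_type, value, tag=0):
    """Type, Length=6, Tag, 3-byte big-endian value (RFC 2868 layout)."""
    return struct.pack("!BBB", attr_type, 6, tag) + value.to_bytes(3, "big")


def vlan_attrs(group):
    """Encode the three VLAN attributes; an unmapped group raises KeyError."""
    vlan = GROUP_TO_VLAN[group]  # fail closed: no silent default VLAN
    if not 1 <= vlan <= 4094:
        raise ValueError(f"VLAN {vlan} out of range")
    vid = str(vlan).encode("ascii")  # RFC 3580: VLAN ID sent as a decimal string
    return (_tagged_int(TUNNEL_TYPE, TYPE_VLAN)
            + _tagged_int(TUNNEL_MEDIUM_TYPE, MEDIUM_IEEE_802)
            + bytes([TUNNEL_PRIVATE_GROUP_ID, 2 + len(vid)]) + vid)


def parse_vlan(attrs):
    """Return the VLAN ID carried in encoded attributes, or None if incomplete."""
    seen, i = {}, 0
    while i < len(attrs):
        if i + 2 > len(attrs) or attrs[i + 1] < 3 or i + attrs[i + 1] > len(attrs):
            raise ValueError("malformed or truncated attribute")
        a_type, value = attrs[i], attrs[i + 2:i + attrs[i + 1]]
        if a_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if len(value) != 4:
                raise ValueError("tagged integer attribute must be 6 bytes")
            seen[a_type] = int.from_bytes(value[1:], "big")  # skip the tag byte
        elif a_type == TUNNEL_PRIVATE_GROUP_ID:
            if value[0] <= 0x1F:  # a first byte <= 0x1F is a tag, not ID text
                value = value[1:]
            seen[a_type] = int(value.decode("ascii"))
        i += attrs[i + 1]
    if (seen.get(TUNNEL_TYPE) != TYPE_VLAN
            or seen.get(TUNNEL_MEDIUM_TYPE) != MEDIUM_IEEE_802):
        return None  # without both, the group ID is not a VLAN assignment
    return seen.get(TUNNEL_PRIVATE_GROUP_ID)
```

With each group on its own VLAN and subnet, a firewall upstream of the controller can tell the groups apart by source subnet.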