Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Guest Access IP address depletion

  • 1.  Guest Access IP address depletion

    Posted Aug 25, 2016 06:09 PM

    Hello All

    I have a corporate customer who is moving to a new building, and below the building there is a university with 1000s of students. The customer is worried that with an open guest SSID, the IP addresses will be depleted fast as the students will try to access the guest SSID.

    I don't see any way of getting around this apart from increasing the scope of the DHCP IP address range or pointing the RF away from the student area, etc.

    From what I understand, as soon as someone or a student associates with the guest SSID they will get an IP address. How can we avoid students associating to the guest SSID? If this cannot be avoided, is there any other way for the guest SSID in this situation?

    The customer is open to ClearPass as an option. This will be a controller-based solution. I would also be interested to know about the Instant version as well.

    Thanks

    Mahathma



  • 2.  RE: Guest Access IP address depletion
    Best Answer

    EMPLOYEE
    Posted Aug 25, 2016 06:12 PM
    Nothing will prevent users from associating other than a PSK.

    Your best bet is to use a very large private IP space that is NAT'd and has short DHCP leases.


  • 3.  RE: Guest Access IP address depletion
    Best Answer

    EMPLOYEE
    Posted Aug 25, 2016 07:36 PM

    You can have a large subnet with short leases, and you can configure the local-probe-request threshold and the auth request threshold at 25 or more on that SSID in the advanced properties. That will allow only people that can be seen at 25 RSSI to associate.

     

    The local probe request threshold will only respond to probe requests to clients at X SNR or stronger.

    The auth request threshold will only allow users to associate who are at X SNR or stronger.

     

    Make them both the same number.  You can increase to 30 if you have enough density in your office and the APs are close to most people.

     

    [Attached image: lprt.png]
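
The "large NAT'd subnet with short leases" advice in replies 2 and 3, worked through as an added example that is not part of the original thread. The arrival rate, dwell time and 10.20.0.0 subnets are constructed values, and the model assumes clients renew at half the lease time and leave without sending DHCPRELEASE.

```python
import ipaddress
import math

def lease_hold_seconds(dwell_s: int, lease_s: int) -> int:
    """How long one client keeps an address allocated.

    Assumptions: the client renews at T1 = lease/2 while in range
    (the RFC 2131 default) and walks away without a DHCPRELEASE, so the
    address is freed only when the last lease it was granted expires.
    """
    t1 = max(1, lease_s // 2)
    last_renewal = (dwell_s // t1) * t1
    return last_renewal + lease_s

def usable_addresses(cidr: str, reserved: int = 1) -> int:
    """Pool size: subnet minus network, broadcast and `reserved` (gateway)."""
    return ipaddress.ip_network(cidr).num_addresses - 2 - reserved

def plan(cidr: str, arrivals_per_hour: int, dwell_s: int, lease_s: int) -> dict:
    """Steady-state leases in use (arrival rate x hold time) against the pool."""
    hold = lease_hold_seconds(dwell_s, lease_s)
    in_use = math.ceil(arrivals_per_hour * hold / 3600)
    pool = usable_addresses(cidr)
    return {"cidr": cidr, "lease_s": lease_s, "in_use": in_use,
            "pool": pool, "fits": in_use <= pool}

# Constructed scenarios: two guest subnets, an 8 hour and a 15 minute lease.
SCENARIOS = [
    ("10.20.0.0/24", 8 * 3600),
    ("10.20.0.0/20", 8 * 3600),
    ("10.20.0.0/24", 15 * 60),
    ("10.20.0.0/20", 15 * 60),
]

def run(arrivals_per_hour: int = 600, dwell_s: int = 120) -> list:
    """600 passers-by per hour, each in range for 2 minutes (constructed)."""
    return [plan(c, arrivals_per_hour, dwell_s, l) for c, l in SCENARIOS]

if __name__ == "__main__":
    for r in run():
        verdict = "ok" if r["fits"] else "EXHAUSTED"
        print(f'{r["cidr"]:<14} lease={r["lease_s"]:>5}s '
              f'in_use={r["in_use"]:>4} pool={r["pool"]:>4} {verdict}')
```

With these inputs an 8 hour lease exhausts even the /20, while a 15 minute lease fits in the /24, so the lease time matters at least as much as the subnet size.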



  • 4.  RE: Guest Access IP address depletion

    Posted Sep 01, 2016 08:58 AM

    If Mahathma's problem is trying to conserve the IP space and/or the air time for legitimate Corporate Guest users, then I totally agree with Tim and Colin.

     

    On the other hand, I have come across a situation whereby the Guest Wi-Fi provider denies any more clients to associate to it.  I guess there can be many reasons - e.g. run out of DHCP addresses, the internet pipe is getting congested, etc.  

     

    "We are currently experiencing a high level of activity on our network and are unable to connect you to the free public Wi-Fi at this time. We apologise for any inconvenience and ask you to try and connect again shortly."

     

    I'm just wondering how we can achieve this design approach?

     

    Sometimes I *think* that this is better than having a huge IP space and just trying to facilitate as many people as possible.

     

    Thanks in advance.



  • 5.  RE: Guest Access IP address depletion

    EMPLOYEE
    Posted Sep 01, 2016 09:16 AM

    Kenneth Tai,

     

    That makes sense, but it does not deal with the primary issue of "drive by" people consuming resources that legitimate users have a right to.  It does provide a feedback mechanism, though.



  • 6.  RE: Guest Access IP address depletion

    Posted Sep 01, 2016 09:27 AM

    Hi Colin,

     

    What do I need in order to achieve this type of "feedback mechanism"? A Web Auth Server that takes in some kind of counters/statistics and once the guest users hit the high water mark (upper threshold), the Web Server will not give out the Captive Portal page for the guest users to sign on?

     

    Thanks. 



  • 7.  RE: Guest Access IP address depletion

    EMPLOYEE
    Posted Sep 01, 2016 09:31 AM

    I am not sure that data is exposed in a way that would allow it to be reflected in the web browser.  Maximum users on an SSID is not exposed.  Free DHCP leases is not exposed.  The Captive Portal only does this for controller CPU.  http://community.arubanetworks.com/t5/Controller-Based-WLANs/Why-is-Captive-Portal-Wait-Logon-wait-page-displayed-even-when/ta-p/180738