Wireless Access

Hi Guys!

 

I have a project about assigning a VLAN in an SSID. I already know this process but a little, but confused in the back end part. In our office, we have 6 departments and we need to deploy 1 SSID per department so it'll be 6 SSIDs. I need to assign the same VLAN that they have in their LAN Ports through WIFI, so in case of an emergency that their LAN ports are not working, they'll be connected to the WIFI. Since our Aruba instant allows me to assign a VLAN in an SSID so it is possible to fetch those VLANs from our Switch. Are there any specific steps that I need to do to assign 6 VLANs in one port (which our AP is connected to)? Our AP is connected to a LAN Port. 

 

THANK YOU.

Your switch port would need to be configured as a trunk and allow the required VLANs. Your native VLAN would be used for the IAP Management VLAN and the client VLAN's would be a tagged VLAN.

Are you intending on broadcasting 6 SSID's from a single IAP? This is not recommended due to the increased overhead and will reduce performance. You can configure various options to assigned a VLAN based on a client or authentication server attribute. So this means all users would share the same (1x SSID) SSID whilst in a different VLAN.

 

You can use GVRP or MVRP to push VLANs down to the switch from the IAP.

Hi!

 

It's great that you tell me what will be the risk of taking this step. Can you please elaborate to me the alternative process that you suggested?

 

"You can configure various options to assign a VLAN based on a client or authentication server attribute. So this means all users would share the same (1x SSID) SSID whilst in a different VLAN.

 

You can use GVRP or MVRP to push VLANs down to the switch from the IAP."

 

Also, can you walk me through or give me some steps to do this so I can study it well as preparation for my project?

 

Thank you!

The first part we'd need to understand is how do your users authentication to the SSID? Is there a context aware authentication server such as ClearPass or RADIUS? The part you will need to understand is detailed under the Derivation Rules located in the User Guide. This will allow you return a User Role or VLAN based on a RADIUS attribute.

 

If you are using PSK, there is the method below but this can be a large management task depending on the amount of MACs in use. You can specify the VLAN within the assigned User Role.

 

https://community.arubanetworks.com/t5/Controller-less-WLANs/Role-derivation-based-on-MAC-address-for-Open-or-PSK-based-SSID/ta-p/234830

Usually, they are authenticated as employees and currently, we are using the MAC Filtering.

So, is the SSID authentication Open, WPA2-PSK, or Enterprise with MAC auth layered as well?

We use the WPA-2 Personal with mac authentication and pass phrase

Okay, in that case then you will need to use the example previously
supplied.

Cheers,
Craig

To be clear, the Role Derivation?

This one for PSK.

 

https://community.arubanetworks.com/t5/Controller-less-WLANs/Role-derivation-based-on-MAC-address-for-Open-or-PSK-based-SSID/ta-p/234830

Will this process allow the employees to connect to the SSID with the same vlan(policy) that they have in their lan ports?

This will allow you to assign different VLANs to users with a single SSID.

Sent from my iPhone

So after doing the configuration with my switch, I'll do this one? How would I know that the user must be connected to their corresponding vlans?

You’ll specify the User VLAN in the User Role.

Sent from my iPhone

So I'll specify their Mac addresses so the IAP will know to which VLAN they'll be assigned? Is that correct? Same SSID but different VLANs

You’ll specify a User Role based on the MAC and within that User Role you specify the VLAN for the Client.

Sent from my iPhone

Here. How will I assign this role that I created to one of our VLANs?

If you create the User Role, there is an option to select a VLAN which is also assigned.

Sent from my iPhone

Where can I find that User Role? I'm a bit lost LOL. Are there any steps to specifically assign a VLAN to a User Role? 

 

Thanks!

It’s not a problem :) Here you go, this shows you how to specify a VLAN within the User Role

In the Instant UI

To configure a user role for VLAN derivation:
1. Click the Security at the top right corner of Instant main window.
2. Click the Roles tab. The Roles tab contents are displayed.
3. Under Roles, click New.
4. Enter a name for the new role and click OK.
5. Under the Access rules, click New.
6. Select the Rule type as VLAN assignment.
7. Enter the ID of the VLAN in the VLAN ID text box.
8. Click OK.

https://www.arubanetworks.com/techdocs/Instant_41_Mobile/Advanced/Content/UG_files/Roles_and_policies/ConfUserRoleforVLAN.htm

Sent from my iPhone