Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Roaming users and AP groups...

  • 1.  Roaming users and AP groups...

    Posted Dec 14, 2015 06:14 PM

    We have multiple locations with roughly 10 APs in each. Originally, we created AP groups based on location and not necessarily on configuration. What I'd like to do is consolidate all the remote APs into 1 group and keep the LAN connected APs in another. I want users to be able to roam from the AP group that has RAPs to the other group with LAN connected APs without having to re-authenticate. Both groups will have the same VAPs and SSID profiles. The big difference between the 2 groups is the way the traffic is being tunneled; the RAPs will be split tunnelled and the LAN connected ones will be tunneled.

    Will users' devices see this as a separate network and will the devices want to create a separate profile simply based on how the traffic is handled? I just want the President to only have to authenticate once, whether he's in a location where the APs are local to the controller or in a RAP config.

     

    Thanks. 



  • 2.  RE: Roaming users and AP groups...

    EMPLOYEE
    Posted Dec 14, 2015 06:16 PM
    What authentication are you using?


  • 3.  RE: Roaming users and AP groups...

    Posted Dec 14, 2015 06:18 PM

    We are using captive portal authentication with LDAP backend along with WPA2-PSK.



  • 4.  RE: Roaming users and AP groups...

    EMPLOYEE
    Posted Dec 14, 2015 06:21 PM
    The only way to allow roaming between different locations with captive portal is to deploy a policy engine like ClearPass that does MAC caching. If your users did 802.1X, the supplicant would handle the authentication and the "roaming" would be seamless.


  • 5.  RE: Roaming users and AP groups...

    Posted Dec 14, 2015 06:35 PM

    So given our current scenario and deploying NPS at this time isn't an option, what would be the best course of action?

    I imagine if a user roams from one location to another and those 2 locations have APs that are in the same AP group, he/she will not have to re-authenticate?



  • 6.  RE: Roaming users and AP groups...

    EMPLOYEE
    Posted Dec 14, 2015 06:38 PM
    There is no timer long enough to cache a user's session between locations, no. You can do a user derivation rule that looks for the CEO's MAC address and puts him in an authenticated role so he would not have to authenticate.


  • 7.  RE: Roaming users and AP groups...

    Posted Dec 14, 2015 06:56 PM

    Once employees enter the correct PSK and LDAP credentials, they are placed in the "authenticated" group.



  • 8.  RE: Roaming users and AP groups...

    EMPLOYEE
    Posted Dec 14, 2015 06:57 PM
    A user derivation rule runs when a user associates and before they authenticate.


  • 9.  RE: Roaming users and AP groups...

    Posted Dec 14, 2015 07:05 PM

    Since all employees are placed in an employee VLAN, can I create a user-derived rule that states:

    set type: vlan
    rule type: essid
    essid contains: staff network
    vlan: "staff vlan"



  • 10.  RE: Roaming users and AP groups...

    EMPLOYEE
    Posted Dec 14, 2015 07:06 PM
    You should switch the role, not the VLAN...