Regular Contributor II

Same SSID in close proximity - separate Aruba mobility domains

Good afternoon,

 

Wondering what options there are for sharing the same SSID with another institution in a physical location that will likely bleed through into each other's area.

 

Our campus offers eduroam. Another campus in town also runs eduroam. Both are Aruba customers and use different EAP types. A new "shared" location is being proposed where users from both campuses will be in the same building, same floor.

 

One option would be to allow School-A to broadcast eduroam across the whole area by adding APs into the other space. Users from School-B would connect to eduroam as "visiting eduroamers". But they would be in School-A's network space (vlans, policies, etc.).

 

Are there other options?

 

Thanks,

Mike

 

 

Frequent Contributor I

Re: Same SSID in close proximity - separate Aruba mobility domains

what type of authentication is used here?

 

If you are using an 802.1x + (AD / Clearpass), you could have the "visiting Eduroamers" moved to a vlan created specifically for them after they are authenticated using vendor specific attributes to return the said vlan.

 

This vlan (a named vlan would be easier to manage) could be then added to the VAP profile.

 

This way the other campus users can be managed easily. 

 

 

--Give Kudos: found something helpful, important, or cool? Click Kudos Star in a post.
--Problem Solved? Click "Accepted Solution" in a post.

 

Ajay Kumar Ravipati
ACMA (V8) | ACMP (V8) | CCENT | CCNA (R&S) | PAN-OS 8.0 ACE
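
The VLAN decision suggested in the post above, modelled as an added example that is not part of the original thread and is not ClearPass configuration. It assumes "visiting" is decided from the realm of the outer identity; the realm and VLAN names are hypothetical, and Aruba-Named-User-Vlan is the Aruba vendor-specific attribute that carries a named VLAN.

```python
import re

# Assumptions for illustration (not from the thread): realm and VLAN names.
HOME_REALMS = {"school-a.example"}
HOME_VLAN = "school-a-users"
VISITOR_VLAN = "eduroam-visitors"

# One DNS-style label: letters, digits, hyphens; no leading or trailing hyphen.
_LABEL = re.compile(r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?")


def parse_realm(user_name):
    """Return the lower-cased realm of an outer identity, or None if malformed."""
    if user_name.count("@") != 1:
        return None
    realm = user_name.split("@")[1].lower()
    labels = realm.split(".")
    # Require at least two labels and reject empty labels, spaces, trailing dots.
    if len(labels) < 2 or not all(_LABEL.fullmatch(label) for label in labels):
        return None
    return realm


def is_home(realm):
    """True for a home realm or a sub-realm of one (suffix match on a dot boundary)."""
    return any(realm == h or realm.endswith("." + h) for h in HOME_REALMS)


def reply_attributes(user_name):
    """Attributes to add to the Access-Accept once EAP succeeds; None means reject."""
    realm = parse_realm(user_name)
    if realm is None:
        return None
    vlan = HOME_VLAN if is_home(realm) else VISITOR_VLAN
    return {"Aruba-Named-User-Vlan": vlan}


if __name__ == "__main__":
    # Constructed sample outer identities.
    for name in ("anonymous@SCHOOL-A.EXAMPLE", "bob@school-b.example",
                 "bob@evilschool-a.example", "bob@school-a.example."):
        print(name, "->", reply_attributes(name))
```

The match on a dot boundary keeps a look-alike realm such as evilschool-a.example out of the home VLAN, and malformed realms are rejected instead of falling through to the visitor VLAN.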
Regular Contributor II

Re: Same SSID in close proximity - separate Aruba mobility domains


@A_RAK wrote:

what type of authentication is used here?

 

If you are using an 802.1x + (AD / Clearpass), you could have the "visiting Eduroamers" moved to a vlan created specifically for them after they are authenticated using vendor specific attributes to return the said vlan.

 

This vlan (a named vlan would be easier to manage) could be then added to the VAP profile.

 

This way the other campus users can be managed easily. 

 

 


 


Thanks. We are using 802.1x + (LDAP/Clearpass). Yes we absolutely could make a new vlan and use Clearpass to push the user there if that's needed. But that still means the device will vacillate between School-A's vlan/role and School-B's vlan/role under the same SSID as the user roams around the floor.

Frequent Contributor I

Re: Same SSID in close proximity - separate Aruba mobility domains

Is the intention here to isolate school A's users from school B's network/policies and vice versa, and also for the users to be segregated while maintaining their roles even if they roam? All while connected to the same SSID that is Eduroam?

Please let me know if this is what you are looking for.

 


Ajay Kumar Ravipati
ACMA (V8) | ACMP (V8) | CCENT | CCNA (R&S) | PAN-OS 8.0 ACE
Regular Contributor II

Re: Same SSID in close proximity - separate Aruba mobility domains

I'd say the main desire is for the endpoint to not get "confused" when roaming from School-A's eduroam SSID to School-B's eduroam SSID on the same floor. Same SSID but different vlans, subnets and EAP types. The endpoint sees the same ESSID as the same network.

Mike

Frequent Contributor I

Re: Same SSID in close proximity - separate Aruba mobility domains

To sum it up the requirements stand as below

 

1.) Same ESSID - Eduroam
2.) Different VLANS - Clearpass could be configured to do this as mentioned earlier
3.) Different Subnets - Clearpass could do this as well after authentication
4.) Different EAP Types - Is School B using the same model (EAP-variant + LDAP/Clearpass) ?
5.) Seamless Roaming without any Ambiguity

 

===================================

 

1.) Same ESSID - Eduroam

 

Create two different VAP profiles and ssid profiles

 

wlan ssid-profile School_A_ssid
    essid Eduroam
    <other settings>

wlan ssid-profile School_B_ssid
    essid Eduroam
    <other settings>

wlan virtual-ap Eduroam_School_A
    ssid-profile School_A_ssid
    <other profiles>

wlan virtual-ap Eduroam_School_B
    ssid-profile School_B_ssid
    <other profiles>

 

Clearpass could be used to solve requirements 2 & 3.

 

Could you please elaborate on the requirement 4.

 

What authentication model is the other school using?

 


Ajay Kumar Ravipati
ACMA (V8) | ACMP (V8) | CCENT | CCNA (R&S) | PAN-OS 8.0 ACE
Regular Contributor II

Re: Same SSID in close proximity - separate Aruba mobility domains

Hi A_RAK,

 

School A and School B both use the same SSID name (essid). VLANs, subnets, routed networks, EAP Types and backend auth (AD vs LDAP) are all different. Not sure if both schools use Clearpass.

 

Both networks are in full production. Users from School A visit School B and connect easily through the magic of eduroam auth-proxy, and vice versa.

 

The only new twist is that a new physical building is being proposed where users from both schools will be in adjacent wings of the same floor(s). Both schools are building separate network infrastructure. Both schools plan to add APs. Both schools currently offer eduroam as their primary 802.1x SSID. There will be coverage bleed between the areas which cannot be controlled with RF tweaks. This isn't a huge space. So endpoints will likely roam between these two same-named SSIDs - which go back to completely different physical and logical infrastructure (vlans, subnets, auth, networks, etc.) - and are expected to do this seamlessly.

 

Current thinking is to let one school provide eduroam coverage throughout the space. This can be easily accomplished physically by adding one or two additional APs. It's a smallish space. For this user group it is not critical for wireless devices to have IP addresses in their host school's network space as was initially thought to be the case. Both schools will also offer any other school-specific SSIDs they wish from their own APs connected to their own infrastructure. This is the most straightforward and quickest approach.

 

Mike

 

Frequent Contributor II

Re: Same SSID in close proximity - separate Aruba mobility domains

It will get very confusing if there are 2 networks sending out eduroam. You simply cannot explain this to the end users, also roaming will not be optimal.

 

I agree with your own suggestion; 1 school should install Wi-Fi access points and broadcast the Eduroam SSID, the students of the other school are using the Eduroam as guest users and should enable VPN if they would require other access than public Internet.



- - - - Aruba ACCX #748, ACDX #758, ACMP, ACEAP | HPE Master ASE - - - -
- - - - - - - Feel free to give kudos or accept as a solution! - - - - - - - - -