Dear Wireless Expert,
I would like to seek your expertise on my issue.
I have already configured a few lightweight APs via the Cat6509 WLSM module, and set up WLSM web auth for these lightweight APs, which authenticates users against the RADIUS server (Cisco Secure ACS-SE) local database. Each AP belongs to a different VLAN and subnet.
My concerns are:
Let's say I need to add 2 wireless interfaces/SSIDs - staff & Guest - and bind both interfaces to the AP Group for each AP.
Should I configure 2 different SSIDs - staff & guest - when in the end the user is still using the same WLSM web auth with Cisco ACS SE for authentication? How do I differentiate whether a user is staff or guest after the user authenticates successfully using Cisco Secure ACS SE? So far I can put each user in a different group - staff and Guest. But do we have any other way to configure the Cisco Secure ACS SE group setup for access control, for example, group 1 = staff not able to access certain IPs or services?
If I configure 2 wireless interfaces/SSIDs and allocate 2 different subnet ranges for staff & Guest, then once user authentication is done, the user will get an address range based on the SSID chosen. But how do we control a guest user so that they are unable to access the Guest SSID, since the AP advertises 2 SSIDs? Using this way, we can control the traffic based on the IP address, right?
Please suggest the best solution. How do I segregate staff and guests? Any idea how to control it?
Because each AP belongs to a different VLAN and subnet, I believe that Layer 3 roaming for WLSM is necessary, right?
Is there any doc on how to configure Layer 3 roaming for WLSM and the segregation idea above?
Please advise and guide. (^_^)