general problem: WLAN to VLAN forwarding

Unanswered Question
Jul 1st, 2011

Hello together,


I am trying to find a general solution to the following problem:


Cisco WLAN environment, >50 intelligent APs, >300 WLAN users, multiple SSIDs. Behind every SSID is a different VLAN. DHCP enabled on the clients. The users' standard of knowledge does not provide the means to configure their WLAN client. Users are in an Active Directory.


The objective:

The user must be able to connect to their VLAN without knowing the key of the corresponding SSID.


The momentary solution is a correspondingly hard configured WLAN Adapter with RJ45 connector which provides access to the requested SSID / VLAN.

To clarify:

  • WLAN Adapter A -> Access to SSID A / VLAN A
  • WLAN Adapter B -> Access to SSID B / VLAN B
  • etc.


Now there are users with i.e. iPads without an RJ45 port, who should also be able to connect to their VLANs.


How can I do this?


I thought I could get a running 802.1X network based on a WLC 4402 and controlled APs, but if I enable 802.1X the old hard configured WLAN Adapters stop functioning because they do not support that standard. The withdrawal from service of the WLAN Adapters is not an option.


If anyone has suggestions, I would greatly appreciate it.


Thanks in advance.

b.garczynski Fri, 07/01/2011 - 09:44

Andre,


I think the best solution to your problem would be to allow VLAN assignment via RADIUS. This way you can group users in AD and then create a policy on the RADIUS server to instruct the AP/WLC to assign a specific VLAN for that user. If you have devices that your organization does not control then it would be my recommendation to create a guest only SSID using web auth that provides Internet access only. To move forward with this solution I would recommend using either EAP-TLS or PEAP and group policy to automate the SSID configuration and certificate enrollment if needed.


Thanks,
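
The reply attributes a RADIUS server returns for the dynamic VLAN assignment suggested in the reply above, shown as an added example that is not part of the original thread. The AD group names, VLAN IDs and function names are constructed; the attribute numbers come from RFC 2868 and RFC 3580, and the tag octet of 0x00 follows the RFC 3580 recommendation.

```python
import struct

# RADIUS tunnel attributes used for VLAN assignment (RFC 2868 / RFC 3580).
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TYPE_VLAN, MEDIUM_IEEE_802 = 13, 6

# Constructed policy: AD group -> VLAN ID, highest priority first.
GROUP_TO_VLAN = [("WLAN-Engineering", 110), ("WLAN-Office", 120)]

def vlan_for(groups):
    """First matching group wins; None means no VLAN (reject, never a default)."""
    member = {g.lower() for g in groups}
    for group, vlan in GROUP_TO_VLAN:
        if group.lower() in member:
            return vlan
    return None

def encode_vlan_attributes(vlan, tag=0):
    """Build the three Access-Accept attributes as type/length/tag/value bytes."""
    if not 1 <= vlan <= 4094:
        raise ValueError("VLAN ID out of range")
    def tagged_int(attr, value):
        # Tunnel-Type and Tunnel-Medium-Type: 1-byte tag + 3-byte value.
        return struct.pack("!BBB", attr, 6, tag) + value.to_bytes(3, "big")
    vid = str(vlan).encode("ascii")  # the VLAN ID travels as an ASCII string
    group_id = struct.pack("!BBB", TUNNEL_PRIVATE_GROUP_ID, 3 + len(vid), tag) + vid
    return (tagged_int(TUNNEL_TYPE, TYPE_VLAN)
            + tagged_int(TUNNEL_MEDIUM_TYPE, MEDIUM_IEEE_802)
            + group_id)

def decode_attributes(blob):
    """Parse the attributes back, as the receiving WLC/AP side would."""
    out, i = {}, 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        attr, length = blob[i], blob[i + 1]
        if length < 3 or i + length > len(blob):
            raise ValueError("malformed attribute length")
        out[attr] = (blob[i + 2], blob[i + 3:i + length])
        i += length
    return out

if __name__ == "__main__":
    vlan = vlan_for(["Domain Users", "WLAN-Office"])
    print(vlan, encode_vlan_attributes(vlan).hex())
```
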

stefan.angerer Fri, 07/01/2011 - 10:06

I agree, since you are mentioning that your users are configured in AD, 802.1x with dynamic VLAN assignment is the best choice in your situation. This will also work for your iPads.


Maybe you can give us some details on what WLAN NICs you are using and what exactly did not work when you tried .1x?


Stefan

ahanstein Mon, 07/04/2011 - 07:34

First of all, thanks for the responses.

@b.garczynski


What you described was my first intention, but if I understand it right RADIUS is only possible with 802.1X. But that's unfortunately not supported by the WLAN adapters.



@stefan.angerer


My "corpus delicti" is the Siemens Gigaset WLAN Repeater 108

http://gigaset.com/at/de/product/GIGASETWLANREPEATER108.html?tab=data

This Adapter does not support 802.1X and just crashes if it is assigned to a WLAN where the .1x standard is running. If it's disabled, it's doing its job.


@all

Furthermore the VLAN association must be safe and flexible, so an authentication via MAC or similar is also not an option.

Customers can be quite demanding...


Thanks in advance.

stefan.angerer Tue, 07/05/2011 - 03:28

Maybe you could try to use a dedicated 802.1x supplicant?

(e.g. Cisco Anyconnect 3.0 which is free)

Leo Laohoo Tue, 07/05/2011 - 03:32

How about configuring the WLAN adapters to associate to the specific SSID in question by using PSK?

b.garczynski Tue, 07/05/2011 - 09:16

Right, if we want to do dynamic VLAN assignment the only option is via RADIUS which then requires some type of EAP method for authentication. So what I gather from the thread is that we cannot do 802.1x for authentication. This leaves us only with the option of an SSID per VLAN and a PSK for authentication. That said we can use configuration options such as HREAP and AP Groups to help keep the SSID configuration to a minimum across the network.


Thanks,
