
general problem: WLAN to VLAN forwarding

ahanstein
Level 1

Hello together,

I try to find a general solution to the following problem:

Cisco WLAN environment, >50 intelligent APs, >300 WLAN users, multiple SSIDs. Behind every SSID is a different VLAN. DHCP enabled on the clients. The users' level of knowledge does not provide the means to configure their WLAN client. Users are in an Active Directory.

The objective:

The user must be able to connect to their VLAN without knowing the key of the corresponding SSID.

The current solution is a correspondingly hard-configured WLAN adapter with RJ45 connector which provides access to the requested SSID / VLAN.

To clarify:

WLAN Adapter A -> Access to SSID A / VLAN A

WLAN Adapter B -> Access to SSID B / VLAN B

etc.

Now there are users with i.e. iPads without an RJ45 port, who should also be able to connect to their VLANs.

How can I do this?

I thought I could get a running 802.1X network based on a WLC 4402 and controlled APs, but if I enable 802.1X the old hard-configured WLAN adapters stop functioning because they do not support that standard. The withdrawal from service of the WLAN adapters is not an option.

If anyone has suggestions, I would greatly appreciate it.

Thanks in advance.

7 Replies

b.garczynski
Level 1

Andre,

I think the best solution to your problem would be to allow VLAN assignment via RADIUS. This way you can group users in AD and then create a policy on the RADIUS server to instruct the AP/WLC to assign a specific VLAN for that user. If you have devices that your organization does not control, then it would be my recommendation to create a guest-only SSID using web auth that provides Internet access only. To move forward with this solution I would recommend using either EAP-TLS or PEAP and group policy to automate the SSID configuration and certificate enrollment if needed.

Thanks,
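
The RADIUS policy described in the reply above (AD group decides the VLAN), sketched as an added example that is not part of the thread. The group names and VLAN IDs are constructed; the attribute numbers and values are the RFC 2868 / RFC 3580 tunnel attributes used for VLAN assignment. It assumes the EAP authentication has already succeeded and only shows the authorization step, rejecting when the group match is missing or ambiguous.

```python
import struct

# Constructed sample policy (assumption): AD group name -> VLAN ID.
GROUP_TO_VLAN = {"WLAN-VLAN-A": 110, "WLAN-VLAN-B": 120}

# RADIUS attribute types (RFC 2868) and the values RFC 3580 uses for VLANs.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TYPE_VLAN, MEDIUM_IEEE_802 = 13, 6


def select_vlan(ad_groups):
    """Return the user's VLAN, or None when no group or more than one VLAN matches."""
    matches = {GROUP_TO_VLAN[g] for g in ad_groups if g in GROUP_TO_VLAN}
    return matches.pop() if len(matches) == 1 else None


def _tagged_int(attr_type, value, tag=0):
    # Layout: type (1), length (1) = 6, tag (1), value (3, big-endian).
    return struct.pack("!BBB", attr_type, 6, tag) + value.to_bytes(3, "big")


def _tagged_str(attr_type, text, tag=0):
    # Layout: type (1), length (1), tag (1), ASCII string.
    data = text.encode("ascii")
    return struct.pack("!BBB", attr_type, 3 + len(data), tag) + data


def vlan_attributes(vlan_id):
    """Encode the three tunnel attributes that tell the WLC/AP which VLAN to use."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID out of range")
    return (_tagged_int(TUNNEL_TYPE, TYPE_VLAN)
            + _tagged_int(TUNNEL_MEDIUM_TYPE, MEDIUM_IEEE_802)
            + _tagged_str(TUNNEL_PRIVATE_GROUP_ID, str(vlan_id)))


def authorize(ad_groups):
    """Fail closed: an unmapped or ambiguous user gets Access-Reject, not a default VLAN."""
    vlan = select_vlan(ad_groups)
    if vlan is None:
        return ("Access-Reject", b"")
    return ("Access-Accept", vlan_attributes(vlan))


if __name__ == "__main__":
    for groups in (["Domain Users", "WLAN-VLAN-A"], ["Domain Users"],
                   ["WLAN-VLAN-A", "WLAN-VLAN-B"]):
        decision, attrs = authorize(groups)
        print(groups, decision, attrs.hex())
```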

I agree, since you are mentioning that your users are configured in AD, 802.1x with dynamic VLAN assignment is the best choice in your situation. This will also work for your iPads.

Maybe you can give us some details on what WLAN NICs you are using and what exactly did not work when you tried .1x?

Stefan

First of all, thanks for the responses:

@b.garczynski

What you described was my first intention, but if I understand it right, RADIUS is only possible with 802.1X. But that's unfortunately not supported by the WLAN adapters.

@stefan.angerer


My "corpus delicti" is the Siemens Gigaset WLAN Repeater 108

http://gigaset.com/at/de/product/GIGASETWLANREPEATER108.html?tab=data

This adapter does not support 802.1X and just crashes if it is assigned to a WLAN where the .1x standard is running. If it's disabled, it's doing its job.

@all

Furthermore, the VLAN association must be safe and flexible, so an authentication via MAC or similar is also not an option.

Customers can be quite demanding...

Thanks in advance.

Maybe you could try to use a dedicated 802.1x supplicant?

(e.g. Cisco AnyConnect 3.0, which is free)

How about configuring the WLAN adapters to associate to the specific SSID in question by using PSK?

You can't do dynamic VLAN with PSK.

Right, if we want to do dynamic VLAN assignment the only option is via RADIUS, which then requires some type of EAP method for authentication. So what I gather from the thread is that we cannot do 802.1x for authentication. This leaves us only with the option of an SSID per VLAN and a PSK for authentication. That said, we can use configuration options such as HREAP and AP Groups to help keep the SSID configuration to a minimum across the network.

Thanks,
