As a large teaching hospital, we have been approached by our partner university to allow their staff and students the use of our wireless infrastructure to access the university network. They ideally want to use their wireless setting (WPA2 Enterprise) and their SSID to allow people to move between campuses without reconfiguring.
Due to data protection rules and large amounts of complexity, we cannot allow our controllers and network to see the university's network and RADIUS servers. The plan would be to use the guest SSID and an anchor controller on the other side of a firewall and tunnel their traffic through the network and out.
The 2 main questions are:
Is it possible to have a guest SSID with WPA security associated with it? Is this done on the anchor controller?
The second, but not critical, question is that they map their users to 1 of 4 VLANs based on their group on their RADIUS server. Is this still possible?
Yeah, I reckon if you use guest tunneling then the controllers wouldn't be in contact with the Uni's infrastructure. This would negate the possibility of somehow getting the Uni's RADIUS to tell your controllers what VLAN to connect the guest clients to.
I reckon you should configure the SSID security on the foreign controller(s) as they'll be delivering the WLAN association.
Hi Adam, I now face exactly the same challenge with the same constellation, using DMZ controllers and WPA Enterprise with RADIUS for the tunneled SSIDs. Do you have a working constellation? Did you face any problems?