Hi

We are using Nortel which is OEM'd from Trapeze.

We can control the vlan assignment if we use 802.1x authentication and get
RADIUS to check a field in LDAP to decide which vlan to put them in. The
problem we have is we want to use the built-in Web Portal mechanism. This
does not allow multiple vlans on a single ssid. So we'd like to split up
the network based on user credentials, like say staff and student in order
to keep our vlan broadcast domain small.

So our problem is making sure that a staff connects to the staff ssid and
not the student ssid and vice versa. If there was a way to validate the user
based on their username/password/ssid-they-connect-to and compare this
against their stored username/password/ssid-they-have-access-to that would
be ideal.

Cheers

Matt
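
The username/SSID comparison asked for above, sketched as an added example; it is not part of the original messages and is not Nortel, Trapeze or any RADIUS server's own code. It assumes the controller puts the SSID in the RADIUS Called-Station-Id attribute in the RFC 3580 form "AP-MAC:SSID" for portal logins as well, and the directory contents, SSID names and the `allowedSsid` attribute are constructed for illustration.

```python
import re

# RFC 3580 style Called-Station-Id: AP MAC, then ":" and the SSID.
# Assumption: the controller sends the SSID this way for portal logins too.
_CSID = re.compile(r"^(?:[0-9A-Fa-f]{2}[-:]){5}[0-9A-Fa-f]{2}:(.+)$")

# Constructed stand-in for the LDAP lookup: user -> SSIDs they may use.
# "allowedSsid" as a directory attribute is hypothetical.
DIRECTORY = {
    "jsmith": {"campus-staff"},
    "s1234567": {"campus-student"},
    "tadmin": {"campus-staff", "campus-student"},
}


def ssid_from_called_station_id(value):
    """Return the SSID part of Called-Station-Id, or None if absent."""
    m = _CSID.match(value or "")
    return m.group(1) if m else None


def authorize(username, called_station_id, directory=DIRECTORY):
    """Decide Accept/Reject after the password has already been verified.

    Fails closed: an unknown user, or a request that carries no SSID,
    is rejected rather than allowed onto whichever SSID was used.
    """
    ssid = ssid_from_called_station_id(called_station_id)
    if ssid is None:
        return ("Access-Reject", "no SSID in Called-Station-Id")
    allowed = directory.get(username)
    if allowed is None:
        return ("Access-Reject", "unknown user")
    # SSIDs are case-sensitive octet strings, so compare exactly.
    if ssid not in allowed:
        return ("Access-Reject", f"{username} not permitted on {ssid}")
    return ("Access-Accept", ssid)


if __name__ == "__main__":
    # Constructed sample requests: (username, Called-Station-Id)
    for user, csid in [
        ("jsmith", "00-11-22-33-44-55:campus-staff"),
        ("s1234567", "00-11-22-33-44-55:campus-staff"),
        ("jsmith", "00-11-22-33-44-55"),
    ]:
        print(user, csid, authorize(user, csid))
```
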
-----Original Message-----
From: Frank Bulk [mailto:[EMAIL PROTECTED] 
Sent: November 9, 2006 11:01 PM
To: [EMAIL PROTECTED]; [email protected]
Subject: RE: [WIRELESS-LAN] How many SSID's?

Matt:

Which vendor do you use for your wireless infrastructure setup, and what
product?  Some systems allow you to control authentication for a specific
SSID to work against a specific RADIUS server or have the RADIUS
authentication requests include additional (scope restricting) information.
It all depends on the vendor's implementation.

On the client side, you can configure most supplicants to use only the
pre-defined profiles.

Frank

-----Original Message-----
From: Matt Ashfield [mailto:[EMAIL PROTECTED] 
Sent: Thursday, November 09, 2006 2:16 PM
To: [email protected]
Subject: Re: [WIRELESS-LAN] How many SSID's?

For those of you who are using multiple SSID's, how are you ensuring that
the clients connect to the same one?

For example, if we were to do 2 ssid's, one for staff, one for students,
we'd have to find a way that would prevent students from connecting to the
staff ssid and vice-versa, because they'd be authenticating against the same
LDAP database (ie, same field names).

Cheers

Matt
[EMAIL PROTECTED] 


-----Original Message-----
From: Stan Brooks [mailto:[EMAIL PROTECTED] 
Sent: November 7, 2006 4:15 PM
To: [email protected]
Subject: Re: [WIRELESS-LAN] How many SSID's?

Tom,

Running multiple SSIDs will eat some channel bandwidth.  Each SSID will 
beacon around 10 times a second, so 6 SSIDs means 60 beacons a second.

Also, most clients behave badly when different SSIDs share the same 
BSSID (wireless MAC of the AP), so make sure your vendor supports 
multiple BSSIDs.  This is usually limited by the underlying wireless 
chipset.  Our vendor, Aruba, supports 8 BSSIDs/radio.  I prefer to limit 
the number of SSIDs to a smaller number than our hard limit of 8 - 4 to 
5 SSIDs at any one AP (but I am getting some pressure to address some 
"one-off" networks in some areas).

In looking over your list, I would suggest combining the VPN and guest 
SSIDs as both are open access, and your VPN server is probably reachable 
through whatever guest firewall rules you've applied.

We've not addressed the appliances like TiVo or game consoles for 
wireless access - they are "not supported at this time".  A separate 
SSID is an interesting way to handle those devices.

All of our authenticated users are coming in via WPA/802.1x or VPN (from 
our guest SSID).  We haven't signed up for EduRoam, so we support 
visiting scholars through our guest SSID - they just have to VPN to 
their home school or organization.

Additionally, we have a separate wireless network for our Healthcare 
organization (3+ hospitals, etc) which has a WPA/802.1x SSID as well as 
guest access SSID and Wireless VoIP SSID.  We are investigating the 
ramifications of merging the two networks together into a single managed 
network.

 >>-> Stan Brooks - CWNA/CWSP
      Emory University
      Network Communications Division
      404.727.0226
      [EMAIL PROTECTED]
AIM: WLANstan  Yahoo!: WLANstan  MSN: [EMAIL PROTECTED]


-------- Original Message --------
From: Tom Zeller
Date: 11/7/2006 12:12 PM

> I am also thinking about using multiple SSIDs and I'm wondering how
> significant the overhead is.  Without working too hard I can think of 6
> distinct networks:
> 
> 1. Legacy VPN-protected
> 2. 802.1x
> 3. Guest
> 4. EduRoam 
>     (Travelling scholars  can use their home RADIUS server to use WiFi)
> 5. Ad Hoc local department network with legit special need (Health Center?)
> 6. Appliances - for Tivos, game consoles, whatever.
>    access via mac address registration
>    access to internet, with some blocks, but not campus
>    perhaps access across the dorm network
> 
> 
> Tom Zeller
> Indiana University
> [EMAIL PROTECTED]
> 812-855-6214
> 
> **********
> Participation and subscription information for this EDUCAUSE Constituent
> Group discussion list can be found at http://www.educause.edu/groups/.
