When talking about taking a single SSID and switching some traffic locally and some traffic centrally there is a way to do that using RADIUS.
There is a feature called VLAN Based Central Switching. Based on the VLAN you return you can switch traffic either locally or centrally. There are some rules around how this works: 1. If the VLAN passed exists on the flexconnect AP, the traffic is switched locally. 2. If the VLAN passed does not exist on the flexconnect AP, it is forwarded centrally. 3. If the VLAN ID doesn't exist on the WLC, the VLAN is assumed bogus and traffic is dropped on the interface defined under Wlan/AP Group as any centrally traffic would traditionally be done. The trick is if you need to return an interface group or you have overlapping vlan IDs. Today, you can use interface names if the APs are in local mode, but flexconnect rejects this. The workaround is to use the bogus vlan so traffic is forwarded centrally and then define the AP-Group interface so that it drops onto the correct interface (or interface group). I have a request to allow the ability to use interface names when dealing with flexconnect, but we will see if/when this makes it into shipping code. Thanks Jake Snyder @jsnyder81 -----Original Message----- From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[email protected]] On Behalf Of Watters, John Sent: Tuesday, March 17, 2015 11:55 AM To: [email protected] Subject: Re: [WIRELESS-LAN] ResHall Wireless - FlexConnect We played with FlexConnect for a number of months but still could not get what we needed it to do on a consistent basis. Essentially we wanted FlexConnect to drop users into their building VLAN so they would be able to easily interact with the same devices that the wired connections in the buildings could see. As I'm sure you know, this also resolves many of the Apple, Chromecast, etc., problems. We did have one caveat though that we just couldn't get past -- we wanted to drop faculty/staff into one VLAN and students into another (we can easily return the proper VLAN for a particular client in a particular building from Radius server - FreeRadius with a call to our LDAP server for info) but we also need to send everything else back to the controller for central switching (e.g., police connections, special bar-code scanners that roam and serve to identify a user, but not being used for client traffic, for example, to give out free flu shots to eligible folks or let folks into a sporting event). We just couldn't get past having 95+% locally switched and the remainder centrally switched for over 200 buildings many with now over 100 APs each without using FlecConnect groups which are limited to numbers way too small for our campus. We can even live comfortably without roaming between buildings. MOst folks are not used to being able to roam between buildings downtown or many cannot roam between apartments off campus. How did you get around the FlexConnect group problem? ========================== -jcw ________________________________ From: The EDUCAUSE Wireless Issues Constituent Group Listserv [[email protected]] on behalf of Hector J Rios [[email protected]] Sent: Tuesday, March 17, 2015 9:27 AM To: [email protected] Subject: Re: [WIRELESS-LAN] ResHall Wireless I tested FlexConnect on 8.0.110.0. Here are my observations: *Great alternative to switch data locally (obviously) *No AVC Support *When controller is down, AP goes into standalone more. Must make sure that AP is not able to reach any other controller you don't want. This was fixed with an ACL. *Client details page does not show client IPv6 address. Client still gets IPv6 address. (PRIME does show it if you run a report). *Client details page does not show VLAN ID. *Putting AP in FlexConnect mode does not require reboot (Cool!) *No IPv6 ACL support More testing to do, but so far so good. -Hector From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[email protected]] On Behalf Of Hector J Rios Sent: Thursday, March 12, 2015 11:13 PM To: [email protected] Subject: Re: [WIRELESS-LAN] ResHall Wireless We use Cisco's wireless solution with WiSM2s and a variety of WAPs. We actually implemented the guest anchor controller solution last year with dual controllers (WLC2504) and we've been happy. I like Britton's idea of using FlexConnect at the dorms to switch the student data locally. However, I believe there are some limitations that would keep us from using it such as no support for AVC, and some limitations on IPv6. -Hector From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[email protected]] On Behalf Of Osborne, Bruce W (Network Services) Sent: Thursday, March 12, 2015 7:42 AM To: [email protected]<mailto:[email protected]> Subject: Re: [WIRELESS-LAN] ResHall Wireless Hector, You do not say what wireless solution you are using. Let me assume a Cisco or Aruba controller based solution. You can have vlans from your controller tunnel to an anchor controller in a DMZ. Use 802.1X authentication based on AD groups. This solution permits controlled internal access and, if you desire, unfiltered Internet access. Until recently, we did something similar with our open Guest wireless network on our Aruba system. We now use a different solution for this. The anchor controller idea was based on Cisco wireless training several years ago. At that time, it was their recommended guest solution. Bruce Osborne Wireless Engineer IT Infrastructure & Media Solutions (434) 592-4229 LIBERTY UNIVERSITY Training Champions for Christ since 1971 From: Hector J Rios [mailto:[email protected]] Sent: Wednesday, March 11, 2015 9:48 AM Subject: ResHall Wireless I'm wondering how many of you treat the wireless in the ResHalls differently from the wireless on the rest of your campus. In terms of geography, we have 21 ResHalls that are in the perimeter of our campus. Some of these buildings are next to academic or administrative buildings. Eduroam is our main SSID. So, for the longest time it has only made sense to broadcast eduroam everywhere. Now, on the wired side of the house, our ResHalls have a dedicated connection that gives them direct, non-firewall access to the internet (for access to campus resources, a student must VPN). This came about as a request from the students to have more freedom in their residence. Makes sense. But wireless is different as it goes through our campus core, traverses our perimeter firewall, and goes out our main internet connection. I've struggled to find an alternative solution to this. We recognize that students in ResHalls are different in the sense that they pay for a place to live and should get an internet service that is similar to their home service. However, any alternatives that we have considered (separate SSID, dynamic VLAN assignment, user groups) just seem to complicate the setup. Any good ideas out there or creative ways in which you have tackled this challenge? Thanks, Hector Rios, CCNP, CCA Assistant Director, Network Engineering Dept. of Networking and Infrastructure Information Technology Services Louisiana State University ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found athttp://www.educause.edu/groups/. ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found athttp://www.educause.edu/groups/. ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found athttp://www.educause.edu/groups/. ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found athttp://www.educause.edu/groups/. ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
