Re: [WIRELESS-LAN] WLAN Deployment-High number of users

2009-05-22 Thread Mike King
It all depends on:
1.  Your Wireless AP / Wireless Controller Implementation
2.  Your Radius Server's ability to use policies.

Each Radius server returns different information in a RADIUS packet.  The
Cisco Controllers return the attributes of:
  CalledStationID 00-00-00-00-00-00:SSID  (Where 00-00-00-00-00-00 is the AP's MAC, and SSID is the SSID they are connecting to)
  CallingStationID 00-00-00-00-00-00  (Where 00-00-00-00-00-00 is the MAC of the laptop)
  NASIPv4Address 0.0.0.0  (Where 0.0.0.0 is the IP of the Wireless LAN Controller)
  NASIPv6Address -
  NASIdentifier Controller-Name  (Where Controller-Name is the name of the controller as configured in the WebGUI)
  NASPortType Wireless - IEEE 802.11
  NASPort 29  (The port number, I think with LAG ports, it's always 29)

The second part of the question is: can your Radius Server deal with this
information?
I know IDEngines has the concept of policies.  I know NPS (IAS for server
2008) also has policies, and I know FreeRADIUS can pull off some cool
matching features.

NPS and IDEngines allow you to create policies that match like firewall
rules, and apply based on policy matches.  I'm unsure if IAS on 2003 can do
this.  I'm not sure Steel-Belted Radius has this functionality.  It didn't
when I looked at it 4 years ago, but that is a very long time ago in a
product lifecycle for a currently shipping product.

Mike




On Thu, May 21, 2009 at 8:06 PM, Johnson, Bruce T bjohns...@partners.org wrote:

 Jason et al,

 Following up on the earlier two-SSID Nirvana (open and EAP-TLS)
 dialogue.

 We have a multi-controller/multi-campus environment.  I’d love to have a
 single EAP-TLS SSID handle all devices/applications, several with unique
 walled-garden isolation requirements that would otherwise require their own
 SSID.  How difficult is this to manage when you have to differentiate by
 controllers and campus-specific subnets?

 Can you combine attributes like NAS (controller) IP and device credentials
 to serve up locally-significant VLANs?

 Overall, has moving the administrative burden to RADIUS been a net gain in
 terms of RF cleanliness and client simplicity?

 Regards all,

 --Bruce Johnson


  --

 From: The EDUCAUSE Wireless Issues Constituent Group Listserv
 [mailto:wireless-...@listserv.educause.edu] On Behalf Of Jason Appah
 Sent: Friday, May 15, 2009 4:43 PM
 To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
 Subject: Re: [WIRELESS-LAN] WLAN Deployment-High number of users

 It wasn’t particularly difficult and many attributes from login name,
 authenticator type, location, machine name, and SNMP names can be used to
 differentiate and pass different VLANs… just do your research on what the
 Cisco is looking for when passing a VLAN..

 As an aside, the scenario we’ve seen both wired and wireless goes like
 this:

 We have a VLAN ascribed to authentication/Updates only, no internet,
 nothing but a domain controller login conduit; then we have staff, student,
 lab VLANs, and so forth…

 The clients perform machine authentication via 802.1x… the machines are
 placed in the auth only VLAN.. then the student staff or user logs in, and
 is placed in the proper VLAN.. the IP address is invalid and for a few
 moments 10-15 seconds they get “limited or no connectivity” until Microsoft
 retries the DHCP requests…

 Having one or two SSIDs is king, and when it works, it's magic!





 From: The EDUCAUSE Wireless Issues Constituent Group Listserv
 [mailto:wireless-...@listserv.educause.edu] On Behalf Of Johnson, Bruce T
 Sent: Friday, May 15, 2009 1:25 PM
 To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
 Subject: Re: [WIRELESS-LAN] WLAN Deployment-High number of users

 Yes I can imagine.  Thanks for the heads-up.

 How hard has it been to provision via RADIUS?  I am in favor of the reduced
 SSID load over the air.  Are MAC addresses the only thing you can use to map
 attributes to?  What about machine names?

 Thanks for your feedback,

 Bruce T. Johnson   |   Network Engineer

 Partners Healthcare | Network Engineering | 617.726.9662 | Pager: 31633 |
 bjohns...@partners.org
--

 From: The EDUCAUSE Wireless Issues Constituent Group Listserv
 [mailto:wireless-...@listserv.educause.edu] On Behalf Of Jason Appah
 Sent: Friday, May 15, 2009 4:10 PM
 To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
 Subject: Re: [WIRELESS-LAN] WLAN Deployment-High number of users

 Correct, but it generated a ton of support calls..

 From: The EDUCAUSE Wireless Issues Constituent Group Listserv
 [mailto:wireless-...@listserv.educause.edu] On Behalf Of Johnson, Bruce T
 Sent: Friday, May 15, 2009 12:45 PM
 To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
 Subject: Re: [WIRELESS-LAN] WLAN Deployment-High number of users

 Is that a temporary condition until DHCP completes?

 Bruce T. Johnson   |   Network Engineer

 Partners Healthcare | Network

Re: [WIRELESS-LAN] WLAN Deployment-High number of users

2009-05-22 Thread Mike King
I've got to proofread better.

On Fri, May 22, 2009 at 7:52 AM, Mike King m...@mpking.com wrote:

 Each Radius server returns different information in a RADIUS packet.


This should read:
Each Radius CLIENT returns different information in a RADIUS packet.

Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.



RE: [WIRELESS-LAN] WLAN Deployment-High number of users

2009-05-22 Thread Lee H Badman
It may be stating the obvious, but if you use AD, you can leverage attributes 
there to allow/restrict a range of network/WLAN functions...

Lee


RE: [WIRELESS-LAN] WLAN Deployment-High number of users

2009-05-22 Thread Johnson, Bruce T
Thanks Mike and Lee,

 

If I could somehow leverage the NASID and SSID as a name-couplet, this would
provide the differentiation I need while making provisioning relatively simple
(I don't want to have to resort to MAC addresses).  The packet data pretty much
reflects what I see in the RADIUS logs on the Cisco ACS.  It's in the creating
of the policy where the wireless rubber meets the road.   

 

Much appreciated guys,

 

--Bruce Johnson

 




RE: [WIRELESS-LAN] WLAN Deployment-High number of users

2009-05-22 Thread Scholz, Greg
We are a Brocade (OEM Meru) wireless shop and use MS IAS for RADIUS. You
can use the nas-ip-address attribute which is the IP of the controller
and the called-station-id which in Meru/IAS land is the MAC of the
controller:SSID (unlike Cisco per the posting below where it is the AP
MAC:SSID - I actually wish we could get the AP MAC).

So you may be able to get the NASID either by one of these attributes +
the SSID from the called-station-id using wildcard matching.

If these are more like fat APs where it will always be the AP's IP or
MAC (not the controller's) reported as the NAS, then what about
putting all their management IPs into logical groups so you could
wildcard match on a portion of the AP's MAC? Just another thought.

 

 

Hope this helps,

Greg

 

 

 

 

 


RE: [WIRELESS-LAN] WLAN Deployment-High number of users

2009-05-22 Thread Johnson, Neil M
Meru is not consistent about what RADIUS attributes they send when using 
different authentication methods.  This burned us when we tried to restrict 
users to a particular controller and SSID. It worked okay for 1X authentication, 
but when using Web authentication the called-station-id attribute is not sent 
to the RADIUS server.

I complained rather loudly that it be a software feature request.

-Neil


--
Neil Johnson
Network Engineer
Information Technology Services
The University of Iowa
Work: 319 384-0938
Mobile: 319 540-2081
Fax: 319 355-2618
E-mail/MSN: neil-john...@uiowa.edu
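
Added example (not part of any list member's post and not any RADIUS product's policy engine): a first-match policy in the "match like firewall rules" style discussed in this thread, keyed on the NAS-Identifier plus the SSID half of Called-Station-Id, that rejects the request when Called-Station-Id is absent. Controller names, SSID, groups and VLAN IDs are hypothetical; the reply attributes are the RFC 3580 VLAN assignment attributes.

```python
import fnmatch
import re
from typing import NamedTuple, Optional, Tuple

# Called-Station-Id layout quoted in the thread: "<MAC>:<SSID>",
# with the MAC written as 00-00-00-00-00-00. The SSID may itself contain ":".
_CALLED_RE = re.compile(r"((?:[0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2}):(.+)")


class Rule(NamedTuple):
    nas_id: str  # glob matched against NAS-Identifier (controller name)
    ssid: str    # glob matched against the SSID half of Called-Station-Id
    group: str   # glob matched against the authenticated identity's group
    vlan: int    # locally significant VLAN ID to hand back


# Constructed policy table: controller names, SSID, groups and VLAN IDs
# are hypothetical. Order matters: the first matching rule wins.
RULES = [
    Rule("wlc-north-*", "campus-secure", "clinical-devices", 310),
    Rule("wlc-north-*", "campus-secure", "staff", 110),
    Rule("wlc-south-*", "campus-secure", "clinical-devices", 320),
    Rule("wlc-south-*", "campus-secure", "staff", 120),
]


def parse_called_station_id(value: Optional[str]) -> Optional[Tuple[str, str]]:
    """Split Called-Station-Id into (mac, ssid); None if absent or malformed."""
    if not value:
        return None
    match = _CALLED_RE.fullmatch(value)
    if match is None:
        return None
    return match.group(1).upper(), match.group(2)


def select_vlan(request: dict, group: str, rules=RULES) -> dict:
    """Evaluate the rules top-down and return an accept/reject decision."""
    nas_id = request.get("NAS-Identifier")
    parsed = parse_called_station_id(request.get("Called-Station-Id"))
    if not nas_id or parsed is None:
        # Fail closed. Some NAS/auth-method combinations omit Called-Station-Id
        # (the web-authentication case reported in this thread); without it the
        # SSID is unknown, so no VLAN is guessed.
        return {"accept": False,
                "reason": "missing NAS-Identifier or Called-Station-Id"}
    ssid = parsed[1]
    for rule in rules:
        if (fnmatch.fnmatchcase(nas_id, rule.nas_id)
                and fnmatch.fnmatchcase(ssid, rule.ssid)
                and fnmatch.fnmatchcase(group, rule.group)):
            return {
                "accept": True,
                "vlan": rule.vlan,
                # RFC 3580 attributes used for dynamic VLAN assignment.
                "reply": {
                    "Tunnel-Type": "VLAN",
                    "Tunnel-Medium-Type": "IEEE-802",
                    "Tunnel-Private-Group-ID": str(rule.vlan),
                },
            }
    # Default deny: an unmatched (controller, SSID, group) gets no VLAN.
    return {"accept": False, "reason": "no policy matched"}


if __name__ == "__main__":
    # Constructed requests; MAC addresses and names are made up.
    samples = [
        ({"NAS-Identifier": "wlc-north-1",
          "Called-Station-Id": "00-1a-2b-3c-4d-5e:campus-secure"}, "staff"),
        ({"NAS-Identifier": "wlc-south-2",
          "Called-Station-Id": "00-1a-2b-3c-4d-5f:campus-secure"},
         "clinical-devices"),
        ({"NAS-Identifier": "wlc-south-2"}, "staff"),  # web-auth style request
    ]
    for request, group in samples:
        print(request.get("NAS-Identifier"), group, select_vlan(request, group))
```

The same user group lands in a different VLAN per controller, which is the locally significant mapping asked about earlier in the thread, without keying anything on client MAC addresses.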


RE: [WIRELESS-LAN] WLAN Deployment-High number of users

2009-05-21 Thread Johnson, Bruce T
Jason et al,

 

Following up on the earlier two-SSID Nirvana (open and EAP-TLS) dialogue.

 

We have a multi-controller/multi-campus environment.  I'd love to have a single
EAP-TLS SSID handle all devices/applications, several with unique walled-garden
isolation requirements that would otherwise require their own SSID.  How
difficult is this to manage when you have to differentiate by controllers and
campus-specific subnets?  

 

Can you combine attributes like NAS (controller) IP and device credentials to
serve up locally-significant VLANs?  

 

Overall, has moving the administrative burden to RADIUS been a net gain in terms
of RF cleanliness and client simplicity?

 

Regards all,

 

--Bruce Johnson

 






From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:wireless-...@listserv.educause.edu] On Behalf Of Jason Appah
Sent: Friday, May 15, 2009 3:43 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WLAN Deployment-High number of users

 

The only thing about that is training your users to accept the limited or no
connectivity state when connecting to the assigned vlan...

 

From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:wireless-...@listserv.educause.edu] On Behalf Of Mike King
Sent: Friday, May 15, 2009 12:04 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WLAN Deployment-High number of users

 

You don't mention if you're using 802.1x, but if you are, you can utilize VLAN
Override.

http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a0080665ceb.shtml

which allows you to throw users into specific VLANs based on RADIUS return
attributes.  All off the same SSID.

 

Mike

On Fri, May 15, 2009 at 2:39 PM, Jason Appah jason.ap...@oit.edu wrote:

You could still get away with that with FAT APs.

That is, since they are autonomous, you could assign different VLANs and
in turn different IP scopes to the same SSID as they are all unaware of
each other.


-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv

[mailto:wireless

Re: [WIRELESS-LAN] WLAN Deployment-High number of users

2009-05-16 Thread Johnson, Bruce T
Thanks Jason and Mike.

Great feedback. We have our Network Security folks administer RADIUS, so I'm
trying to gauge operational impact. How much time do you think this adds to the
workload? Are there flexible wildcard-match options?

Regards,

Bruce T. Johnson | Partners Healthcare 
Network Engineering | 617.726.9662 
Pager: 31633 | bjohns...@partners.org 
149 13th Street, 10th Fl., 10055B 
Charlestown, Ma 02129 



From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Sent: Fri May 15 22:28:38 2009
Subject: Re: [WIRELESS-LAN] WLAN Deployment-High number of users 


This depends on your implementation.  

If you don't do Auth vlans, and just do straight vlan switching (like the
article I linked) you can be placed on a VLAN based on many things.  We use
Group membership here.

No DHCP delay in that configuration.



-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv

[mailto:wireless-...@listserv.educause.edu] On Behalf Of Scott Irey
Sent: Friday, May 15, 2009 11:27 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU

Subject: Re: [WIRELESS-LAN] WLAN Deployment-High number of users

Not sure if Cisco has anything like this but Aruba has vlan pooling which
allows multiple vlans to be assigned to the same SSID and the algorithm will
assign clients to each vlan based on that. That works well if you want to
continue to broadcast the same ssid over all of campus. Not sure if Cisco
does anything similar.

We have multiple profiles here (per building) all using the same ssid but
depending on what AP you associate to you will get assigned that profile
which has the vlan assignment.

Scott Irey
Network  Telecom Systems Engineer
Oakland University
Office: 248.370.2808
Mobile: 248.505.9827

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:wireless-...@listserv.educause.edu] On Behalf Of reflect ocean
Sent: Friday, May 15, 2009 1:52 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] WLAN Deployment-High number of users

Hi I run a medium-sized wifi network. We are cisco shop
(autonomous access points). Recently wifi users number have reached
limits we didn't expect. Because of that, we had to adjust our subnet
network in order to support more users associated to the only SSID our
wireless network use.

I've been looking for alternative to create another ssid and associate
it to another different subnet but I can't find any related to.

Our wireless lan is currently reaching 1000 users or so. I'm not very
comfortable with the idea of having such number of users in wireless
subnet.
We have deployed around 60 cisco autonomous access points throughout
the campus and this subnet is firewalled and routed in our core switch
which is a hop away to accessing Internet. It's very simple design.
What would be a recommended deployment in this case with a growing
number of users?
Would deploying lwap bring any advantage to this design? We want to
keep a single ssid and mobility for wireless users.
Would mesh network bring any benefit?

Thank you

**
Participation and subscription information for this EDUCAUSE Constituent
Group discussion

RE: [WIRELESS-LAN] WLAN Deployment-High number of users

2009-05-15 Thread Jason Appah
vlans

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:wireless-...@listserv.educause.edu] On Behalf Of reflect ocean
Sent: Friday, May 15, 2009 10:52 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] WLAN Deployment-High number of users

Hi I run a medium-sized wifi network. We are cisco shop
(autonomous access points). Recently wifi users number have reached
limits we didn't expect. Because of that, we had to adjust our subnet
network in order to support more users associated to the only SSID our
wireless network use.

I've been looking for alternative to create another ssid and associate
it to another different subnet but I can't find any related to.

Our wireless lan is currently reaching 1000 users or so. I'm not very
comfortable with the idea of having such number of users in wireless
subnet.
We have deployed around 60 cisco autonomous access points throughout
the campus and this subnet is firewalled and routed in our core switch
which is a hop away to accessing Internet. It's very simple design.
What would be a recommended deployment in this case with a growing
number of users?
Would deploying lwap bring any advantage to this design? We want to
keep a single ssid and mobility for wireless users.
Would mesh network bring any benefit?

Thank you

**
Participation and subscription information for this EDUCAUSE Constituent
Group discussion list can be found at http://www.educause.edu/groups/.



RE: [WIRELESS-LAN] WLAN Deployment-High number of users

2009-05-15 Thread Scott Irey
Not sure if Cisco has anything like this but Aruba has vlan pooling which
allows multiple vlans to be assigned to the same SSID and the algorithm will
assign clients to each vlan based on that. That works well if you want to
continue to broadcast the same ssid over all of campus. Not sure if Cisco
does anything similar. 

We have multiple profiles here (per building) all using the same ssid but
depending on what AP you associate to you will get assigned that profile
which has the vlan assignment. 

Scott Irey
Network  Telecom Systems Engineer
Oakland University
Office: 248.370.2808
Mobile: 248.505.9827

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:wireless-...@listserv.educause.edu] On Behalf Of reflect ocean
Sent: Friday, May 15, 2009 1:52 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] WLAN Deployment-High number of users

Hi I run a medium-sized wifi network. We are cisco shop
(autonomous access points). Recently wifi users number have reached
limits we didn't expect. Because of that, we had to adjust our subnet
network in order to support more users associated to the only SSID our
wireless network use.

I've been looking for alternative to create another ssid and associate
it to another different subnet but I can't find any related to.

Our wireless lan is currently reaching 1000 users or so. I'm not very
comfortable with the idea of having such number of users in wireless
subnet.
We have deployed around 60 cisco autonomous access points throughout
the campus and this subnet is firewalled and routed in our core switch
which is a hop away to accessing Internet. It's very simple design.
What would be a recommended deployment in this case with a growing
number of users?
Would deploying lwap bring any advantage to this design? We want to
keep a single ssid and mobility for wireless users.
Would mesh network bring any benefit?

Thank you



RE: [WIRELESS-LAN] WLAN Deployment-High number of users

2009-05-15 Thread Voll, Toivo
LWAPP does bring significant benefits. Whether they're worth the cost is 
another matter.
1) Radio Resource Management. The system will figure out how to properly 
interleave channels and set power levels for minimum interference. It's not 
100% perfect, but I wager it's better than almost any human can do and can 
respond to changing conditions.
2) No more manual firmware updates, configuration back-ups etc. All the AP 
management is centralized; if one goes down or catches the flu it's all on a 
central console.
3) Roaming. You can have multiple subnets, one SSID, and when users move from 
an AP in one subnet to the other, the controller(s) handle the roaming 
transparently to the user. With autonomous APs the client loses connectivity, 
has to re-dhcp and all that. Depending on your physical environment this can be 
a big one.
4) Security, authentication etc. stuff.

Downside: unless you can get two controllers, you have a single point of 
failure: controller goes, and you no longer have a wireless network anywhere.

You have two subnet/vlan sizing issues; the subnet presented to the wireless 
users and the network on which the management interface on the APs sits. 
Neither should be too big; you want to keep broadcast traffic low on the radio 
side so that broadcasts don't end up eating up all your air time; you want to 
keep broadcast traffic low on the wired side because the APs (especially old 
ones) have some issues with broadcast loads. Because all user traffic is 
tunneled to the controller, it really doesn't matter what network an AP is on, 
though, from the wired side as long as it can talk to the controller.

Unless you have outdoor coverage from light poles and such or a campus with no 
wired backbone, I don't see much use for mesh.

I'd stay away from multiplying SSIDs. We're using a single SSID university-wide 
to lessen customer confusion and reduce help desk load.

Other factors: 1200-series and 1100-series APs can all be converted from 
autonomous to LWAPP - investment protection. Past that, if you're looking at 
having to fork-lift hardware (old vxWorks APs) Aruba is a pretty solid option 
too at very similar price.

--
Toivo Voll
Network Administrator
Information Technology Communications
University of South Florida




-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:wireless-...@listserv.educause.edu] On Behalf Of reflect ocean
Sent: Friday, May 15, 2009 1:52 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] WLAN Deployment-High number of users

Hi I run a medium-sized wifi network. We are cisco shop
(autonomous access points). Recently wifi users number have reached
limits we didn't expect. Because of that, we had to adjust our subnet
network in order to support more users associated to the only SSID our
wireless network use.

I've been looking for alternative to create another ssid and associate
it to another different subnet but I can't find any related to.

Our wireless lan is currently reaching 1000 users or so. I'm not very
comfortable with the idea of having such number of users in wireless subnet.
We have deployed around 60 cisco autonomous access points throughout
the campus and this subnet is firewalled and routed in our core switch
which is a hop away to accessing Internet. It's very simple design.
What would be a recommended deployment in this case with a growing
number of users?
Would deploying lwap bring any advantage to this design? We want to
keep a single ssid and mobility for wireless users.
Would mesh network bring any benefit?

Thank you



RE: [WIRELESS-LAN] WLAN Deployment-High number of users

2009-05-15 Thread Jason Appah
You could still get away with that with FAT AP's 

That is since they are autonomous, you could assign different vlans and
in turn different ip scopes to the same ssid as they are all unawares of
each other.

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:wireless-...@listserv.educause.edu] On Behalf Of Scott Irey
Sent: Friday, May 15, 2009 11:27 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WLAN Deployment-High number of users

Not sure if Cisco has anything like this but Aruba has vlan pooling which
allows multiple vlans to be assigned to the same SSID and the algorithm will
assign clients to each vlan based on that. That works well if you want to
continue to broadcast the same ssid over all of campus. Not sure if Cisco
does anything similar.

We have multiple profiles here (per building) all using the same ssid but
depending on what AP you associate to you will get assigned that profile
which has the vlan assignment.

Scott Irey
Network  Telecom Systems Engineer
Oakland University
Office: 248.370.2808
Mobile: 248.505.9827

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:wireless-...@listserv.educause.edu] On Behalf Of reflect ocean
Sent: Friday, May 15, 2009 1:52 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] WLAN Deployment-High number of users

Hi I run a medium-sized wifi network. We are cisco shop
(autonomous access points). Recently wifi users number have reached
limits we didn't expect. Because of that, we had to adjust our subnet
network in order to support more users associated to the only SSID our
wireless network use.

I've been looking for alternative to create another ssid and associate
it to another different subnet but I can't find any related to.

Our wireless lan is currently reaching 1000 users or so. I'm not very
comfortable with the idea of having such number of users in wireless
subnet.
We have deployed around 60 cisco autonomous access points throughout
the campus and this subnet is firewalled and routed in our core switch
which is a hop away to accessing Internet. It's very simple design.
What would be a recommended deployment in this case with a growing
number of users?
Would deploying lwap bring any advantage to this design? We want to
keep a single ssid and mobility for wireless users.
Would mesh network bring any benefit?

Thank you



RE: [WIRELESS-LAN] WLAN Deployment-High number of users

2009-05-15 Thread Lee H Badman
Just to add another on the downside- new Licensing costs. Can be a bit 
maddening, depending on which solution gets purchased.

Lee

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:wireless-...@listserv.educause.edu] On Behalf Of Voll, Toivo
Sent: Friday, May 15, 2009 2:38 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WLAN Deployment-High number of users

LWAPP does bring significant benefits. Whether they're worth the cost is 
another matter.
1) Radio Resource Management. The system will figure out how to properly 
interleave channels and set power levels for minimum interference. It's not 
100% perfect, but I wager it's better than almost any human can do and can 
respond to changing conditions.

2) No more manual firmware updates, configuration back-ups etc. All the AP 
management is centralized; if one goes down or catches the flu it's all on a 
central console.
3) Roaming. You can have multiple subnets, one SSID, and when users move from 
an AP in one subnet to the other, the controller(s) handle the roaming 
transparently to the user. With autonomous APs the client loses connectivity, 
has to re-dhcp and all that. Depending on your physical environment this can be 
a big one.
4) Security, authentication etc. stuff.

Downside: unless you can get two controllers, you have a single point of 
failure: controller goes, and you no longer have a wireless network anywhere.

You have two subnet/vlan sizing issues; the subnet presented to the wireless 
users and the network on which the management interface on the APs sits. 
Neither should be too big; you want to keep broadcast traffic low on the radio 
side so that broadcasts don't end up eating up all your air time; you want to 
keep broadcast traffic low on the wired side because the APs (especially old 
ones) have some issues with broadcast loads. Because all user traffic is 
tunneled to the controller, it really doesn't matter what network an AP is on, 
though, from the wired side as long as it can talk to the controller.

Unless you have outdoor coverage from light poles and such or a campus with no 
wired backbone, I don't see much use for mesh.

I'd stay away from multiplying SSIDs. We're using a single SSID university-wide 
to lessen customer confusion and reduce help desk load.

Other factors: 1200-series and 1100-series APs can all be converted from 
autonomous to LWAPP - investment protection. Past that, if you're looking at 
having to fork-lift hardware (old vxWorks APs) Aruba is a pretty solid option 
too at very similar price.


--
Toivo Voll
Network Administrator
Information Technology Communications
University of South Florida




-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:wireless-...@listserv.educause.edu] On Behalf Of reflect ocean
Sent: Friday, May 15, 2009 1:52 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] WLAN Deployment-High number of users

Hi I run a medium-sized wifi network. We are cisco shop
(autonomous access points). Recently wifi users number have reached
limits we didn't expect. Because of that, we had to adjust our subnet
network in order to support more users associated to the only SSID our
wireless network use.

I've been looking for alternative to create another ssid and associate
it to another different subnet but I can't find any related to.

Our wireless lan is currently reaching 1000 users or so. I'm not very
comfortable with the idea of having such number of users in wireless subnet.
We have deployed around 60 cisco autonomous access points throughout
the campus and this subnet is firewalled and routed in our core switch
which is a hop away to accessing Internet. It's very simple design.
What would be a recommended deployment in this case with a growing
number of users?
Would deploying lwap bring any advantage to this design? We want to
keep a single ssid and mobility for wireless users.
Would mesh network bring any benefit?

Thank you



Re: [WIRELESS-LAN] WLAN Deployment-High number of users

2009-05-15 Thread Mike King
You don't mention if you're using 802.1x, but if you are, you can utilize
Vlan Override.
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a0080665ceb.shtml

which allows you to throw users into specific VLAN's based on RADIUS return
attributes.  All off the same SSID.

Mike

On Fri, May 15, 2009 at 2:39 PM, Jason Appah jason.ap...@oit.edu wrote:

 You could still get away with that with FAT AP's

 That is since they are autonomous, you could assign different vlans and
 in turn different ip scopes to the same ssid as they are all unawares of
 each other.

 -Original Message-
 From: The EDUCAUSE Wireless Issues Constituent Group Listserv
 [mailto:wireless-...@listserv.educause.edu] On Behalf Of Scott Irey
 Sent: Friday, May 15, 2009 11:27 AM
 To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
 Subject: Re: [WIRELESS-LAN] WLAN Deployment-High number of users

 Not sure if Cisco has anything like this but Aruba has vlan pooling which
 allows multiple vlans to be assigned to the same SSID and the algorithm will
 assign clients to each vlan based on that. That works well if you want to
 continue to broadcast the same ssid over all of campus. Not sure if Cisco
 does anything similar.

 We have multiple profiles here (per building) all using the same ssid but
 depending on what AP you associate to you will get assigned that profile
 which has the vlan assignment.

 Scott Irey
 Network  Telecom Systems Engineer
 Oakland University
 Office: 248.370.2808
 Mobile: 248.505.9827

 -Original Message-
 From: The EDUCAUSE Wireless Issues Constituent Group Listserv
 [mailto:wireless-...@listserv.educause.edu] On Behalf Of reflect ocean
 Sent: Friday, May 15, 2009 1:52 PM
 To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
 Subject: [WIRELESS-LAN] WLAN Deployment-High number of users

 Hi I run a medium-sized wifi network. We are cisco shop
 (autonomous access points). Recently wifi users number have reached
 limits we didn't expect. Because of that, we had to adjust our subnet
 network in order to support more users associated to the only SSID our
 wireless network use.

 I've been looking for alternative to create another ssid and associate
 it to another different subnet but I can't find any related to.

 Our wireless lan is currently reaching 1000 users or so. I'm not very
 comfortable with the idea of having such number of users in wireless
 subnet.
 We have deployed around 60 cisco autonomous access points throughout
 the campus and this subnet is firewalled and routed in our core switch
 which is a hop away to accessing Internet. It's very simple design.
 What would be a recommended deployment in this case with a growing
 number of users?
 Would deploying lwap bring any advantage to this design? We want to
 keep a single ssid and mobility for wireless users.
 Would mesh network bring any benefit?

 Thank you

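The VLAN Override idea from this thread (one SSID, VLAN chosen from RADIUS return attributes, with firewall-rule-style wildcard matching on the request), sketched as an added example; it is not code from any poster or from NPS, IDEngines or FreeRADIUS. Rule names, group names, controller names and VLAN IDs are constructed, the Called-Station-Id layout (AP MAC, colon, SSID) is the one described earlier in the thread, the returned attributes are the standard RFC 3580 tunnel attributes, and the request is assumed to have already passed 802.1X authentication.

```python
"""First-match VLAN policy over RADIUS request attributes (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Optional

# Called-Station-Id as sent by the controller: "AA-BB-CC-DD-EE-FF:SSID"
_CALLED_STATION_ID = re.compile(r"((?:[0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2}):(.+)")


@dataclass(frozen=True)
class Rule:
    name: str
    vlan: int
    ap_mac: str = "*"            # wildcard on the AP MAC part
    ssid: str = "*"              # wildcard on the SSID part
    nas_identifier: str = "*"    # wildcard on the controller name
    group: Optional[str] = None  # directory group the user must be in


def split_called_station_id(value: str) -> tuple[str, str]:
    """Return (upper-cased AP MAC, SSID); raise ValueError if malformed."""
    match = _CALLED_STATION_ID.fullmatch(value)
    if match is None:
        raise ValueError(f"unexpected Called-Station-Id: {value!r}")
    return match.group(1).upper(), match.group(2)


def decide(request: dict, groups: set[str], rules: list[Rule]) -> dict:
    """Evaluate rules top to bottom; the first match sets the VLAN.

    Anything malformed or unmatched is rejected rather than placed on a
    default VLAN, so a policy gap cannot land a device on the wrong segment.
    """
    try:
        ap_mac, ssid = split_called_station_id(request.get("Called-Station-Id", ""))
    except ValueError as exc:
        return {"code": "Access-Reject", "reason": str(exc)}
    nas_id = request.get("NAS-Identifier", "")
    for rule in rules:
        if (fnmatchcase(ap_mac, rule.ap_mac.upper())
                and fnmatchcase(ssid, rule.ssid)
                and fnmatchcase(nas_id, rule.nas_identifier)
                and (rule.group is None or rule.group in groups)):
            return {
                "code": "Access-Accept",
                "rule": rule.name,
                # RFC 3580 attributes that tell the AP/controller which VLAN to use
                "Tunnel-Type": "VLAN",
                "Tunnel-Medium-Type": "IEEE-802",
                "Tunnel-Private-Group-Id": str(rule.vlan),
            }
    return {"code": "Access-Reject", "reason": "no policy matched"}


# Constructed policy: most specific rules first, per-campus isolation before
# the general staff rules, all on one SSID.
RULES = [
    Rule("isolated-campus-a", 210, ssid="corp",
         nas_identifier="wlc-campus-a-*", group="isolated-devices"),
    Rule("isolated-campus-b", 310, ssid="corp",
         nas_identifier="wlc-campus-b-*", group="isolated-devices"),
    Rule("staff-building-7", 120, ap_mac="02-00-5E-10-*", ssid="corp",
         group="staff"),
    Rule("staff-default", 100, ssid="corp", group="staff"),
]

if __name__ == "__main__":
    # Constructed request, shaped like the attributes a controller sends.
    sample = {"Called-Station-Id": "02-00-5e-10-00-01:corp",
              "NAS-Identifier": "wlc-campus-a-1"}
    print(decide(sample, {"staff"}, RULES))
```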



RE: [WIRELESS-LAN] WLAN Deployment-High number of users

2009-05-15 Thread Jason Appah
The only thing about that is training your users to accept the limited
or no connectivity state when connecting to the assigned vlan...

 

From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:wireless-...@listserv.educause.edu] On Behalf Of Mike King
Sent: Friday, May 15, 2009 12:04 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WLAN Deployment-High number of users

 

You don't mention if you're using 802.1x, but if you are, you can utilize
Vlan Override.

http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a0080665ceb.shtml

which allows you to throw users into specific VLAN's based on RADIUS
return attributes.  All off the same SSID.

 

Mike

On Fri, May 15, 2009 at 2:39 PM, Jason Appah jason.ap...@oit.edu
wrote:

You could still get away with that with FAT AP's

That is since they are autonomous, you could assign different vlans and
in turn different ip scopes to the same ssid as they are all unawares of
each other.


-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv

[mailto:wireless-...@listserv.educause.edu] On Behalf Of Scott Irey
Sent: Friday, May 15, 2009 11:27 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU

Subject: Re: [WIRELESS-LAN] WLAN Deployment-High number of users

Not sure if Cisco has anything like this but Aruba has vlan pooling which
allows multiple vlans to be assigned to the same SSID and the algorithm will
assign clients to each vlan based on that. That works well if you want to
continue to broadcast the same ssid over all of campus. Not sure if Cisco
does anything similar.

We have multiple profiles here (per building) all using the same ssid but
depending on what AP you associate to you will get assigned that profile
which has the vlan assignment.

Scott Irey
Network  Telecom Systems Engineer
Oakland University
Office: 248.370.2808
Mobile: 248.505.9827

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:wireless-...@listserv.educause.edu] On Behalf Of reflect ocean
Sent: Friday, May 15, 2009 1:52 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] WLAN Deployment-High number of users

Hi I run a medium-sized wifi network. We are cisco shop
(autonomous access points). Recently wifi users number have reached
limits we didn't expect. Because of that, we had to adjust our subnet
network in order to support more users associated to the only SSID our
wireless network use.

I've been looking for alternative to create another ssid and associate
it to another different subnet but I can't find any related to.

Our wireless lan is currently reaching 1000 users or so. I'm not very
comfortable with the idea of having such number of users in wireless
subnet.
We have deployed around 60 cisco autonomous access points throughout
the campus and this subnet is firewalled and routed in our core switch
which is a hop away to accessing Internet. It's very simple design.
What would be a recommended deployment in this case with a growing
number of users?
Would deploying lwap bring any advantage to this design? We want to
keep a single ssid and mobility for wireless users.
Would mesh network bring any benefit?

Thank you




RE: [WIRELESS-LAN] WLAN Deployment-High number of users

2009-05-15 Thread Johnson, Bruce T
Is that a temporary condition until DHCP completes?

 

Bruce T. Johnson   |   Network Engineer

Partners Healthcare | Network Engineering | 617.726.9662 | Pager: 31633 |
bjohns...@partners.org



From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:wireless-...@listserv.educause.edu] On Behalf Of Jason Appah
Sent: Friday, May 15, 2009 3:43 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WLAN Deployment-High number of users

 

The only thing about that is training your users to accept the limited or no
connectivity state when connecting to the assigned vlan...

 

From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:wireless-...@listserv.educause.edu] On Behalf Of Mike King
Sent: Friday, May 15, 2009 12:04 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WLAN Deployment-High number of users

 

You don't mention if you're using 802.1x, but if you are, you can utilize Vlan
Override.

http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a0080665ceb.shtml

which allows you to throw users into specific VLAN's based on RADIUS return
attributes.  All off the same SSID.

 

Mike

On Fri, May 15, 2009 at 2:39 PM, Jason Appah jason.ap...@oit.edu wrote:

You could still get away with that with FAT AP's

That is since they are autonomous, you could assign different vlans and
in turn different ip scopes to the same ssid as they are all unawares of
each other.


-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv

[mailto:wireless-...@listserv.educause.edu] On Behalf Of Scott Irey
Sent: Friday, May 15, 2009 11:27 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU

Subject: Re: [WIRELESS-LAN] WLAN Deployment-High number of users

Not sure if Cisco has anything like this but Aruba has vlan pooling which
allows multiple vlans to be assigned to the same SSID and the algorithm will
assign clients to each vlan based on that. That works well if you want to
continue to broadcast the same ssid over all of campus. Not sure if Cisco
does anything similar.

We have multiple profiles here (per building) all using the same ssid but
depending on what AP you associate to you will get assigned that profile
which has the vlan assignment.

Scott Irey
Network  Telecom Systems Engineer
Oakland University
Office: 248.370.2808
Mobile: 248.505.9827

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:wireless-...@listserv.educause.edu] On Behalf Of reflect ocean
Sent: Friday, May 15, 2009 1:52 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] WLAN Deployment-High number of users

Hi I run a medium-sized wifi network. We are cisco shop
(autonomous access points). Recently wifi users number have reached
limits we didn't expect. Because of that, we had to adjust our subnet
network in order to support more users associated to the only SSID our
wireless network use.

I've been looking for alternative to create another ssid and associate
it to another different subnet but I can't find any related to.

Our wireless lan is currently reaching 1000 users or so. I'm not very
comfortable with the idea of having such number of users in wireless
subnet.
We have deployed around 60 cisco autonomous access points throughout
the campus and this subnet is firewalled and routed in our core switch
which is a hop away to accessing Internet. It's very simple design.
What would be a recommended deployment in this case with a growing
number of users?
Would deploying lwap bring any advantage to this design? We want to
keep a single ssid and mobility for wireless users.
Would mesh network bring any benefit?

Thank you




The information in this e-mail is intended only for the person to whom it is
addressed. If you believe this e-mail was sent to you in error and the e-mail
contains patient information, please contact the Partners Compliance HelpLine at
http://www.partners.org/complianceline . If the e-mail was sent to you in error
but does not contain patient information, please contact the sender and properly
dispose of the e-mail

RE: [WIRELESS-LAN] WLAN Deployment-High number of users

2009-05-15 Thread Jason Appah
Correct, but it generated a ton of support calls..

 

From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:wireless-...@listserv.educause.edu] On Behalf Of Johnson, Bruce
T
Sent: Friday, May 15, 2009 12:45 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WLAN Deployment-High number of users

 

Is that a temporary condition until DHCP completes?

 

Bruce T. Johnson   |   Network Engineer

Partners Healthcare | Network Engineering | 617.726.9662 | Pager: 31633
| bjohns...@partners.org



From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:wireless-...@listserv.educause.edu] On Behalf Of Jason Appah
Sent: Friday, May 15, 2009 3:43 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WLAN Deployment-High number of users

 

The only thing about that is training your users to accept the limited
or no connectivity state when connecting to the assigned vlan...

 

From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:wireless-...@listserv.educause.edu] On Behalf Of Mike King
Sent: Friday, May 15, 2009 12:04 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WLAN Deployment-High number of users

 

You don't mention if you're using 802.1x, but if you are, you can utilize
Vlan Override.

http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a0080665ceb.shtml

which allows you to throw users into specific VLANs based on RADIUS
return attributes.  All off the same SSID.

 

Mike

On Fri, May 15, 2009 at 2:39 PM, Jason Appah jason.ap...@oit.edu
wrote:

You could still get away with that with FAT APs

That is since they are autonomous, you could assign different vlans and
in turn different ip scopes to the same ssid as they are all unaware of
each other.


-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv

[mailto:wireless-...@listserv.educause.edu] On Behalf Of Scott Irey
Sent: Friday, May 15, 2009 11:27 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU

Subject: Re: [WIRELESS-LAN] WLAN Deployment-High number of users

Not sure if Cisco has anything like this but Aruba has vlan pooling which
allows multiple vlans to be assigned to the same SSID and the algorithm will
assign clients to each vlan based on that. That works well if you want to
continue to broadcast the same ssid over all of campus. Not sure if Cisco
does anything similar.

We have multiple profiles here (per building) all using the same ssid but
depending on what AP you associate to you will get assigned that profile
which has the vlan assignment.

Scott Irey
Network  Telecom Systems Engineer
Oakland University
Office: 248.370.2808
Mobile: 248.505.9827

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:wireless-...@listserv.educause.edu] On Behalf Of reflect ocean
Sent: Friday, May 15, 2009 1:52 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] WLAN Deployment-High number of users

Hi, I run a medium-sized wifi network. We are a Cisco shop
(autonomous access points). Recently the number of wifi users has reached
limits we didn't expect. Because of that, we had to adjust our subnet
network in order to support more users associated to the only SSID our
wireless network uses.

I've been looking for an alternative to create another ssid and associate
it to another different subnet but I can't find any related to.

Our wireless lan is currently reaching 1000 users or so. I'm not very
comfortable with the idea of having such a number of users in a wireless
subnet.
We have deployed around 60 Cisco autonomous access points throughout
the campus and this subnet is firewalled and routed in our core switch
which is a hop away from accessing the Internet. It's a very simple design.
What would be a recommended deployment in this case with a growing
number of users?
Would deploying lwap bring any advantage to this design? We want to
keep a single ssid and mobility for wireless users.
Would a mesh network bring any benefit?

Thank you


RE: [WIRELESS-LAN] WLAN Deployment-High number of users

2009-05-15 Thread Johnson, Bruce T
Yes I can imagine.  Thanks for the heads-up.  

 

How hard has it been to provision via RADIUS?  I am in favor of the reduced SSID
load over the air.  Are MAC addresses the only thing you can use to map
attributes to?  What about machine names?

 

Thanks for your feedback,

 

Bruce T. Johnson   |   Network Engineer

Partners Healthcare | Network Engineering | 617.726.9662 | Pager: 31633 |
bjohns...@partners.org



From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:wireless-...@listserv.educause.edu] On Behalf Of Jason Appah
Sent: Friday, May 15, 2009 4:10 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WLAN Deployment-High number of users

 

Correct, but it generated a ton of support calls..

 


RE: [WIRELESS-LAN] WLAN Deployment-High number of users

2009-05-15 Thread Jason Appah
It wasn't particularly difficult, and many attributes, from login name,
authenticator type, location, machine name, and snmp names, can be used
to differentiate and pass different vlans... just do your research on
what the Cisco is looking for when passing a vlan.

As an aside, the scenario we've seen both wired and wireless goes like
this:

We have a vlan ascribed to authentication/updates only, no internet,
nothing but a domain controller login conduit; then we have staff,
student, lab vlans, and so forth...

The clients perform machine authentication via 802.1x... the machines
are placed in the auth-only vlan... then the student, staff or user logs
in, and is placed in the proper vlan... the ip address is invalid and for
a few moments (10-15 seconds) they get limited or no connectivity until
Microsoft retries the dhcp requests...

Having one or two SSIDs is king, and when it works, it's magic!

 

 

From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:wireless-...@listserv.educause.edu] On Behalf Of Johnson, Bruce
T
Sent: Friday, May 15, 2009 1:25 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WLAN Deployment-High number of users

 

Yes I can imagine.  Thanks for the heads-up.  

 

How hard has it been to provision via RADIUS?  I am in favor of the
reduced SSID load over the air.  Are MAC addresses the only thing you
can use to map attributes to?  What about machine names?

 

Thanks for your feedback,

 

Bruce T. Johnson   |   Network Engineer

Partners Healthcare | Network Engineering | 617.726.9662 | Pager: 31633
| bjohns...@partners.org




Re: [WIRELESS-LAN] WLAN Deployment-High number of users

2009-05-15 Thread Dennis Xu
As WiSMs are doing broadcast suppression, I don't think a large subnet is an
issue:

http://www.cisco.com/en/US/docs/solutions/Enterprise/Mobility/emob41dg/ch2_Arch.html#wp1028269

We have been running /22 subnets on WiSMs for more than a year and we haven't
seen any issues with that. As we are reaching the limit for /22 subnets, we are
considering changing to /21 subnets this summer.

Dennis Xu
Network Analyst
Computing and Communication Services
University of Guelph
5198244120 x 56217

- Original Message -
From: Bruce T Johnson bjohns...@partners.org
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Sent: Friday, May 15, 2009 4:25:14 PM GMT -05:00 US/Canada Eastern
Subject: Re: [WIRELESS-LAN] WLAN Deployment-High number of users




Yes I can imagine. Thanks for the heads-up. 



How hard has it been to provision via RADIUS? I am in favor of the reduced SSID
load over the air. Are MAC addresses the only thing you can use to map
attributes to? What about machine names?



Thanks for your feedback, 






Bruce T. Johnson | Network Engineer 


Partners Healthcare | Network Engineering | 617.726.9662 | Pager: 31633 | 
bjohns...@partners.org 





Re: [WIRELESS-LAN] WLAN Deployment-High number of users

2009-05-15 Thread Mike King
This depends on your implementation.
If you don't do Auth vlans, and just do straight vlan switching (like the
article I linked) you can be placed on a VLAN based on many things.  We use
Group membership here.

No DHCP delay in that configuration.

On Fri, May 15, 2009 at 3:43 PM, Jason Appah jason.ap...@oit.edu wrote:

  The only thing about that is training your users to accept the limited or
 no connectivity state when connecting to the assigned vlan…





**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.
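
The single-SSID VLAN assignment discussed in this thread (machine authentication into an auth-only VLAN, then group membership deciding the user VLAN) can be sketched as a first-match policy that returns the RFC 3580 tunnel attributes. This is an added example, not code from any poster or vendor; the SSID `campus`, the group names, the VLAN IDs, the `AP-MAC:SSID` form of Called-Station-Id and the names `Request`, `Rule` and `decide` are assumptions.

```python
"""First-match RADIUS VLAN policy (added example, constructed data)."""
from dataclasses import dataclass
from typing import Callable, Optional

# RFC 3580 attribute values a NAS expects for dynamic VLAN assignment.
TUNNEL_TYPE_VLAN = 13          # Tunnel-Type = VLAN
TUNNEL_MEDIUM_IEEE_802 = 6     # Tunnel-Medium-Type = IEEE-802


@dataclass(frozen=True)
class Request:
    user_name: str                   # Windows machine auth sends "host/<fqdn>"
    called_station_id: str           # assumed form: "AP-MAC:SSID"
    groups: frozenset = frozenset()  # directory groups resolved by the server

    @property
    def ssid(self) -> str:
        # The AP MAC uses '-' separators, so the first ':' starts the SSID.
        return self.called_station_id.partition(":")[2]

    @property
    def is_machine(self) -> bool:
        return self.user_name.lower().startswith("host/")


@dataclass(frozen=True)
class Rule:
    name: str
    match: Callable[[Request], bool]
    vlan: Optional[int]              # None means Access-Reject


# Hypothetical policy: SSID, group names and VLAN IDs are assumptions.
RULES = [
    Rule("wrong-ssid", lambda r: r.ssid != "campus", None),
    Rule("machine-auth", lambda r: r.is_machine, 900),  # auth/updates only
    Rule("staff", lambda r: "staff" in r.groups, 110),
    Rule("students", lambda r: "students" in r.groups, 120),
    Rule("labs", lambda r: "labs" in r.groups, 130),
]


def decide(req: Request) -> dict:
    """Return the reply for the first matching rule; no match means reject."""
    for rule in RULES:
        if rule.match(req):
            break
    else:
        # Default deny: an unmatched user never lands on a production VLAN.
        return {"code": "Access-Reject", "rule": "default-deny"}
    if rule.vlan is None:
        return {"code": "Access-Reject", "rule": rule.name}
    if not 1 <= rule.vlan <= 4094:
        raise ValueError(f"rule {rule.name}: VLAN {rule.vlan} out of range")
    return {
        "code": "Access-Accept",
        "rule": rule.name,
        "Tunnel-Type": TUNNEL_TYPE_VLAN,
        "Tunnel-Medium-Type": TUNNEL_MEDIUM_IEEE_802,
        "Tunnel-Private-Group-ID": str(rule.vlan),
    }


if __name__ == "__main__":
    ap = "00-11-22-33-44-55:campus"  # constructed Called-Station-Id
    for req in (
        Request("host/lab-pc-07.example.edu", ap),
        Request("jdoe", ap, frozenset({"staff", "students"})),
        Request("guest1", ap),
        Request("jdoe", "00-11-22-33-44-55:other", frozenset({"staff"})),
    ):
        print(req.user_name, decide(req))
```

Rule order matters as it does in a firewall: a user in both `staff` and `students` gets the staff VLAN because that rule comes first, and anything unmatched is rejected rather than given a default VLAN.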