Thanks Mike and Lee,

 

If I could somehow leverage the NASID and SSID as a name-couplet, this would
provide the differentiation I need while making provisioning relatively simple
(I don't want to have to resort to MAC addresses).  The packet data pretty much
reflects what I see in the RADIUS logs on the Cisco ACS.  It's in the creating
of the policy where the wireless rubber meets the road.   

 

Much appreciated guys,

 

--Bruce Johnson

 

________________________________

From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:wireless-...@listserv.educause.edu] On Behalf Of Lee H Badman
Sent: Friday, May 22, 2009 8:26 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WLAN Deployment-High number of users

 

It may be stating the obvious, but if you use AD, you can leverage attributes
there to allow/restrict a range of network/WLAN functions...

 

Lee 

________________________________

From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:wireless-...@listserv.educause.edu] On Behalf Of Mike King
Sent: Friday, May 22, 2009 7:53 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WLAN Deployment-High number of users

 

It all depends on:

1.  Your Wireless AP / Wireless Controller Implementation

2.  Your Radius Server's ability to use policies.

 

Each Radius server returns different information in a RADIUS packet.  The Cisco
Controllers return the attributes of:

  CalledStationID 00-00-00-00-00-00:SSID    (Where 00-00-00-00-00-00 is the AP's MAC, and SSID is the SSID they are connecting to)

  CallingStationID 00-00-00-00-00-00  (Where 00-00-00-00-00-00 is the MAC of the laptop)

  NASIPv4Address 0.0.0.0  (Where 0.0.0.0 is the IP of the Wireless LAN Controller)

  NASIPv6Address -

  NASIdentifier Controller-Name    (Where Controller-Name is the name of the controller as configured in the WebGUI)

  NASPortType Wireless - IEEE 802.11

  NASPort 29   (The port number, I think with LAG ports, it's always 29)

 

The second part of the question, is can your Radius Server deal with this
information.

I know IDEngines has the concept of policies.  I know NPS (IAS for server 2008)
also has policies, and I know FreeRADIUS can pull off some cool matching
features.

 

NPS and IDEngines allow you to create policies that match like firewall rules,
and apply based on policy matches.  I'm unsure if IAS on 2003 can do this.  I'm
not sure Steel Belted Radius has this functionality.  It didn't when I looked at
it 4 years ago, but that is a very long time ago in a product lifecycle for a
currently shipping product.

 

Mike
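Mike's attribute list above and Bruce's NAS-Identifier/SSID couplet idea at the top of the thread are the raw material for a RADIUS policy; the Python below is added here as an illustration (not anything posted to the list, and not code from any of the products mentioned) of a first-match policy over (NAS-Identifier, SSID, directory group) that returns the RFC 2868 tunnel attributes for dynamic VLAN assignment. Controller names, addresses, users and the `nas_clients` / `directory` lookups are constructed placeholders; the check that the asserted NAS-Identifier agrees with the RADIUS client registered for the source address is there because the controller can send any string in that attribute.

```python
import re
from dataclasses import dataclass

# RFC 2868 tunnel attribute values used for dynamic VLAN assignment.
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE802 = 6
# Cisco WLC Called-Station-Id format: "AP-MAC:SSID" (MAC as aa-bb-cc-dd-ee-ff).
CALLED_STATION = re.compile(r"^([0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5}):(.+)$")

@dataclass
class Rule:
    nas_id: str   # NAS-Identifier (controller name); "*" = any controller
    ssid: str     # SSID taken from Called-Station-Id; "*" = any SSID
    group: str    # directory group of the authenticated identity; "*" = any
    vlan: int     # locally significant VLAN on that controller

def parse_called_station(value):
    """Split 'AP-MAC:SSID' into (mac, ssid); (None, None) if malformed."""
    m = CALLED_STATION.match(value or "")
    return (m.group(1).upper(), m.group(2)) if m else (None, None)

def evaluate(request, rules, nas_clients, directory):
    """First-match policy over (NAS-Identifier, SSID, group), like firewall rules.
    nas_clients: registered NAS-IP-Address -> NAS-Identifier that client should send.
    directory: User-Name -> group (a stand-in for an AD/LDAP lookup)."""
    nas_id = request.get("NAS-Identifier", "")
    # NAS-Identifier is a string the NAS asserts about itself; accept it only
    # when it agrees with the client entry registered for the source address.
    if nas_clients.get(request.get("NAS-IP-Address")) != nas_id:
        return {"code": "Access-Reject", "reason": "NAS-Identifier mismatch"}
    _, ssid = parse_called_station(request.get("Called-Station-Id"))
    group = directory.get(request.get("User-Name", ""), "")
    for r in rules:
        if all(w in ("*", h) for w, h in ((r.nas_id, nas_id), (r.ssid, ssid), (r.group, group))):
            return {"code": "Access-Accept", "Tunnel-Type": TUNNEL_TYPE_VLAN,
                    "Tunnel-Medium-Type": TUNNEL_MEDIUM_IEEE802,
                    "Tunnel-Private-Group-ID": str(r.vlan)}
    return {"code": "Access-Reject", "reason": "no policy matched"}  # default deny

# Constructed sample data: placeholder controller names, addresses and users.
RULES = [
    Rule("*", "Corp-TLS", "machine", 50),           # machine auth -> auth/updates-only VLAN
    Rule("WLC-CampusA", "Corp-TLS", "staff", 110),  # same SSID, campus-local staff VLAN
    Rule("WLC-CampusB", "Corp-TLS", "staff", 210),
]
NAS_CLIENTS = {"10.0.0.1": "WLC-CampusA", "10.0.1.1": "WLC-CampusB"}
DIRECTORY = {"alice": "staff", "host/lab-pc01": "machine"}

def sample_request(nas_ip, nas_id, user, ssid="Corp-TLS"):
    # Constructed Access-Request carrying the attributes a Cisco WLC sends.
    return {"NAS-IP-Address": nas_ip, "NAS-Identifier": nas_id, "User-Name": user,
            "Called-Station-Id": "00-11-22-33-44-55:" + ssid, "NAS-Port-Type": "Wireless-802.11"}
```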

 

  

 

On Thu, May 21, 2009 at 8:06 PM, Johnson, Bruce T <bjohns...@partners.org>
wrote:

Jason et al,

 

Following up on the earlier the two-SSID Nirvana (open and EAP-TLS) dialogue.

 

We have a multi-controller/multi-campus environment.  I'd love to have a single
EAP-TLS SSID handle all devices/applications, several with unique walled-garden
isolation requirements that would otherwise require their own SSID.  How
difficult is this to manage when you have to differentiate by controllers and
campus-specific subnets?  

 

Can you combine attributes like NAS (controller) IP and device credentials to
serve up locally-significant VLANs?  

 

Overall, has moving the administrative burden to RADIUS been a net gain in terms
of RF cleanliness and client simplicity?

 

Regards all,

 

--Bruce Johnson

 

________________________________

From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:wireless-...@listserv.educause.edu] On Behalf Of Jason Appah


Sent: Friday, May 15, 2009 4:43 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WLAN Deployment-High number of users

 

It wasn't particularly difficult and many attributes from login name,
authenticator type, location, machine name, and SNMP names can be used to
differentiate and pass different VLANs... just do your research on what the
Cisco is looking for when passing a VLAN..

 

As an aside, the scenario we've seen both wired and wireless goes like this:

 

We have a VLAN ascribed to authentication/updates only, no internet, nothing but
a domain controller login conduit; then we have staff, student, lab VLANs, and
so forth...

The clients perform machine authentication via 802.1x... the machines are placed
in the auth-only VLAN.. then the student, staff or user logs in, and is placed in
the proper VLAN.. the IP address is invalid and for a few moments (10-15 seconds)
they get "limited or no connectivity" until Microsoft retries the DHCP
requests...

 

 

Having one or two SSIDs is king, and when it works, it's magic!

 

 

From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:wireless-...@listserv.educause.edu] On Behalf Of Johnson, Bruce T
Sent: Friday, May 15, 2009 1:25 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WLAN Deployment-High number of users

 

Yes I can imagine.  Thanks for the heads-up.  

 

How hard has it been to provision via RADIUS?  I am in favor of the reduced SSID
load over the air.  Are MAC addresses the only thing you can use to map
attributes to?  What about machine names?

 

Thanks for your feedback,

 

Bruce T. Johnson   |   Network Engineer

Partners Healthcare | Network Engineering | 617.726.9662 | Pager: 31633 |
bjohns...@partners.org

________________________________

From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:wireless-...@listserv.educause.edu] On Behalf Of Jason Appah
Sent: Friday, May 15, 2009 4:10 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WLAN Deployment-High number of users

 

Correct, but it generated a ton of support calls..

 

From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:wireless-...@listserv.educause.edu] On Behalf Of Johnson, Bruce T
Sent: Friday, May 15, 2009 12:45 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WLAN Deployment-High number of users

 

Is that a temporary condition until DHCP completes?

 

Bruce T. Johnson   |   Network Engineer

Partners Healthcare | Network Engineering | 617.726.9662 | Pager: 31633 |
bjohns...@partners.org

________________________________

From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:wireless-...@listserv.educause.edu] On Behalf Of Jason Appah
Sent: Friday, May 15, 2009 3:43 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WLAN Deployment-High number of users

 

The only thing about that is training your users to accept the limited or no
connectivity state when connecting to the assigned vlan...

 

From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:wireless-...@listserv.educause.edu] On Behalf Of Mike King
Sent: Friday, May 15, 2009 12:04 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WLAN Deployment-High number of users

 

You don't mention if you're using 802.1x, but if you are, you can utilize "VLAN
Override".

 

http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a0080665ceb.shtml

 

which allows you to throw users into specific VLANs based on RADIUS return
attributes.  All off the same SSID.

 

Mike

On Fri, May 15, 2009 at 2:39 PM, Jason Appah <jason.ap...@oit.edu> wrote:

You could still get away with that with FAT APs.

That is, since they are autonomous, you could assign different VLANs and
in turn different IP scopes to the same SSID as they are all unaware of
each other.


-----Original Message-----
From: The EDUCAUSE Wireless Issues Constituent Group Listserv

[mailto:wireless-...@listserv.educause.edu] On Behalf Of Scott Irey
Sent: Friday, May 15, 2009 11:27 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU

Subject: Re: [WIRELESS-LAN] WLAN Deployment-High number of users

Not sure if Cisco has anything like this but Aruba has VLAN pooling which
allows multiple VLANs to be assigned to the same SSID and the algorithm will
assign clients to each VLAN based on that. That works well if you want to
continue to broadcast the same SSID over all of campus. Not sure if Cisco
does anything similar.

We have multiple profiles here (per building) all using the same SSID but
depending on what AP you associate to you will get assigned that profile
which has the VLAN assignment.

Scott Irey
Network & Telecom Systems Engineer
Oakland University
Office: 248.370.2808
Mobile: 248.505.9827

-----Original Message-----
From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:wireless-...@listserv.educause.edu] On Behalf Of reflect ocean
Sent: Friday, May 15, 2009 1:52 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] WLAN Deployment-High number of users

Hi, I run a medium-sized wifi network. We are a Cisco shop
(autonomous access points). Recently the number of wifi users has reached
limits we didn't expect. Because of that, we had to adjust our subnet
network in order to support more users associated to the only SSID our
wireless network uses.

I've been looking for an alternative, creating another SSID and associating
it to another, different subnet, but I can't find anything related to it.

Our wireless LAN is currently reaching 1000 users or so. I'm not very
comfortable with the idea of having such a number of users in one wireless
subnet.
We have deployed around 60 Cisco autonomous access points throughout
the campus and this subnet is firewalled and routed in our core switch
which is a hop away from accessing the Internet. It's a very simple design.
What would be a recommended deployment in this case with a growing
number of users?
Would deploying LWAP bring any advantage to this design? We want to
keep a single SSID and mobility for wireless users.
Would a mesh network bring any benefit?

Thank you

**********
Participation and subscription information for this EDUCAUSE Constituent
Group discussion list can be found at http://www.educause.edu/groups/.
