Solved

Multiple SSIDs with VLANs

Posted on 2012-03-26
33
3,040 Views
Last Modified: 2012-05-02
I have been tasked with coming up with a cost effective solution to create approximately 50 SSIDs, each on their own VLAN.  Each SSID/VLAN represents a separate tenant in building comprised mainly of of a bunch of single offices.  Each of the tenants in the building is a separate business, hence the need for the VLANs.

I've poked around on the internet for a few hours and didn't see anything terribly obvious.  I also was quoted a very expensive option from a Cicso reseller.

Does anyone have a suggestion or could possibly point me in the right direction?
0
Comment
Question by:SupermanTB
  • 13
  • 8
  • 4
  • +3
33 Comments
 
LVL 20

Expert Comment

by:Jakob Digranes
ID: 37765583
as long as you intend to put 50 SSIDs on the system - you would need properly equipment?

But more importantly is to know this:
- How many APs ?
- How many wireless users? (in total, and perhaps per SSID or AP). remember to include PCs, tablets and smart phones in the user count
- What services will run on the wireless?
- How should users authenticate? PSK? 802.1X?

Most APs/Controllers have support for at least 64 SSID, and VLANs ...
but the most important factor in wireless is having enough bandwidth and performance for all services for all users ...
0
 

Author Comment

by:SupermanTB
ID: 37765604
I would say approximatley 12 access points.  Normally 1 user per VLAN, but possibly 2 in some cases.  I am only concerned with providing access to the internet for standard stuff like email, web browsing, etc.  I have some flexibility on how the users authenticate, but my initial thoughts were PSK.

These users are doing very simple stuff.  In most cases, it will be just a single user and their laptop.  They'll be primarily browsing the internet, checking email and nothing more than that.  

I will be providing ample bandwidth to accomodate the needs of these users.

Thanks again for your help.
0
 
LVL 7

Expert Comment

by:peea
ID: 37765622
It seems DD-WRT may support separate WLANs with individual SSID but I am wondering if you have powerful enough hardware to support 50 SSIDs.

http://www.dd-wrt.com/wiki/index.php/Multiple_WLANs

However, using several DD-WRT capable wireless routers may allow you to built totally 50 wireless VLANs.
0
 
LVL 17

Expert Comment

by:Garry-G
ID: 37765806
Not sure if doing it that way is very efficient as for throughput ... have never had the need of adding so many SSIDs before though ...

Not sure if this would be a technically (or from other requirements) usable solution, but if not, maybe you can go into details a bit more if not:
How about putting in decent APs that allows for user isolation, with controller in the back. That way, you won't really need separate VLANs, as even on the same SSIDs, users will not be able to reach each other directly. As long as all you need is routing towards the Internet, why go through all the trouble with the VLANs? Alternatively, you could even put in a Hotspot solution (like e.g. CoovaChilli) as a backend, allowing the tenants to connect, with documentation in case you need documentation which tenant did anything illegal ...
0
 

Author Comment

by:SupermanTB
ID: 37765904
The VLAN was just my intuitive solution.  I definitely don't have to do that.  I only need to separate the users and give them access to the internet.  Do you have any particular equipment in mind that would handle the solution you mention regarding the APs/user isolation with a controller in the back?
0
 
LVL 17

Expert Comment

by:Garry-G
ID: 37765960
One possible solution would be based on Cisco Aironet APs and a controller ... with 12 APs, you could go with the smallest WLAN-Controller, I'd have to look up how many APs their license supports out of the box ...

Also, depending on the switch used you could also use a controller-less solution if your Switch supports isolation ... that way, you could get bye with just handing out IPs from some central DHCP server (could be a firewall, too) and route everything towards the internet ...

Do your users need/want fixed routeable IPs? If so, what do you plan to do as far as security goes? Will they take care of themselves, or would they want some Firewall/IDS in front?
0
 

Author Comment

by:SupermanTB
ID: 37766036
OK, so for the AP/Controller solution, I can't say that I'm extremely familiar with the concept of a WLAN-Controller.  It appears it is a box that controls all the settings, etc for the APs?  I wouldn't think that WLAN-Controller would handle the DHCP, firewall, internet settings, etc, so I would need a separate device for that?  I typically use SonicWall appliances, so would I plug the internet into that and the SonicWall would feed into the WLAN-Controller which would then manage all the APs?  Just trying to make sure I understand the infrastructure behind this option.

Regarding the network switch with isolation, this solution sounds simpler, which I like, but I'm not sure I understand the isolation part.  I get that I could use a switch to separate each AP into a separate VLAN, but I don't see how I could do more than that.  If you could enlighten me, I would appreciate it.  

My users do not need fixed routeable IPs.
0
 
LVL 17

Expert Comment

by:Garry-G
ID: 37766067
Controller-based solutions (at least for Cisco) means that you have a central point which controls all the WLAN APs, takes care of all associations/authentication, but also handles all the traffic ... each "lightweight" AP transports all of its traffic to the controller via a tunnel, which then takes care of the rest ...

The isolation is like the "UNI"-ports on metro switches from Cisco - anything coming in on one of those ports will only be allowed to be transported to non-isolated ports, but never to any other isolated port (not sure I'm using the exact terminology though ;) ). The access points (at least Cisco) can be configured to do the same thing, with multiple physical or vlan ports that can be configured to this "isolated" state ... then, the uplink would not be isolated, but would on the switch side ...
0
 
LVL 20

Accepted Solution

by:
Jakob Digranes earned 500 total points
ID: 37767529
looks like there's been a lot of action here since I left work :-)

As Garry says - with 12 APs - nothing but controllerbased network should be considered. When configuring APs, SSIDs, VLANs, Security and monitoring APs and SSIDs it's all done once - for all APs. Otherwise - you need to do the same steps 12 times for all 12 APs.

WHen it comes to security: Do they really need to be on separate networks? Without VLANs you are susceptible to layer 2 attacks - so client isolation isn't 100% - but a good way to start.

I'd recommend Aruan MBC 650 controller - with AP-105 access point - and configure this with both PSK and Captive Portal (a web based login for all users) with different usernames and password, and different roles. You could also put users in different VLANs based on usernames and passwords as well --- much smoother than 50 SSIDs

But generally - Do they really need separation among users?+
0
 

Author Comment

by:SupermanTB
ID: 37767790
Thanks for all the comments everyone.  

Jakob, your solution sounds the smoothest.  I'm guessing you meant Aruba MBC 650 instead of Aruan?  

The users definitely need to be separated as they are completely different businesses.  This separation was at the top of the list in terms of requirements of this solution.  Can the Aruba equipment you describe handle the 50 VLAN?  Also, you mention that I can separate according to username/pwd as opposed to SSID.  I like that solution much better.  Can you tell me how that would work?
0
 
LVL 45

Expert Comment

by:Craig Beck
ID: 37772339
You can do this using Cisco IOS APs (so no controller) and RADIUS using one SSID if you really want to.  This makes configuration exactly the same on the APs, and you can use something like Microsoft's Active Directory and NPS/IAS to control network access and assign the VLAN ID per customer.
0
 
LVL 17

Expert Comment

by:Garry-G
ID: 37772354
Or run something like CoovaChilli Hotspot-Software, which would allow you (or the tenants) to dynamically add guest accounts that are e.g. valid for the day or an hour or something ...
0
 
LVL 20

Expert Comment

by:Jakob Digranes
ID: 37780450
sorry --- I've been away for some days.
The Aruba equipment could support this yes. As CraigBeck says you can use AD with NPS/IAS to handle VLANs dependent on group membership, or use Aruba Controller and create different user accounts for different users. With Aruba you can create a Captive Portal (Web Page) for login and create different users and which VLAN they should belong to (See attached image ...

UserRoles and VLAN
0
 

Author Comment

by:SupermanTB
ID: 37804227
Hey everyone.  Sorry for the delay.  I've never used NPS to control network access and assign VLANs like you're suggesting.  Is that simple to setup?  It also brings an additional expense, as I would have to integrate a server into the network.  

I'm leaning towards the controller model.  I see Jakob speaking about a Captive Portal  (Web Page) for user login.  Would the users have to login say each morning?  While this type of thing might work great for guest access, it will likely get annoying for the tenants.

Garry-G....with the architecture look like with the CoovaChilli solution.  Will I still need a wireless controller?  Do I need a separate device to run the CoovaChilli software?

Thanks everyone!
0
 
LVL 10

Expert Comment

by:ampranti
ID: 37805040
If you go with Cisco, you can avoid lot of configuration:

12 APs , managed centrally by two controllers (for redundancy) + ISE controller
You will have only one SSID. When client associate will get get permission and vlan according to domain permissions
Also, you will have guest functionality.

Cisco ISE appliance (runs also in VM) here:
http://www.cisco.com/en/US/products/ps11640/index.html

If you dont want ISE, you can get the 12 AP plus the controller. You will avoid configuring AP one by one, and when you make changes you will apply automatically to all (avoiding mistakes and forgotten AP).
0
 
LVL 20

Expert Comment

by:Jakob Digranes
ID: 37823204
Aruba is equally easy to configure --
If you use Captive Portal they would need to log in every day.

But you can also create users in the integrated user database, assign different roles and VLANs to each user, and set Wireless Settings on clients to connect using EAP-MsChap V2 and user authentication
(EAP-MsChap V2 uses usernames and passwords)
Then you'd avoid the entire NPS as well - and it is integrated into the Aruba Controller - requiring only the PEFNG firewall license
0
How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

 

Author Comment

by:SupermanTB
ID: 37824451
I would like to keep things as simple as possible for both me and the users.  Jackob, your solutions appears the most simple.  With the EAP-MsChap suggestion you mention w/ having the user info stored in a database, would that prevent the requirement to sign on everyday?
0
 
LVL 10

Expert Comment

by:ampranti
ID: 37824477
I dont think that is a very secure solution.... Prefer WPA2-Enterprise with a certificate.

If you want guest access, you can use mikrotik hostspot functionality
www.mikrotik.com
0
 

Author Comment

by:SupermanTB
ID: 37824494
So the users will have to have a certificate installed on their computer in order to access the network?
0
 
LVL 10

Expert Comment

by:ampranti
ID: 37824538
When new users want to access wireless network, will visit IT to get a ceritificate.
This way you manage which devices will connect to network (for example you may allow only laptops and not any device that support eap-mschap authenticaiton!)

You can also auto distribute it through your Active Directory.

You can have a different ssid/vlan with limited access for users with mobile device. Maybe you dont want users to carry data sensitive (and expensive) data with their portable device.
0
 
LVL 20

Expert Comment

by:Jakob Digranes
ID: 37825224
Of course EAP-MsChap V2 is secure --- 10times more secure than PSKs are.
But of course not as secure as deploying machine AND user authentication based on certificates. But providing you wanted to keep this simple, then EAP-MsChap using usernames and password is the easiest way to deploy this.
With EAP-MsChap V2 (still deploying WPA2-Enterprise) all users have different, unique, randomly generated and time limited encryption keys - So there is no way any equipment these days that can crack the encryption.

Yes - users will log in to the wireless automatically, once client authentication is set up.

If you - however - need to deploy certiicate based authentication, you need to deploy the following server roles, preferably on at least 2 servers:
- AD CS
- Network Policy Server (co-located with AD CS role)
- Certificate server

Then you need to deploy a RAS/IAS certificate to NPS server and create, and enroll for user certificates (or machine certificates if you want to give access to only users that have machine AND user certificates) for all users you want to give access to. And then export and install all client (user or machine certificates) to all computers you want to give access to - and also install your AD root certificate to users computers - so they can trust your NPS .. sounds like work you do npt want for computers not joined to your AD....
All of this is easy peasy lemon squeezy if all users and computers are domain joined. A lot of hassle if they're not ... It's not just enrolling certs - it's maintaining them as well ...
0
 

Author Comment

by:SupermanTB
ID: 37827961
It looks like I've got two options here

1.  Ampranti:  using digital certificates.  This presents the problems Jakob mentioned in his last post.  These computers will definitely not be joined to the same domain, which presents problems.  

2.  Jakob:  simple, but this solution will require the users to login each morning to the internet connection.  

I'm OK with the security level of the PSK vs. the digital certificate.  I understand the difference between the two and for this situation, the PSK will be just fine.  

Jakob, is there a way to utilize your solution without having to have the users login each day?
0
 
LVL 10

Expert Comment

by:ampranti
ID: 37828189
PCs may join the same domain if you want... Depends on what you want to do & how you want to separate access
0
 

Author Comment

by:SupermanTB
ID: 37828236
I definitely do not want these PCs joining the domain.  They are completely separate businesses and tenants.
0
 
LVL 20

Expert Comment

by:Jakob Digranes
ID: 37828274
EAP-MsChap V2 is not based on PSK - it's based on usernames and passwords from some kind of database, in my suggestion - the database in Aruba Controller.
With EAP-MsChap V2 users do not need to login in everyday - but you need to configure wireless setings on clients to use Eap-MsChap as authentication - but remove the check mark on "Use Windows Login Credentials" - that way users will enter username and password the first time they connect to the network. The next times it will remenber uid/pwd

Some tips on configuring clients here: http://www.jmu.edu/computing/desktop/wireless/wm_library/OfficialWireless-Windows7.pdf
0
 

Author Comment

by:SupermanTB
ID: 37828363
Very nice.  I will be calling the folks at Aruba today to investigate pricing.
0
 
LVL 45

Expert Comment

by:Craig Beck
ID: 37829561
There should be a timeout associated with EAP-MSChapV2, so the login will be required each time the client tries to authenticate to the AP.  This means the client will need to enter their username/password every time the laptop is turned on.  If you use MS Active Directory usernames you can and generally should use the Windows Login Credentials so that the login box doesn't pop-up unnecessarily.
0
 

Author Comment

by:SupermanTB
ID: 37834998
MS Active Directory is just not an option b/c the computers will not be joining a domain.  

Jakob, is this true regarding the timeout/login for EAP-MSChapV2?
0
 
LVL 20

Expert Comment

by:Jakob Digranes
ID: 37835013
I'm using MsChap for some customers without needing to login more than once - the first time
0
 

Author Comment

by:SupermanTB
ID: 37835026
Interesting.  I should be getting a call back from the engineers at Aruba next week.  I'll be sure to bring this up with them.
0
 
LVL 45

Expert Comment

by:Craig Beck
ID: 37835090
I was going to say....

The computers don't have to be on a domain to use AD... at the end of the day it is just a directory of users.

It all depends on how you ultimately decide you want the business users to authenticate.  There are lots of ways, but you need to decide how each business will connect to the WLAN.

In all honesty the way I would do it would be totally dependant on cost.  If you plan to give each business their own wireless bridge the solution could be pretty simple.  The problem comes when you want to secure each connection by username/password on an ad-hoc basis (per client device).

If you use a Cisco solution you can do this a couple of ways:
One way is to use Mesh APs and assign a VLAN ID per bridge.  This is slightly complicated to implement but would work for as many clients devices per business as you want.
The other way would be to use standard access points and configure each business AP as a workgroup-bridge.  This limits your client devices per business to 255, but I doubt that'd be a problem.

Alternatively, if cost is an issue and you can't afford to provide a bridge per business you could use PEAP.
A 3rd Party certificate can be installed on a RADIUS server and linked to MS AD.  On the AD you create a username/password for each business and configure the AP to authenticate against the RADIUS.  The RADIUS will tell the AP which VLAN to put the client on based on its login.

Most of the WLAN kit aimed at the Enterprise will be able to do this stuff, so vendor isn't really important.  I know 1000% Cisco kit will do this as I've done it before for a major sporting event in the UK, amongst other projects.

...but at this point...

Jakob, is this true regarding the timeout/login for EAP-MSChapV2?

...I think I'll leave you in Jakob's capable hands!
0
 

Author Comment

by:SupermanTB
ID: 37921537
I must have mistakenly closed this question with no points being awarded.  Not sure how I did that. I don't see how I can prevent it from being closed.  I apologize.  The help was great.
0
 
LVL 20

Expert Comment

by:Jakob Digranes
ID: 37921549
looks like it all worked out :-)
0

Featured Post

Free Trending Threat Insights Every Day

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

Join & Write a Comment

Suggested Solutions

In the world of WAN, QoS is a pretty important topic for most, if not all, networks. Some WAN technologies have QoS mechanisms built in, but others, such as some L2 WAN's, don't have QoS control in the provider cloud.
Shadow IT is coming out of the shadows as more businesses are choosing cloud-based applications. It is now a multi-cloud world for most organizations. Simultaneously, most businesses have yet to consolidate with one cloud provider or define an offic…
This Micro Tutorial will show you how to maximize your wireless card to its maximum capability. This will be demonstrated using Intel(R) Centrino(R) Wireless-N 2230 wireless card on Windows 8 operating system.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

744 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now