Solved

Getting MSM765zl in HP5412zl working for a guest SSID, secure guest SSID, and secure SSID

Posted on 2012-04-10
Last Modified: 2012-06-27
GOAL:  To create (3) SSIDs as follows-
1) a guest VSC that will strictly give it access to the internet out of our default gateway (on a separate subnet preferably),
2) a secure guest VSC for employee's smartphones & non-AD based devices that will give them access to internal services and internet, but not require AD authentication (on a separate subnet preferably), and
3) a secure VSC that will allow devices that can authenticate to AD to have all the same functionality as wired devices (along with connecting on the same subnet as the wired devices)

Our configuration consists of
-a HP5412zl switch (10.10.2.50) w/a MSM765zl module (10.10.2.9) installed in Slot J (attached to the switch are 2 MSM460s and 1 MSM317).  This switch is the core switch for our main user subnet (10.10.2.0/24)  DEFAULT GATEWAY 10.10.2.1  Routing is enabled
-The MSM765zl is setup and operational, albeit with one subnet connecting through the LAN port and the INTERNET port set for just VLAN, i.e. not in use.  
-(4) subnets managed by a Cisco ASA5550.  
----One port is the main user subnet that houses all Windows servers, workstations, and user devices (10.10.2.0/24)
----One port hosts our management interface (10.10.5.0/24)
----One port hosts our voice services (10.10.20.0/24)
----One port connects to our DS3 internet connection
----The VPN virtual subnet on the ASA is (10.10.10.0/24)
-Currently, there are no VLAN configurations in place
-There is one 2008 R2 AD forest controlled by (2) virtual servers connected to the 10.10.2.0 subnet through the HP5412zl switch.
-Primary DNS and DHCP are hosted on one of the DCs - 10.10.2.42

We are looking for a configuration that can work within this configuration, using the DHCP server on 10.10.2.42 (and the MSM765 DHCP server for the guest, if needed).  

We tried using both ports on the MSM765 to enable the multiple subnets with no success.  Trying to get the additional subnet to route properly, and to hand out its subnet's addresses (from a separate scope setup on the AD DHCP Server) also ended with no success.   Scouring through the HP examples have only got us throwing our hands up higher.  

Our current MSM & 5412 configs are attached.

Any assistance is appreciated.
MSM765Cfg.txt
HP5412zlCfg.txt
Question by:mrsimonsez

Expert Comment

by:Don S.
ID: 37830246
You should probably be using only the internet port.  Trying to use both ports will make for confusion, and using the LAN port only will not allow you to use the guest services web page to allow guests to access their SSID.  You will need to set up the non-authenticating internal users with WPA-PSK and enter the key into each device.  The internal users can be set up to use certificates and a RADIUS server to authenticate back to the MSM.  You will set the egress VLAN on both the authenticated and non-authenticated VSCs to be your internal LAN VLAN.  Other than authentication, traffic will flow directly from the access points to the VLAN.  As for guest access, that will flow through the MSM for both authentication and traffic.  You do this by checking the "always use client tunnel" box in the guest VSC.  Work on getting the authenticated and non-authenticated VSCs working correctly first.  Then work on the guest VSC.

Author Comment

by:mrsimonsez
ID: 37834183
Thank you Dons6718.  We did attempt the Internet Port first, simulating it as a standalone wireless router.  However, that did not work, preventing any devices from getting beyond the controller.   And, the DHCP from the AD controller did not hand out from the correct scope of the different subnet.  

We have 2 challenges with this route -
1) These ports are essentially virtual, as this is a module within the 5412zl switch.
2) The goal of setting up a separate subnet in an environment that mimics a standalone wireless router does not take into account that there is an internal hop (10.10.2.0) that guest access users should not have access to.  These users, however, would share the same default gateway of 192.168.2.1 (I guess we could try to attach multiple IP addresses to that A1 port on the HP switch that connects to the internet gateway on the ASA router).

P.S. I did fail to mention that we do have a Palo Alto 2020 Content monitor in-line between the A1 port on the HP5412zl switch and the ASA5550 firewall router.

Thanks again.

Expert Comment

by:RikeR
ID: 37841299

Expert Comment

by:Don S.
ID: 37846430
You don't really use the MSM as a router. You just use it to decide which VLAN to send the traffic to.  That means you should have a guest wired VLAN set up already that has all the needed DHCP, DNS, and routing.  Test the wired version first and get it working right, then set up the MSM to authenticate your guests and push them on to your wired guest VLAN.  I've found routing and DHCP services in the MSM to be a real pain.

Author Comment

by:mrsimonsez
ID: 37906611
Apologies for not getting back sooner, as I do appreciate your responses.   So, to confirm, your recommendation is to configure a guest wired VLAN on the HP 5412zl, that will point its DHCP requests to the AD server, asking for the VLAN specific subnet?   Then, on the guest wireless VSC, we would configure its egress to this VLAN instead of normal?

This would mean that we leave the Internet port on the MSM765 as none/use for VLAN,  and for the VSC, we tell it to use the DHCP relay service?

At the same time, I gather that we would leave routing on the HP5412zl enabled, set up the guest VLAN with an IP address assigned to it for that VLAN's subnet, and set the default gateway to point to our edge device.  Would that default gateway for that VLAN be the 10.10.2.1, or would I need to assign an additional IP address to one of the ports on the 5412 to act as the exit point for the guest VLAN?

Thanks again.

Expert Comment

by:Don S.
ID: 37907950
Actually, you wouldn't want to route anything in the switch or MSM; you'd leave the routing to your edge router.  Your edge router would need to know about both your internal VLAN and the guest VLAN.  You could serve DHCP either from the wired guest VLAN or the MSM.  Setting up DHCP on the MSM without having it serve DHCP to all VLANs is a bit tricky, which is why I decided not to do it that way.

Author Comment

by:mrsimonsez
ID: 37909260
So, you have NO ROUTING set on your HP5412zl?

Do you have an example of how you setup the VLAN configuration perchance?

Thanks again.

Expert Comment

by:Don S.
ID: 37910640
I look at VLANs as the way to segregate traffic and routers as the way to direct traffic.  Usually the reason to segregate traffic is for security or class of service reasons, so doing unilateral routing pretty much defeats my primary purposes for VLANs in the first place.  I find that true routers are easier to configure to achieve my purposes of only allowing certain traffic between VLANs.  The guest network is the perfect example of not allowing any traffic on to your internal LAN(s) and only allowing it access out to the Internet.  You could use the MSM to do routing or the switch with ACLs configured if you would like; I just find it easier to concentrate the routing on either a main router or the edge router (assuming the edge router/firewall can handle multiple VLANs).

Are you asking about setting the Vlans on the switch?

Author Comment

by:mrsimonsez
ID: 37912454
That makes great sense, and your logic of pushing the actual routing processes to the edge sounds right up my alley!   So, yes, would you perchance have a sample of the config to handle the VLAN configuration on the HP Switch & the MSM module?

Thanks again.  I think the light is turning on now.

Accepted Solution

by:Don S. (earned 500 total points)
ID: 37913011
Pretty simple really.  You just define the VLANs in the switch, and set each port to untagged on the VLAN the computer connected to it needs to be on.  Then, any ports that connect to other switches would be set to tagged for all VLANs, as well as the remote switch's connecting port set to tagged for all VLANs.  The edge router/firewall would connect to a port that has all VLANs tagged as well.  The MSM would have each VLAN defined with the appropriate VLAN number; then you create a VSC for each VLAN and bind the VSC to the corresponding egress VLAN.

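As an added illustration (not the MSM765Cfg.txt or HP5412zlCfg.txt attached to this question), here is how the VLAN layout described in the accepted solution could look on the 5412zl: the internal subnet stays on VLAN 1, the guest SSID gets its own VLAN, and all inter-VLAN routing is left to the ASA. The guest VLAN ID 30, the port ranges, and the slot J port name are assumptions to be replaced with your own.

```text
; Added example config, not the thread's attached configs.
; Assumptions: guest VLAN is 30; A1 is the uplink toward the Palo Alto / ASA;
; A21-A23 feed the MSM460/MSM317 APs; J1 is the MSM765zl's LAN-side port.

vlan 1
   name "INTERNAL"
   untagged A2-A20        ; wired workstations, servers, DCs: unchanged
   tagged A1              ; edge firewall sees the internal VLAN tagged
   tagged A21-A23         ; AP management and the internal VSC egress
   ip address 10.10.2.50 255.255.255.0
   exit

vlan 30
   name "GUEST_WIFI"
   tagged A1              ; guest traffic leaves only toward the edge firewall
   tagged A21-A23         ; tagged on AP ports so egress VLAN binding works
   tagged J1              ; MSM port: tunnelled guest clients egress here
   no ip address          ; no switch IP on this VLAN: nothing routes it locally
   exit

; The switch forwards at layer 2 only; the ASA holds the policy
; (guest -> Internet permitted, guest -> 10.10.2.0/24 denied) and, with a
; DHCP relay to 10.10.2.42, hands out the guest scope.
no ip routing
ip default-gateway 10.10.2.1
```

On the MSM side, each VLAN above is defined with its number under the module's port, and the guest VSC (with "always use client tunnel" checked) is bound to egress VLAN 30 while the two internal VSCs are bound to VLAN 1.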