Juniper SSG5 Guest and Employee Wifi using EnGenius EAP350

We have a few retail locations that require us to separate WiFi access between employees and retail customers. I would like to have the employees access both the LAN and internet and customers access only the internet. We currently run Juniper SSG5 routers with EnGenius EAP350 wireless APs.

I know that VLAN tagging is the preferred method and the EnGenius supports multiple SSIDs with VLAN tagging, if someone can point me in the right direction on the Juniper setup to accomplish this I would appreciate it.

Current setup with SSG5 is

WAN
ethernet0/0
ethernet0/1

DHCP
192.168.XX.100-149

bgroup0/0
(bind) ethernet0/2-0/6
PMICORPAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Sanga CollinsSystems AdminCommented:
I have a similar setup for my clients. This is how I do it.

I create a new zone in the called wifi-guest.

I then create a new sub interface in the zone wifi-guest with vlantag = 2 and the main interface it is attached to is bgroup0

I then configure DHCP server for the new sub interface.

Finally you can configure the policies to allow traffic to untrust, while denying traffic from wifi-guest to trust zones. (I do allow traffic from trust to wifi-guest in case I need to manage a computer on the guest network.

Hope this helps. Let me know if you need more details.
Thanks!
0
PMICORPAuthor Commented:
This sounds great but not sure exactly where to start, I understand the concept but will need a little more detail as I have tried setting this up multiple times with no success.

If you could give me more details on the setup using the GUI I would appreciate it greatly.

Thanks
0
Sanga CollinsSystems AdminCommented:
- In the gui the first thing you want to do is create the new zone if you have not done so already. This is under

Network > Zones

Here is an example from one of my SSg devices

Name              Virtual Router      Vsys        Default IF       Type
wifi-guest      trust-vr                      Root      bgroup0.1      Security(L3)

- the next step is creating the sub interface. This can be found by going to

Network > Interfaces (List)
click on new sub-interface in the top right corner of the screen

Create a new interface with the following:
* interface name = brgoup0 .1 (use your primary LAN interface. Mine is bgroup0, but you can use eth0/0 or 1. Just depends on what your LAN is bound to
* zone name = wifi-guest
* IP address = 192.168.1.1 / 24
* manage ip = 192.168.1.1
* vlan tag = 2 (or vlan that you have chosen)
* service options = ping (so you can test that the interface is online)

Now you can connect your wifi devices. Please note. The switch that the wifi APs are connected to must support vlan-tags. If not then the tag will get stripped from the packets and you will not be able to connected to the guest wifi. You can test this by plugging and AP directly into the SSG. If you are able to get a DHCP IP from guest wifi, then you know that the switch is where the problem is .
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Ultimate Tool Kit for Technology Solution Provider

Broken down into practical pointers and step-by-step instructions, the IT Service Excellence Tool Kit delivers expert advice for technology solution providers. Get your free copy now.

PMICORPAuthor Commented:
I have set this up and connected the EnGenius directly to the juniper on ethernet0/2 which is part of bgroup0/0. Now that I have done that it raises a few more questions???

How is this new sub interface going to get an IP if we have not setup a DHCP server for it?

How does it know to direct traffic strictly to the internet?

I will include some screen shots so you can see how I have done the config.
EnGenius EAP350ZoneSub InterfaceSub Interface Detail
0
Sanga CollinsSystems AdminCommented:
1. Sorry, I forgot the part about configuring the DHCP for the subinterface. After it has been created you can go to Networks > DHCP and there will be a new interface (bgroup0.1) that can now have a DHCP server configured.

2. Traffic can only go where security policies allow. The only policy you will really need is Guestwifi > untrust. With this rule guest wifi will only be able to get to the internet and will not be able to get to the LAN. To allow access to LAN, you would have to have GuestWifi > trust policy.

hope that clears it up
0
PMICORPAuthor Commented:
I have configured the DHCP server for bgroup0.1 and when I connect to the SSID with the VLAN tag of 20 it is giving me a DHCP address from bgroup0/0 not 0.1, it seems the tagging is not working or something is wrong with my config.
0
Sanga CollinsSystems AdminCommented:
Is your wireless AP connected to a switch that is then connected to the SSG? If so, then the switch maybe stripping out the VLAN tags. I use DLink and Unifi APs. I have noticed that I have to configure the business wifi as untagged VLAN and the guest wifi as tagged VLAN 20.

For switches, I am either using UBNT poe switch or cisco POE switch. In both I have configured each port in trunk mode with the following operational vlans.

1: untagged member / PVID
20: Tagged member

The best way to test is to plug one access point directly into the juniper and attempt to get on guest wifi. You should se in the juniper home/status page the attempts to reach the DHCP server. If the VLANs are configured correctly in the AP your device will get an IP from the guest wifi sub interface.
0
PMICORPAuthor Commented:
Ok I think we may have this solved, I will just need to do some additional testing to be 100%. It looks like the isolation checkbox is what was eluding me, now it seems the VLAN tagging is working correctly.

To be safe I went with a direct connection to the Juniper before I added another point of frustration, I will post an update shortly after we do some test.


Thanks
0
Sanga CollinsSystems AdminCommented:
good to hear!

Keep us posted if anything else comes up.
0
PMICORPAuthor Commented:
Everything looks good with the current setup. Thanks for all the help!
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Routers

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.