Question by PMICORP

Juniper SSG5 Guest and Employee Wifi using EnGenius EAP350

We have a few retail locations that require us to separate WiFi access between employees and retail customers. I would like to have the employees access both the LAN and internet and customers access only the internet. We currently run Juniper SSG5 routers with EnGenius EAP350 wireless APs.

I know that VLAN tagging is the preferred method, and the EnGenius supports multiple SSIDs with VLAN tagging. If someone can point me in the right direction on the Juniper setup to accomplish this, I would appreciate it.

Current setup with SSG5 is:

WAN
ethernet0/0
ethernet0/1

DHCP
192.168.XX.100-149

bgroup0/0
(bind) ethernet0/2-0/6
Reply by Sanga Collins
I have a similar setup for my clients. This is how I do it.

I create a new zone called wifi-guest.

I then create a new sub interface in the zone wifi-guest with vlantag = 2; the main interface it is attached to is bgroup0.

I then configure DHCP server for the new sub interface.

Finally, you can configure the policies to allow traffic to untrust while denying traffic from wifi-guest to trust zones. (I do allow traffic from trust to wifi-guest in case I need to manage a computer on the guest network.)

Hope this helps. Let me know if you need more details.
Thanks!
Reply by PMICORP (asker)

This sounds great, but I'm not sure exactly where to start. I understand the concept but will need a little more detail, as I have tried setting this up multiple times with no success.

If you could give me more details on the setup using the GUI I would appreciate it greatly.

Thanks
ASKER CERTIFIED SOLUTION by Sanga Collins
Reply by PMICORP (asker)

I have set this up and connected the EnGenius directly to the Juniper on ethernet0/2, which is part of bgroup0/0. Now that I have done that, it raises a few more questions:

How is this new sub interface going to get an IP if we have not setup a DHCP server for it?

How does it know to direct traffic strictly to the internet?

I will include some screen shots so you can see how I have done the config.
1. Sorry, I forgot the part about configuring the DHCP for the subinterface. After it has been created you can go to Networks > DHCP and there will be a new interface (bgroup0.1) that can now have a DHCP server configured.

2. Traffic can only go where security policies allow. The only policy you will really need is Guestwifi > untrust. With this rule guest wifi will only be able to get to the internet and will not be able to get to the LAN. To allow access to LAN, you would have to have GuestWifi > trust policy.

Hope that clears it up.
Reply by PMICORP (asker)

I have configured the DHCP server for bgroup0.1, and when I connect to the SSID with the VLAN tag of 20 it is giving me a DHCP address from bgroup0/0, not 0.1. It seems the tagging is not working or something is wrong with my config.

Is your wireless AP connected to a switch that is then connected to the SSG? If so, then the switch may be stripping out the VLAN tags. I use DLink and Unifi APs. I have noticed that I have to configure the business wifi as untagged VLAN and the guest wifi as tagged VLAN 20.

For switches, I am either using a UBNT PoE switch or a Cisco PoE switch. In both I have configured each port in trunk mode with the following operational VLANs.

1: untagged member / PVID
20: Tagged member

The best way to test is to plug one access point directly into the Juniper and attempt to get on guest wifi. You should see in the Juniper home/status page the attempts to reach the DHCP server. If the VLANs are configured correctly in the AP, your device will get an IP from the guest wifi sub interface.
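A ScreenOS CLI rendering of the zone, sub-interface, DHCP and policy steps described in the replies above, added here as an example; it is not taken from any post on this page or from the hidden certified solution. Assumed values: VLAN tag 20, 192.168.20.0/24 for the guest network, the default Trust/Untrust zone names, a public DNS address and the policy ID numbers; the # lines are reader comments, not CLI input.

```screenos
# Guest Wi-Fi on a Juniper SSG5: separate zone plus a tagged
# sub-interface on bgroup0. Assumed: VLAN 20, 192.168.20.0/24.

# 1. New security zone for guest clients; block intra-zone traffic so
#    guest devices cannot reach each other through the firewall.
set zone name wifi-guest
set zone wifi-guest block

# 2. Tagged sub-interface on bgroup0. The AP's guest SSID must send
#    VLAN 20 tagged frames on the port that belongs to bgroup0; the
#    employee SSID stays untagged and lands on bgroup0 (Trust).
set interface bgroup0.1 tag 20 zone wifi-guest
set interface bgroup0.1 ip 192.168.20.1/24
set interface bgroup0.1 nat

# 3. DHCP server on the sub-interface (GUI: Network > DHCP > bgroup0.1).
set interface bgroup0.1 dhcp server service
set interface bgroup0.1 dhcp server enable
set interface bgroup0.1 dhcp server option gateway 192.168.20.1
set interface bgroup0.1 dhcp server option netmask 255.255.255.0
set interface bgroup0.1 dhcp server option dns1 9.9.9.9
set interface bgroup0.1 dhcp server ip 192.168.20.100 to 192.168.20.149

# 4. Policies: traffic flows only where a policy permits it, so guests
#    get internet only. The explicit deny is logged so guest-to-LAN
#    attempts are visible in the event log.
set policy id 20 from "wifi-guest" to "Untrust" "Any" "Any" "ANY" permit
set policy id 21 from "wifi-guest" to "Trust" "Any" "Any" "ANY" deny log
# Optional: let admins on the LAN manage a device on the guest network.
set policy id 22 from "Trust" to "wifi-guest" "Any" "Any" "ANY" permit

# 5. Verify: a guest-SSID client should lease a 192.168.20.x address.
get interface bgroup0.1
get policy from wifi-guest to Untrust
save
```

If a switch sits between the AP and the SSG, its AP-facing port must carry VLAN 20 tagged alongside the untagged employee VLAN, as described in the reply above, or the sub-interface never sees the guest frames.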
Reply by PMICORP (asker)

Ok, I think we may have this solved; I will just need to do some additional testing to be 100%. It looks like the isolation checkbox is what was eluding me. Now it seems the VLAN tagging is working correctly.

To be safe, I went with a direct connection to the Juniper before I added another point of frustration. I will post an update shortly after we do some tests.

Thanks

Good to hear!

Keep us posted if anything else comes up.
Reply by PMICORP (asker)

Everything looks good with the current setup. Thanks for all the help!