AP330 - How do I assign different user profiles to eth0 and eth1, without vlan-aware switches?


My situation: a branch with a WAN link and a separate internet link. I want to configure an AP330 so that management and corporate users traverse the WAN link (eth0), and guest users traverse the internet-only link (eth1). The branch has an unmanaged switch connected to eth0; eth1 is connected directly to an internet router on a separate link, not connected to the corporate WAN at all.

Corporate device authentication is via certificates and RADIUS (MS NPS), corporate user auth for non-domain-joined devices is via AD credentials (gets the guest user profile), and guest auth is via 1 or 7 day PPSK.

I've attempted this with it in AP mode, and auth works for both user profiles, but DHCP discover on the guest SSID goes unanswered (the internet router is doing DHCP).

I've tried it in router mode, and auth still works in both user profiles, but this time guest gets DHCP OK, but corporate does not (corporate DHCP server in the data center). Management works fine in both situations. If I enable DHCP on the network assigned to the VLAN assigned to the corp user profile, then corp users get an IP from this pool, and can access network resources, but nothing on the network can talk to them (as the rest of the network doesn't know how to route to that IP range).


I'm sure I'm missing something simple, but am really interested in how this SHOULD be set up, and happy to start from scratch to achieve it if required.


Nigel

Posted 4 years ago

Bill Lundgren, Employee

Hi Nigel,

Am I correct in that you simply want your corporate traffic to ingress/egress the AP out ETH0, while anyone connecting to the Guest SSID uses ETH1? What version of HiveManager/HiveOS are you using?

Nigel

Hi Bill,

That's correct, and I've managed to make it work, by setting the native and allowed VLAN on eth1 to 1, setting eth0 to a different native VLAN, and allowing 2-4094, then assigning VLAN 1 to the "Multiple Network Default Routing" setting, under Routing in the AP config. All is now working as I want it :) My HM and APs are running version 6.1r6a, for reference.