Assign IP scope based on SSID?

  • Question
  • Updated 3 years ago
  • Answered

We've been using AH APs for about a year now in our school district. We've been using them in a pretty simple configuration.
  • 1 SSID (WPA2 Enterprise) for Students to authenticate via RADIUS (going through our AD) built into an AP350 in the building
  • 1 SSID (WPA2 Enterprise) for Staff to authenticate via RADIUS (going through our AD) built into an AP350 in the building
  • 1 SSID (open) network for Guests, with AP firewall policies on the APs through the HM settings to allow internet access only.
  • 1 non-broadcast SSID (WEP) that is only used through deployed settings for district-owned devices, with settings on those devices to ensure the password cannot be discovered.
The students have quickly been adapting to using more and more data as it's been available to them (shocker!) and it's now coming to the point where more and more has to be done to filter this data, block some, limit others, etc. The difficult point in doing this is now doing it without affecting the other SSIDs, due to our basic network configuration with the wireless.

We currently have a simple flat network ( subnet.  Our firewall (Sophos UTM) allows a lot of the needed customization to limit users, however it would allow much more if the users weren't all on the same broadcast network.  For example I could set a specific profile that gives certain bandwidth allocation based on users coming from the source network  At the moment this would obviously apply to all users in all of the SSIDs.  

What I ideally want to do is separate the users' authentication on each SSID into different IP ranges: Guests -> 10.10.x.x, Students -> 10.20.x.x, Staff -> 10.30.x.x, etc., so I can then modify the traffic profiles on my firewall accordingly.

Again, since this is new here and we've only been using it in a simple configuration, I'm not sure where to begin or what the best method for achieving this would be. I believe all of this leads into VLANs; again, I'm not really familiar with that.

Our DHCP is Windows (Server12).  I know AH can provide DHCP as well as our firewall.  Would it be best to configure all of this through our Windows server? 

I'd appreciate any and all help, thanks!
NT

Posted 3 years ago
Tony Schaps
You have four SSIDs all going to the same flat network and subnet? How many devices are typically on the network?
On the surface, I'd say you're long overdue to add some VLANs. It's all very simple with Aerohive, from what I have experienced over the past month getting to know our network. Going from one LAN to two VLANs is a big step requiring some planning and preparation. Adding additional VLANs after that is relatively easy. Having worked in educational tech for 10 years, I'd advise waiting for summer to implement it. Spring Break is too short a time.
The nice thing about AeroHive, too, is that if you want you can move down to one SSID and, depending on the password used to authenticate, your users will be placed on the proper VLAN automatically. It works very well. So it doesn't really answer your question, but it makes it outdated.
You can assign the VLAN, and therefore the IP scope, all from the password the user has. You set up the scopes on your server, or you might want to use the HM for that. You have options.
But your router needs to be set up to allow all the new subnets access to the Internet, your core switches might need configuration, etc., so you need to get someone who knows this stuff involved. How you will proceed depends completely on your hardware setup.

One tip: I have found it very easy to keep the subnets/VLANs straight by numbering the VLANs to match the IP range, i.e. Guests -> 10.10.x.x on VLAN 10, Students -> 10.20.x.x on VLAN 20, etc.

Good luck!
J. Goodnough, Champ
Also! You can collapse your two RADIUS-backed SSIDs into a single SSID and still separate into VLANs based on profile, and WEP should be considered as open as an Open Auth network; WEP can literally be broken in seconds. As Tony says, though, you're going to have to do some significant planning to design your network properly, and the specific steps are going to be based on your switching and routing hardware.
NT

Thanks for the info. I was mostly just making sure there was not any built-in way in AH to do this without doing VLANs. I've started planning with that to get it all set up in the coming months.
Joël Stouwdam

You will always need a properly built switch/VLAN network to accomplish what you want. A piece of advice, in line with J. Goodnough: build one SSID (or multiple SSIDs) and use RADIUS attributes to redirect each type of user into the right VLAN.
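Tony's point that the VLAN (and so the IP scope) follows from who authenticated, and Joël's advice to do it with RADIUS attributes, as an added worked example that is not from this thread or from Aerohive: a Python sketch of the RADIUS-server side that turns an AD group into the three standard Access-Accept attributes for dynamic VLAN assignment (Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID from RFC 2868/RFC 3580) and checks them against the 10.<VLAN>.x.x numbering tip. The group names and the group-to-VLAN map are constructed, and the example assumes the APs honor these standard attributes.

```python
"""Dynamic VLAN assignment via RADIUS reply attributes (RFC 2868 / RFC 3580)."""
import ipaddress
import struct

# Constructed plan following the thread's 10.<vlan>.x.x convention; the AD group
# names are assumptions, not from the original post. The open Guest SSID has no
# RADIUS exchange, so its VLAN (10) is set statically on that SSID instead.
GROUP_TO_VLAN = {"Students": 20, "Staff": 30}

# Attribute numbers and values as defined in RFC 2868 / RFC 3580.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, MEDIUM_IEEE_802 = 13, 6


def _tagged_int(attr_type, value, tag=0):
    """Tagged integer attribute: Type, Length=6, Tag, 3-byte big-endian value."""
    return struct.pack("!BBB", attr_type, 6, tag) + value.to_bytes(3, "big")


def _tagged_string(attr_type, text, tag=0):
    """Tagged string attribute: Type, Length, Tag, then the string bytes."""
    data = text.encode("ascii")
    return struct.pack("!BBB", attr_type, 3 + len(data), tag) + data


def vlan_for_group(group):
    """VLAN for a user's group; unknown groups get None (reject or default VLAN)."""
    return GROUP_TO_VLAN.get(group)


def subnet_for_vlan(vlan):
    """Subnet the firewall profile should match, per the VLAN-number convention."""
    return ipaddress.ip_network(f"10.{vlan}.0.0/16")


def access_accept_attributes(group):
    """Bytes of the three VLAN attributes to append to an Access-Accept, or None."""
    vlan = vlan_for_group(group)
    if vlan is None:
        return None
    return (_tagged_int(TUNNEL_TYPE, TUNNEL_TYPE_VLAN)
            + _tagged_int(TUNNEL_MEDIUM_TYPE, MEDIUM_IEEE_802)
            + _tagged_string(TUNNEL_PRIVATE_GROUP_ID, str(vlan)))


def decode_vlan(attrs):
    """Parse the attribute bytes back (as the AP would) and return the VLAN id."""
    i, found = 0, {}
    while i < len(attrs):
        attr_type, length = attrs[i], attrs[i + 1]
        found[attr_type] = attrs[i + 3:i + length]  # skip the tag byte
        i += length
    if found.get(TUNNEL_TYPE) != TUNNEL_TYPE_VLAN.to_bytes(3, "big"):
        return None  # not a VLAN assignment; AP should fall back to the SSID's VLAN
    return int(found[TUNNEL_PRIVATE_GROUP_ID].decode("ascii"))
```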