Assigning different subnets for different SSIDs on the same VLAN

Hi all!
I'm deploying a hive with 8 AP121s and 2 SSIDs (1 for guests, open; 1 for corporate users, with PSK), both on the same VLAN.
What I'd like to do:
Guests connect to the Guest SSID and are assigned a subnet like 10.10.1.0.
Corporate users connect to the Corp SSID and are assigned another subnet, 10.10.2.0.
The 2 scopes are defined on my DHCP server.

Today, the Guest SSID works well: clients are assigned IPs in the 10.10.1.0 subnet, but Corp users (connected to the Corp SSID) also get a 10.10.1.0 IP...

Any ideas?

Thx
OliveSico

Posted 4 years ago

J. Goodnough, Champ
Corp and Guest users should have different User Profiles with different default VLAN assignments.
Carsten Buchenau, Champ
You can only use one DHCP scope per VLAN.

Think about it: to receive an IP address via DHCP, the client sends a DHCP request as a Layer-2 broadcast. This is picked up by any DHCP server inside that VLAN (= broadcast domain = Layer-2 domain), and the one that is faster wins :-) So even if you have a secondary IP address from a different subnet configured on your router, it won't work.

You do have to configure a different VLAN for your Corp users.
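The point Carsten makes above, modelled as an added example (not code from the thread or from Aerohive): a DHCP server chooses a scope by the broadcast domain a DISCOVER arrives on, because the SSID name is never part of that broadcast. The client names, VLAN ids and scope ranges are constructed for the illustration; the server model is deliberately simplified (one server, no relay, first matching scope wins).

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional, Tuple


@dataclass
class Scope:
    """A DHCP scope bound to one broadcast domain (VLAN)."""
    network: IPv4Network
    vlan: int
    next_host: int = 10  # constructed: the first lease handed out is .10

    def lease(self) -> IPv4Address:
        addr = self.network.network_address + self.next_host
        self.next_host += 1
        return addr


class DhcpServer:
    """Simplified server: it knows nothing about SSIDs, only about the VLAN
    (broadcast domain) a DHCPDISCOVER was received on. A second scope bound to
    the same VLAN is never consulted, which is what happens with a 'secondary'
    subnet on a single broadcast domain."""

    def __init__(self, scopes: List[Scope]) -> None:
        self.scopes = scopes

    def offer(self, vlan: int) -> Optional[Tuple[IPv4Address, Scope]]:
        for scope in self.scopes:
            if scope.vlan == vlan:
                return scope.lease(), scope
        return None  # no scope serves that broadcast domain


def assign_addresses(ssid_to_vlan: Dict[str, int], server: DhcpServer,
                     clients: Dict[str, str]) -> Dict[str, Optional[str]]:
    """clients maps client name -> SSID it associated to.
    Returns client name -> the scope network its lease came from."""
    result: Dict[str, Optional[str]] = {}
    for name, ssid in clients.items():
        # The AP bridges the client's broadcast into the VLAN linked to the
        # user profile of that SSID; the DISCOVER frame carries no SSID name.
        vlan = ssid_to_vlan[ssid]
        offer = server.offer(vlan)
        result[name] = str(offer[1].network) if offer else None
    return result


# Constructed clients: one guest device and one corporate device.
CLIENTS = {"guest-1": "Guest", "corp-1": "Corp"}


def same_vlan() -> Dict[str, Optional[str]]:
    """Both SSIDs on VLAN 10, two scopes defined for VLAN 10 (the original setup)."""
    server = DhcpServer([
        Scope(IPv4Network("10.10.1.0/24"), vlan=10),
        Scope(IPv4Network("10.10.2.0/24"), vlan=10),  # never reached
    ])
    return assign_addresses({"Guest": 10, "Corp": 10}, server, CLIENTS)


def separate_vlans() -> Dict[str, Optional[str]]:
    """Corp SSID moved to its own VLAN 20 with its own scope (the fix)."""
    server = DhcpServer([
        Scope(IPv4Network("10.10.1.0/24"), vlan=10),
        Scope(IPv4Network("10.10.2.0/24"), vlan=20),
    ])
    return assign_addresses({"Guest": 10, "Corp": 20}, server, CLIENTS)


if __name__ == "__main__":
    print("same VLAN:     ", same_vlan())
    print("separate VLANs:", separate_vlans())
```

Running the two scenarios shows the symptom from the opening post (both clients land in 10.10.1.0/24 when the SSIDs share VLAN 10) and the outcome once the Corp SSID is given its own VLAN (corp-1 is served from 10.10.2.0/24).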
OliveSico
Ok, thanks guys!
That's clear for me now.
I've just set up my ProCurves with another VLAN for the second SSID; it works perfectly.

Thanks again
Nick Lowe, Official Rep
Just wanted to chime in and agree with the others here to say that it is particularly bad practice in most deployment scenarios to have different subnets in the same broadcast domain (VLAN) for client access.
OliveSico
Ok, now my 2 SSIDs work fine.
The guest one, open, allows access only to the internet.
The corp one, with PPSK, allows access to company resources.
I've read it's possible to prevent BYODs from connecting to the corp SSID using the Client Classification Policy. I set up some rules to prevent Android, iDevices, and so on, from connecting to the corp SSID and switch them to the guest SSID.
But they still can. What did I do wrong?
Carsten Buchenau, Champ
To be clear: with client classification you cannot prevent clients from connecting, as this mechanism happens after a client is connected.

What you can do is to re-assign a different user profile (you cannot push them to a different SSID!).

First, in that little wizard where you select user profiles, make sure you have "Enable user profile reassignment based on client classification rules" checked.

Now you have two options:

1. Use a user profile that has the same (corp) VLAN linked and configure the firewall policies accordingly. Clients will still be able to connect to your corp SSID and be in the same VLAN, but if you set the policies for "guest only" access, or even to block everything, it should be sufficient for you.

2. Use your guest user profile, which has your guest VLAN linked.
Now, this is a bit tricky, as it means that this mechanism has to take effect before your clients get an IP address assigned.
- Make sure you match on the OS object only.
- In your network policy, make sure that under Additional settings, service settings, management options you have "DHCP option 55" selected as the client OS detection method.
Crowdie, Champ
If you want to use Client Classification to disassociate clients, say not letting Android and iOS devices onto a specific WLAN, it can be done using schedules. Just create a schedule that can never be valid, say 1/1/01 00:00 to 1/1/01 00:01, and assign it to a user profile called "Deassociate_Client", for example. Now, in the user profile that the iOS and Android devices are currently being assigned to post-authentication, create client classifier rules assigning iOS and Android devices to the "Deassociate_Client" user profile. The default "Deny Action for Schedule" rule for wireless clients associating to a user profile is "No Association", so when the iOS and/or Android devices are matched into the "Deassociate_Client" user profile they lose their association.

Sneaky but it works.
Carsten Buchenau, Champ
Neat trick! :-)
Rick Bassett
OliveSico, how did you configure your ProCurves? I am setting up a similar config to yours. I think the Hive setup is correct, but the ProCurve setup eludes me.
OliveSico
Hi all, and thanks for your help.
Now the deal has changed: I had to use a RADIUS NPS server to authenticate the AD users on the Corp SSID (the guest one remains open).
So a new issue has come up, regarding the non-Windows devices (personal or professional Android or iOS phones).
I set up Client Classification rules that switch any device connected to the Corp SSID to the guest one, and only some devices (filtered by MAC address) can still access the LAN.
As said in another topic, I know the user but not the device.
Is there a way to build a list of such MAC-address devices to allow them to connect to the Corp SSID, for use in the client classification?