How to choose from multiple VLAN at authentication

  • 1
  • Question
  • Updated 2 years ago
We are reducing our SSIDs by authenticating to a RADIUS server. This is great, but one challenge we face is how to choose a VLAN if you have access to multiple VLANs.

It's fine with a single VLAN for a user: that attribute is returned, access granted. How can we force people to select which VLAN to connect to if they have access to more than one? (A custom CWP?)
Matthew Singleton

  • 11 Posts
  • 0 Reply Likes

Posted 2 years ago

  • 1
Luke Harris

  • 265 Posts
  • 18 Reply Likes
Matthew, may I ask a question: why would a user need to change between VLANs once they have authenticated? Surely this seems counterintuitive. Users should be placed on a VLAN based on their access requirements, etc. For me this raises a number of security concerns.
Matthew Singleton

  • 11 Posts
  • 0 Reply Likes
We do have several users that need to be able to connect to all the individual VLANs (but only one at a time), as we segregate access to systems based on the VLAN. For example, I monitor different systems from a single application dependent on the VLAN I am on, so I would need to be able to switch easily.

The majority of our users will only ever have one VLAN assigned to their profile at once.
BJ, Champ

  • 374 Posts
  • 45 Reply Likes
Would you consider using firewall rules to limit access at layers 3-7 instead of the VLANs performing the task at layer 2?

Best,
BJ
Luke Harris

  • 265 Posts
  • 18 Reply Likes
Brian - can you explain this further?
Matthew Singleton

  • 11 Posts
  • 0 Reply Likes
Hi BJ - I don't think that will work for us, as we use VLAN tagging for DNS.
Matthew Singleton

  • 11 Posts
  • 0 Reply Likes
For those interested, we have a solution: add a suffix to the user ID for the project/VLAN, i.e. john.doe@vlanA, john.doe@vlanB, and let the RADIUS server work it out.
Matthew Singleton

  • 11 Posts
  • 0 Reply Likes
Sort of: as long as they don't 'remember' the network, re-authenticating is easy. Users don't need to know the VLAN details; we work on project titles, so all they have to know is what project they want to connect to, i.e. john.doe@Alpha, then connect to john.doe@beta. The RADIUS server will translate the project to the attribute number for the VLAN.
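A small Python model of the RADIUS-side mapping Matthew describes, added here as an example and not code from the thread or from any product: it treats the suffix purely as a selector among the account's own entitlements and rejects a request for a project the account is not entitled to, so the suffix can never widen access. The project-to-VLAN table and the per-user entitlements are constructed sample data, and the password check is assumed to have happened before this step.

```python
from dataclasses import dataclass

# RFC 3580 attribute values used for VLAN assignment.
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6

# Constructed sample data: project title -> VLAN ID, and per-account entitlements.
PROJECT_VLANS = {"alpha": 110, "beta": 120, "gamma": 130}
USER_PROJECTS = {"john.doe": {"alpha", "beta"}, "jane.roe": {"gamma"}}

@dataclass
class RadiusReply:
    accept: bool
    attributes: dict
    reason: str = ""

def split_identity(identity: str):
    """Split 'user@project' into (user, project); project may be absent."""
    user, sep, project = identity.partition("@")
    return user.strip().lower(), (project.strip().lower() if sep else None)

def authorize(identity: str) -> RadiusReply:
    """Model the RADIUS authorization step after the password has been checked."""
    user, project = split_identity(identity)
    entitled = USER_PROJECTS.get(user)
    if entitled is None:
        return RadiusReply(False, {}, "unknown user")
    if project is None:
        # The common case in the thread: one project, so no suffix is needed.
        if len(entitled) != 1:
            return RadiusReply(False, {}, "project suffix required")
        project = next(iter(entitled))
    # The suffix only selects among entitlements; it must never widen them.
    if project not in entitled:
        return RadiusReply(False, {}, "user not entitled to project")
    vlan = PROJECT_VLANS.get(project)
    if vlan is None:
        return RadiusReply(False, {}, "project has no VLAN")
    return RadiusReply(True, {
        "Tunnel-Type": TUNNEL_TYPE_VLAN,
        "Tunnel-Medium-Type": TUNNEL_MEDIUM_IEEE_802,
        "Tunnel-Private-Group-ID": str(vlan),
    })
```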
Luke Harris

  • 265 Posts
  • 18 Reply Likes
Interesting. How many SSIDs do you have within your deployment?
Matthew Singleton

  • 11 Posts
  • 0 Reply Likes
Currently 10, and that is due to expand. The majority (90%-ish) of users will only ever need one VLAN assigned to their profile.
Luke Harris

  • 265 Posts
  • 18 Reply Likes
Matthew - last question: do you or your users notice any performance issues with your WiFi?
Matthew Singleton

  • 11 Posts
  • 0 Reply Likes
Yep! Massive channel utilisation, so we need to reduce. Via this method we can get to one SSID, including guest access.
rbentley

  • 12 Posts
  • 0 Reply Likes
Is it possible for you to use PPSK? You could create several different passwords for each user based on the different VLANs they needed access to. One downside is you wouldn't have any control of their credentials with your directory, so if there are a lot of changes it would be a ton of work to keep everything up to date.