How to connect to multiple VLAN's on single SSID on single ID

  • 1
  • Question
  • Updated 2 years ago
  • (Edited)
We currently have an SSID per vlan - for security purposes (10 currently and due to grow). Plus, we also have high utilisation and some performance issues. We have been told to drop SSIDs to as few as possible - I think the lowest we can get to is 2. Internal and guest.

My issue is this, we can have multiple VLANs on a single SSID (PPSK) but how does a single user connect to different VLANs at different times? We have users who can be on 1 or multiple or even all but only connect to one at a time.

We do not want an admin nightmare!
Photo of Matthew Singleton

Matthew Singleton

  • 11 Posts
  • 0 Reply Likes

Posted 2 years ago

  • 1
Photo of Dianne Dunlap

Dianne Dunlap

  • 75 Posts
  • 15 Reply Likes
I have personally not tried ppsk VLAN assignment with shared keys (802.1x would be better to avoid the possibility of key compromise) but it looks like it should work:
Photo of Andrew Garcia

Andrew Garcia, Official Rep

  • 368 Posts
  • 120 Reply Likes
10 SSIDs is absolutely overkill. I always aim for no more than 3, and I usually find 2 is ok. The # of SSIDs I support is based solely on the number of authentication methods I need for a given use case. So typically, I have 1 for 802.1X/EAP, 1 for PPSK, and maybe 1 open depending on use case.

Through user profile assignment (and client classification), Aerohive gives you many different ways to assign different user profiles to client devices on the same SSID, and user profiles determine what VLAN to put a device in along with assigned firewall policy, QoS settings, throttling rules, etc. The user profile assignment capabilities differ slightly depending on which Aerohive management product you are using but generally speaking, you can assign based on user identity (as determined via RADIUS or PPSK group membership), client operating system, MAC address, time or location. 

A couple questions for you to think about as you plan a redesign:
-What is your authentication method that you currently use for your internal networks? Are you currently using PPSK, PSK, or 802.1X? What would you prefer to use going forward?
-What defines when a user needs a different VLAN? A different floor or different building? Or some other reason? 
- Could your security mandates be served equally or better by assigning firewall policy to users at the network edge, rather than VLAN assignment?

Also, are you using HiveManager 6 or HiveManager NG? 
Photo of Matthew Singleton

Matthew Singleton

  • 11 Posts
  • 0 Reply Likes
Thanks for the replies.
To answer some questions:
We use PSK and MAC filters.
Most users have access to a VLAN dependent on the work they are doing - which is fine apart from people who may work on several different projects and may need to switch several times a day.
If users were mainly static VLAN or Firewall would be easy.
We use HiveManager 6.

Is there - maybe a way in Captive Web Portal - to give the user the option of which profile to choose? Could then use 802.1X for authentication.