We are a large school district and in the process of revamping how our Aerohive network is set up in each school. For each school we are planning on creating 5 SSIDs:
- District Transient Staff
- School Owned Devices
- BYOD Teacher
- BYOD Student
These different SSIDs will each be associated with a different VLAN, each in a /23 subnet. However, for our larger schools, it's possible that the BYOD Student SSID will require more than the 512 IPs available in a /23 subnet. Wondering if there is a way to associate multiple VLANs (and thus IP subnets) with a single SSID? That way we could scale the BYOD Student SSID in order to provide more IPs as necessary to our larger schools:
- 1 VLAN = 512 IPs
- 2 VLANs = 1024 IPs
- 3 VLANs = 1536 IPs
Can I make a suggestion to decrease the number of SSIDs? Keeping the number of SSIDs to a minimum will be key to keeping 802.11 overhead to a minimum (for further reading: http://www.revolutionwifi.net/revolutionwifi/2013/10/ssid-overhead-how-many-wi-fi-ssids-are.html).
Also, with Aerohive you have the ability to have a single SSID with multiple keys using Private Pre-Shared Keys (aka PPSK). This will help with consolidation of SSIDs when using WPA2/PSK and is a great alternative to WPA2/802.1X.
Let's say you are the IT Admin at ACME School; you could create SSIDs called ACME-WiFi and ACME-Guest-WiFi.
For ACME-WiFi you could create 4 different PPSKs, one for each of the following use cases:
- District Transient Staff - PPSK - "l3tsgo@cm3p"
- School Owned Devices - PPSK - "d1str1ct0wn3d"
- BYOD Teacher - PPSK - "Acm3T3ach3r" (widely known only amongst teachers)
- BYOD Student - PPSK - "LetsGoAcme" (widely known for students)
For ACME-WiFi, each key would be assigned to a different User Profile, which in turn is assigned to a different VLAN.
- District Transient Staff --> Staff-User --> VLAN 110
- School Owned Devices --> Student-User --> VLAN 120
- BYOD Teacher --> BYOD-Teacher --> VLAN 130
- BYOD Student --> BYOD-Student --> VLAN 140
Now, to answer your question about multiple VLANs for a single SSID (which is now a single User Profile):
For your BYOD Student User Profile you can assign multiple VLANs based on location by using Device Classification. Below is an example where I used Device Classification Tags to assign multiple VLANs to a single VLAN Object. You can also use Topology Maps and Device Names to make this declaration.
Hope this helps.
802.1X with Active Directory configuration
You can map Active Directory security groups to an Aerohive User Profile. So for your example I would make 4 Aerohive User Profiles (District Transient Staff, School Owned Devices, BYOD Teacher, BYOD Student) and assign the right VLAN to each User Profile. The mapping of the security groups you can do here: Configuration --> go to the menu on the left side (if it's closed, click on Show nav) --> Advanced Configuration --> Authentication --> Aerohive AAA Server Settings --> Database Settings --> activate the checkbox "LDAP server attribute mapping".
BYOD devices will not be in the domain, so it's possible that you get some certificate issues on Windows machines. I would suggest buying an external certificate to solve this.
Create 4 user groups and 4 user profiles (District Transient Staff, School Owned Devices, BYOD Teacher, BYOD Student). You can map every user group to the right user profile (and VLAN).
* Define the difficulty of the password in the user group (personally I would suggest 8 characters long with only numbers and letters) --> special characters are very difficult for tablet/smartphone users.
* Create your own passwords in the CSV file; the created passwords must meet the requirements you configured at user group level (otherwise the system will create a 64-character password).
I have created my own web application where our clients can create their own CSV file by only uploading an Excel or CSV file with the names and e-mail addresses of the users. So they only need to make a simple CSV file and select in a dropdown box which kind of users (= which user group) they are going to upload.
I hope this was helpful. If you need more information, just ask :-D.
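The bulk-provisioning step described in the answer above (a name/e-mail upload turned into a PPSK import file whose keys satisfy the user group policy) can be sketched as follows. This is an added example, not the poster's web application and not an Aerohive tool: the CSV column names (`user_name`, `email`, `password`, `user_group`) are assumed, the policy is the one suggested in the post (8 characters, letters and digits only), and keys are drawn from the CSPRNG-backed `secrets` module rather than a human-chosen pattern, because every key in the file is an access credential for that user group's VLAN.

```python
import csv
import io
import re
import secrets
import string

# Password policy as suggested in the post (assumption: exactly 8 characters,
# letters and digits only, so it is typeable on tablets and phones).
PPSK_LENGTH = 8
PPSK_ALPHABET = string.ascii_letters + string.digits
PPSK_PATTERN = re.compile(r"^[A-Za-z0-9]{8}$")
# Minimal sanity check for the uploaded e-mail column (not a full RFC 5322 parser).
EMAIL_PATTERN = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# The four PPSK user groups named in the thread (group names assumed to match).
USER_GROUPS = {
    "District Transient Staff",
    "School Owned Devices",
    "BYOD Teacher",
    "BYOD Student",
}
CSV_COLUMNS = ["user_name", "email", "password", "user_group"]  # assumed import columns


def generate_ppsk(length=PPSK_LENGTH, alphabet=PPSK_ALPHABET):
    """Return a key meeting the user group policy, drawn from the OS CSPRNG."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def meets_policy(key):
    """True if the key would pass the configured user group requirements."""
    return PPSK_PATTERN.match(key) is not None


def build_ppsk_rows(users, user_group):
    """Turn (name, email) pairs into import rows; invalid rows are returned separately.

    A row that fails validation is skipped instead of silently importing a
    blank name or a malformed address that nobody could be contacted at.
    """
    if user_group not in USER_GROUPS:
        raise ValueError(f"unknown user group: {user_group}")
    rows, rejected = [], []
    for name, email in users:
        name, email = name.strip(), email.strip()
        if not name or not EMAIL_PATTERN.match(email):
            rejected.append((name, email))
            continue
        key = generate_ppsk()
        assert meets_policy(key)  # guards against a misconfigured alphabet/length
        rows.append({"user_name": name, "email": email,
                     "password": key, "user_group": user_group})
    return rows, rejected


def to_csv(rows):
    """Serialize rows with the assumed column header; header only when rows is empty."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=CSV_COLUMNS)
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


# Constructed sample upload (fictional people); the third row is deliberately malformed.
SAMPLE_UPLOAD = [
    ("Alice Example", "alice@example.org"),
    ("Bob Example", "bob@example.org"),
    ("Broken Row", "not-an-email"),
]

if __name__ == "__main__":
    rows, rejected = build_ppsk_rows(SAMPLE_UPLOAD, "BYOD Teacher")
    print(to_csv(rows))
    print("rejected:", rejected)
```

Note that the example keys quoted earlier in the thread (for instance "l3tsgo@cm3p") would not pass this stricter letters-and-digits-only policy; `meets_policy` is the check to run on any hand-written keys before uploading, since keys that miss the policy are replaced by the system with a 64-character one, as the post warns.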
Thanks for all of the suggestions, everyone. I haven't had a chance to look at this for a few days, so just catching up now. For our situation, I think it would be too much work using the PPSK configuration as we have over 25,000 student users in our region, so I would rather leverage the existing Active Directory. Unfortunately, we are not at a place yet where we have one large Active Directory throughout our over 100 schools. They are all acting as independent entities at the moment, each school with its own Windows Active Directory domain.
So, we really need to decide between one of two situations:
- Use NPS on the school's Windows DC to act as a RADIUS server. The problem with this setup is that we would also need to install Windows Certificate Services on each server to act as its own CA; this creates even more duplicate work at each site. It may also present a problem for BYOD devices (iPads, smartphones, etc.) because the certificate is not trusted.
- Use the Aerohive APs located at the school to act as the RADIUS server and then connect to the local school's Active Directory on the Windows Server for authentication. This might be the best option as we can then leverage the Aerohive trusted certificate, thus avoiding the certificate issue and not having.
Our situation is made even more complicated by the fact that in some schools we have the ability to use VLANs and in others we do not have the infrastructure to support it. Thus we would need two different models, one for schools that support VLANs and one for schools that do not.
So, based on the suggestions above, I like the idea of having just 2 SSIDs: one for the District Transient Staff that would use one pre-shared key, and a second SSID that would encompass the following 4 different User Profiles:
- School Owned Devices
- BYOD Teacher
- BYOD Student
- Guest
Guest would be the Default User Profile. So, all that being said, how could we accomplish this for the two different situations we have, schools with VLANs and schools without VLANs?
First, the certificate issue on BYOD will only be solved if you buy a certificate from a public CA.
For the situations with VLANs, I think the best way to handle this is to use the Topology Maps feature, where you add the building plans and place the correct access points on these plans. Doing this enables Aerohive to decide which VLAN to use.
Our Hive has a certificate from a public CA, so I think that would work fine. In terms of the VLAN situation, we want users to be put into a VLAN based on group membership in Active Directory, so when a student logs on with a BYOD device (member of the StudentWifi AD group), they would go into VLAN 400; when a teacher logs on with a BYOD device (member of the TeacherWifi AD group), they would go into VLAN 300; school devices (school-owned equipment, laptops or tablets) would use VLAN 200; and the default profile would be for Guest, using VLAN 500. Our school server would have a DHCP range for each different VLAN.
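Two things in this thread are worth checking with a few lines of code before committing to the design: the AD-group-to-VLAN assignment with its Guest default (this last post), and the first post's "/23 = 512 IPs" sizing. The following is an added example, not Aerohive's attribute-mapping logic and not code from any poster. The group names TeacherWifi and StudentWifi and the VLAN numbers come from the post; the AD group for school-owned devices (`SchoolDevices`) and the precedence order used when an account is in more than one mapped group are assumptions. The sizing part goes slightly beyond the thread: it counts usable addresses (a /23 has 512 addresses but 510 usable hosts after the network and broadcast addresses, minus whatever the DHCP scope reserves) and carves a supernet into the /23s each extra VLAN would need.

```python
import ipaddress
import math

# AD group -> (Aerohive user profile, VLAN), as described in the post.
# "SchoolDevices" is an assumed group name; the post only gives the VLAN.
GROUP_TO_PROFILE = {
    "SchoolDevices": ("School Owned Devices", 200),  # assumed group name
    "TeacherWifi": ("BYOD Teacher", 300),
    "StudentWifi": ("BYOD Student", 400),
}
# Anything not matched lands in the default profile, as the post intends.
DEFAULT_PROFILE = ("Guest", 500)
# Assumed tie-break when an account belongs to several mapped groups:
# evaluate in this order and take the first hit. Making this explicit avoids
# a teacher who is also in a student group being dropped into the student VLAN
# (or vice versa) depending on attribute order returned by LDAP.
PRECEDENCE = ["SchoolDevices", "TeacherWifi", "StudentWifi"]


def profile_for_groups(member_of):
    """Map an account's AD group memberships to (profile, vlan) with a Guest fallback."""
    groups = set(member_of)
    for group in PRECEDENCE:
        if group in groups:
            return GROUP_TO_PROFILE[group]
    return DEFAULT_PROFILE


def usable_hosts(network):
    """Host addresses in a subnet, excluding network and broadcast."""
    net = ipaddress.ip_network(network, strict=False)
    return net.num_addresses - 2


def vlans_needed(device_count, network="10.0.0.0/23", reserved=0):
    """How many subnets of this size are needed for device_count concurrent leases.

    reserved = addresses the DHCP scope sets aside per VLAN (gateway, printers, static hosts).
    """
    per_vlan = usable_hosts(network) - reserved
    if per_vlan <= 0:
        raise ValueError("reservations exhaust the subnet")
    return math.ceil(device_count / per_vlan)


def subnet_plan(supernet, count, new_prefix=23):
    """Return `count` subnets of /new_prefix carved from supernet, or fail loudly."""
    subnets = list(ipaddress.ip_network(supernet).subnets(new_prefix=new_prefix))
    if len(subnets) < count:
        raise ValueError(f"{supernet} holds only {len(subnets)} /{new_prefix} subnets, need {count}")
    return [str(s) for s in subnets[:count]]


if __name__ == "__main__":
    # Constructed accounts, not real directory data.
    for groups in (["StudentWifi"], ["TeacherWifi", "StudentWifi"], ["Domain Users"]):
        print(groups, "->", profile_for_groups(groups))
    print("/23 usable hosts:", usable_hosts("10.0.0.0/23"))
    print("BYOD Student VLANs for 1500 devices, 20 reserved each:", vlans_needed(1500, reserved=20))
    print(subnet_plan("10.40.0.0/21", vlans_needed(1500, reserved=20)))
```

The practical point of `vlans_needed` is that the "1 VLAN = 512 IPs" arithmetic in the first post overstates capacity: 512 devices on one /23 already needs two VLANs once the two unusable addresses are counted, and a few DHCP reservations push the break-even lower still. Whatever the multi-VLAN mechanism ends up being (Device Classification tags or Topology Maps, as suggested above), the number of VLANs should come from this kind of count rather than from the nominal subnet size.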