Need Multiple VLANs on a Single SSID

Updated 3 years ago

We are a large school district and in the process of revamping how our Aerohive network is set up in each school. For each school we are planning on creating 5 SSIDs:

  • District Transient Staff
  • School Owned Devices
  • BYOD Teacher
  • BYOD Student
  • Guest

These different SSIDs will each be associated with a different VLAN, each in a /23 subnet. However, for our larger schools, it's possible that the BYOD Student SSID will require more than the 512 IPs available in a /23 subnet. Wondering if there is a way to associate multiple VLANs (and thus IP subnets) with a single SSID? That way we could scale the BYOD Student SSID in order to provide more IPs as necessary to our larger schools:

  • 1 VLAN = 512 IPs
  • 2 VLANs = 1024 IPs
  • 3 VLANs = 1536 IPs

It appears that you can associate multiple VLANs with a single SSID; however, how do the connecting clients know which VLAN they will be associated with in order to get a DHCP IP? How can we accomplish this? Any help would be great, thanks!
Peter Walach

Posted 3 years ago

Jonathan Hurtt

Peter,

Can I make a suggestion to decrease the number of SSIDs? Keeping the number of SSIDs to a minimum will be key to keeping 802.11 overhead to a minimum (for further reading: http://www.revolutionwifi.net/revolutionwifi/2013/10/ssid-overhead-how-many-wi-fi-ssids-are.html).

Also, with Aerohive you have the ability to have a single SSID with multiple keys using Private Pre-Shared Keys (aka PPSK). This will help with consolidation of SSIDs when using WPA2/PSK and is a great alternative to WPA2/802.1X.

Let's say you are the IT admin at ACME School. You could create an SSID called ACME-WiFi and one called ACME-Guest-WiFi.

For ACME-WiFi you could create 4 different PPSKs, one for each of the following use cases:

  • District Transient Staff - PPSK - "l3tsgo@cm3p"
  • School Owned Devices - PPSK - "d1str1ct0wn3d"
  • BYOD Teacher - PPSK - "Acm3T3ach3r" (widely known only amongst teachers)
  • BYOD Student - PPSK - "LetsGoAcme" (widely known for students)

And then you could put another PPSK key on ACME-Guest-WiFi or use Aerohive's IDManager to help facilitate the distribution of keys to guest users (more info on IDManager here: http://www.aerohive.com/products/cloud-services-platform/id-manager).

For ACME-WiFi, each key would be assigned to a different User Profile, which in turn is assigned to a different VLAN:

  • District Transient Staff --> Staff-User --> VLAN 110
  • School Owned Devices --> Student-User --> VLAN 120
  • BYOD Teacher --> BYOD-Teacher --> VLAN 130
  • BYOD Student --> BYOD-Student --> VLAN 140

Now to answer your question about multiple VLANs on a single SSID (which is now a single User Profile).

For your BYOD Student User Profile you can assign multiple VLANs based on location by using Device Classification. Below is an example where I used Device Classification Tags to assign multiple VLANs to a single VLAN Object. You can also use Topology Maps and Device Names to make this declaration.

Hope this helps.
Jonathan Hurtt

And this was if you are not using 802.1X authentication.
Peter Walach

Thanks for the great info. We don't have any RADIUS capabilities at the moment. Just tried creating a new SSID, but I don't see the ability to have more than one PPSK within it. Am I missing something there?
Jonas Dekkers

Can you check if your hive is in Enterprise Mode (and not in Express Mode)? If you are using Express Mode you can see this under Home --> Device Management settings.

Can you send us a screenshot of your configuration page?

Steps to configure PPSK for bulk creation
====================
1) On SSID level: choose Private PSK.
2) Make 4 user groups (District Transient Staff, School Owned Devices, BYOD Teacher, BYOD Student) and choose "Manually created private PSK users".
--> Be sure you don't use too strict a password policy.
--> You can define for how long the PPSK passwords will be valid.
--> Define a unique User Profile attribute number for every user group.
3) Make 4 User Profiles (here you can define the VLANs, and you need to use the same attribute numbers as you used for the user groups --> the attribute number will match the user group with the User Profile).
4) Go to Advanced Configuration (left side of the screen) --> Authentication --> Local Users.
5) Here you can create users or import users with a CSV file (see my post below).
Hans Matthé

Hello Peter,
I think you can solve this by dividing your students into different security groups and creating multiple User Profiles (one per security group), and so connecting the different VLANs.
Hans Matthé

Of course, if you have the ability to use Active Directory and 802.1X.
Nicolas Maton

802.1X dynamic VLAN can handle this. Search the forum and you'll find it :)

https://community.aerohive.com/aerohive/topics/dynamic-vlan-based-on-mac-address
Jonas Dekkers

If you have Active Directory or an alternative, go for 802.1X. If you don't have this, you can go for PPSK. If you want to do full monitoring (on user level) I would suggest making a PPSK for every user with a CSV file. If I were you I would make 2 SSIDs: one for the guests and one for all the other users.

802.1X with Active Directory configuration
===============================
You can map Active Directory security groups to an Aerohive User Profile. So for your example I would make 4 Aerohive User Profiles (District Transient Staff, School Owned Devices, BYOD Teacher, BYOD Student) and assign the right VLAN to each User Profile. The mapping of the security groups you can do here: Configuration --> go to the menu on the left side (if it's closed, click on Show nav) --> Advanced Configuration --> Authentication --> Aerohive AAA Server Settings --> Database Settings --> activate the checkbox "LDAP server attribute mapping".

BYOD devices will not be in the domain, so it's possible that you get some certificate issues on Windows machines. I would suggest buying an external certificate to solve this.

PPSK configuration
================================
Create 4 user groups and 4 User Profiles (District Transient Staff, School Owned Devices, BYOD Teacher, BYOD Student). You can map every user group to the right User Profile (and VLAN).

Some tips:
* Define the difficulty of the password in the user group (personally I would suggest 8 characters long with only numbers and letters) --> special characters are very difficult for tablet/smartphone users.
* Create your own passwords in the CSV file; the created passwords must meet the requirements you configured on user group level (otherwise the system will create a 64-character password).

I have created my own web application where our clients can create their own CSV file by only uploading an Excel or CSV file with the names and e-mail addresses of the users. So they only need to make a simple CSV file and select in a dropdown box which kind of users (= which user group) they are going to upload.

I hope this was helpful. If you need more information, just ask :-D.
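The per-user PPSK CSV workflow from the tips above, as an added Python example; this is not Jonas's web application nor Aerohive's code. It enforces the suggested 8-character letters-and-digits policy so no key is silently replaced by a generated 64-character one at import; the column layout and the attribute numbers are assumptions to be matched against the Local Users import template.

```python
import csv
import io
import secrets
import string

# Policy from the tips above: 8 characters, letters and digits only, so the keys
# are easy to type on tablets and phones. A key that fails the policy set on the
# user group is replaced at import by a generated 64-character one, so we check.
POLICY_LENGTH = 8
POLICY_ALPHABET = string.ascii_letters + string.digits

# The four user groups from the thread and the user-profile attribute number that
# ties each group to its User Profile (the numbers are constructed samples).
USER_GROUPS = {
    "District Transient Staff": 1,
    "School Owned Devices": 2,
    "BYOD Teacher": 3,
    "BYOD Student": 4,
}


def meets_policy(password, length=POLICY_LENGTH, alphabet=POLICY_ALPHABET):
    """Mirror the user-group policy so nothing in the CSV is silently replaced."""
    return len(password) == length and all(ch in alphabet for ch in password)


def generate_ppsk(length=POLICY_LENGTH, alphabet=POLICY_ALPHABET):
    """Draw the key from the OS CSPRNG via secrets, never from the random module."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def build_import_csv(users, user_group):
    """One import file per user group from (name, email) pairs; columns are an assumption."""
    if user_group not in USER_GROUPS:
        raise ValueError(f"unknown user group: {user_group!r}")
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["Name", "Email", "UserGroup", "Attribute", "Password"])
    for name, email in users:
        key = generate_ppsk()
        if not meets_policy(key):  # defensive: generate_ppsk honours the policy
            raise RuntimeError("generated key violates the configured policy")
        writer.writerow([name, email, user_group, USER_GROUPS[user_group], key])
    return buf.getvalue()


def parse_import_csv(text):
    """Read an import file back as a list of dicts, e.g. to verify it before upload."""
    return list(csv.DictReader(io.StringIO(text)))
```

Generate one file per user group and keep the output under the same access controls as any other credential store, since each row is a live Wi-Fi key.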
Peter Walach

Thanks for all of the suggestions everyone. I haven't had a chance to look at this for a few days, so I'm just catching up now. For our situation, I think it would be too much work using the PPSK configuration as we have over 25,000 student users in our region, so I would rather leverage the existing Active Directory. Unfortunately, we are not at a place yet where we have one large Active Directory throughout our over 100 schools. They are all acting as independent entities at the moment, each school with its own Windows Active Directory domain.

So, we really need to decide between one of two situations:

  1. Use NPS on the school's Windows DC to act as a RADIUS server. The problem with this setup is that we would also need to install Windows Certificate Services on each server to act as its own CA, which creates even more duplicate work at each site. It may also present a problem for BYOD devices (iPads, smartphones etc.) because the certificate is not trusted.
  2. Use the Aerohive APs located at the school to act as the RADIUS server and then connect to the local school's Active Directory on the Windows Server for authentication. This might be the best option as we can then leverage the Aerohive trusted certificate, thus avoiding the certificate issue and not having.

Our situation is made even more complicated by the fact that in some schools we have the ability to use VLANs and in others we do not have the infrastructure to support it. Thus we would need two different models, one for schools that support VLANs and one for schools that do not.

So, based on the suggestions above, I like the idea of having just 2 SSIDs: one for the District Transient Staff that would use one pre-shared key, and a second SSID that would encompass the following 4 different User Profiles:

  • School Owned Devices
  • BYOD Teacher
  • BYOD Student
  • Guest

Guest would be the default User Profile. So, all that being said, how could we accomplish this for the two different situations we have, schools with VLANs and schools without VLANs?

Hans Matthé

Hello Peter,

First, the certificate issue on BYOD will only be solved if you buy a certificate from a public CA.

For the situations with the VLANs, I think the best way to handle this is to use the topology maps feature, where you add the building plans and place the correct access points on these plans. Doing this enables Aerohive to decide which VLAN to use.

https://community.aerohive.com/aerohive/topics/can-i-use-the-same-ssid-at-different-locations-with-d...


Peter Walach

Hi Hans:

Our hive has a certificate from a public CA, so I think that would work fine. In terms of the VLAN situation, we want users to be put into a VLAN based on group membership in Active Directory, so when a student logs on with a BYOD device (member of the StudentWifi AD group), they would go into VLAN 400; when a teacher logs on with a BYOD device (member of the TeacherWifi AD group), they would go into VLAN 300; school devices (school-owned equipment, laptops or tablets) would use VLAN 200; and the default profile would be for Guest using VLAN 500. Our school server would have a DHCP range for each different VLAN.
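The group-to-VLAN mapping Peter describes, as an added Python model of the RFC 3580 reply a RADIUS server (the NPS path in his option 1) would return; this is not Aerohive's or NPS's code. The StudentWifi/TeacherWifi group names and the VLAN numbers are from the post; the SchoolDevices group name, the memberOf DN format and the first-match precedence are assumptions. In option 2 (Aerohive AAA with LDAP attribute mapping) the AP performs this mapping itself, so the same precedence question has to be settled in the User Profile order there.

```python
# RFC 3580 values a RADIUS server places in the Access-Accept to assign a VLAN.
TUNNEL_TYPE_VLAN = 13        # Tunnel-Type = VLAN
TUNNEL_MEDIUM_IEEE_802 = 6   # Tunnel-Medium-Type = IEEE-802

# AD group -> VLAN in precedence order (first match wins), so a teacher who is
# also in StudentWifi lands in the teacher VLAN. VLAN numbers and the
# StudentWifi/TeacherWifi names are from the thread; SchoolDevices is assumed.
GROUP_VLAN_PRECEDENCE = [
    ("SchoolDevices", 200),
    ("TeacherWifi", 300),
    ("StudentWifi", 400),
]
DEFAULT_VLAN = 500  # Guest, the default User Profile for anyone unmatched


def group_cn(dn):
    """Return the CN of a group DN such as 'CN=StudentWifi,OU=Groups,DC=acme,DC=local'."""
    first = dn.split(",", 1)[0].strip()
    if not first.upper().startswith("CN="):
        raise ValueError(f"not a group DN: {dn!r}")
    return first[3:].strip()


def assign_vlan(member_of):
    """Pick the VLAN from a user's memberOf DNs; unknown or no groups fall through to Guest."""
    names = {group_cn(dn).casefold() for dn in member_of}  # AD group names are case-insensitive
    for group, vlan in GROUP_VLAN_PRECEDENCE:
        if group.casefold() in names:
            return vlan
    return DEFAULT_VLAN


def radius_reply(member_of):
    """Reply attributes; Tunnel-Private-Group-ID is a string per RFC 3580."""
    return {
        "Tunnel-Type": TUNNEL_TYPE_VLAN,
        "Tunnel-Medium-Type": TUNNEL_MEDIUM_IEEE_802,
        "Tunnel-Private-Group-ID": str(assign_vlan(member_of)),
    }
```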

Hans Matthé

Hello Peter,

It will work with the certificate of the public CA. I still believe the topology maps will provide a solution (in combination with the LDAP mapping of attributes).