We are looking at implementing the following environment:
MX68 Appliance
3 MS120-48LP switches
12 MR36 APs
We have 40 private VLANs set for wired clients. (It's a shared office environment with 40 individual tenants all with their own private VLAN.) Is there a way to allow these clients the ability to access their own private VLAN(s) wirelessly while roaming between multiple APs if they are moving around the building?
In short:
Client one's network has a private VLAN (we'll say VLAN1) on the wired connection in the office, but they want to be able to access that private VLAN from any AP while connected wirelessly.
In our scenario there are 39 more clients with a private VLAN, all like Client one, that want to access their own private VLAN via wireless.
Can this be configured on the equipment listed above? Maybe through Group Policy? I see how to set a VLAN per SSID, or tag multiple VLANs to a SSID, but not sure how to allow the client to access them individually.
Thanks in advance!
Under Wireless > Configure > Firewall & Traffic shaping, change the rule on the SSID to allow clients to access the LAN.
Thanks. I can get them to access the LAN, but I need the ability to have them access their private VLAN (each user has a different VLAN on their wired connections to their offices) via wireless.
Perhaps use IPSK. You could define per client Group Policies which map the SSID to their private VLAN. Then on the common SSID use IPSK so each client has a unique non-shared/known PSK preventing them from accessing another user's VLAN.
Assuming the 40 VLANs exist on the MX you'd also want firewall rules there to prevent VLAN to VLAN communications.
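An added example, not part of the original replies and not Meraki tooling: a Python check of the plan described above, with one PSK and group policy per tenant VLAN plus a deny rule between tenant subnets. The VLAN IDs, subnets, policy names and the first-match rule model with a trailing allow are assumptions made for illustration.

```python
import ipaddress
import secrets

TENANTS = 40  # from the thread: 40 tenants, one private VLAN each

def build_plan(n=TENANTS):
    """One row per tenant: VLAN, subnet, group policy name, unique random PSK."""
    return [{
        "vlan": 100 + i,                                    # constructed VLAN IDs
        "subnet": ipaddress.ip_network(f"10.20.{i}.0/24"),  # constructed subnets
        "group_policy": f"tenant-{i:02d}",                  # hypothetical policy name
        "psk": secrets.token_urlsafe(18),                   # 24 random characters
    } for i in range(1, n + 1)]

# Simplified rule list, evaluated top-down, first match wins (assumed model).
# Assumes every tenant subnet sits inside the single supernet 10.20.0.0/16.
SUPERNET = ipaddress.ip_network("10.20.0.0/16")
ANY = ipaddress.ip_network("0.0.0.0/0")
RULES = [("deny", SUPERNET, SUPERNET), ("allow", ANY, ANY)]

def verdict(src, dst, rules=RULES):
    """Return the policy of the first rule matching a src/dst address pair."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for policy, src_net, dst_net in rules:
        if src in src_net and dst in dst_net:
            return policy
    return "deny"

def audit(plan, rules=RULES):
    """List every way the plan fails to keep tenants apart."""
    problems = []
    if len({t["psk"] for t in plan}) != len(plan):
        problems.append("duplicate PSK: two tenants would share a key")
    if len({t["vlan"] for t in plan}) != len(plan):
        problems.append("duplicate VLAN ID")
    for a in plan:
        host_a = str(a["subnet"][10])  # sample host in tenant a's subnet
        if verdict(host_a, "8.8.8.8", rules) != "allow":
            problems.append(f"{a['group_policy']}: Internet blocked")
        for b in plan:
            if a is b:
                continue
            if a["subnet"].overlaps(b["subnet"]):
                problems.append(f"{a['group_policy']}/{b['group_policy']}: overlap")
            if verdict(host_a, str(b["subnet"][10]), rules) != "deny":
                problems.append(f"{a['group_policy']} can reach {b['group_policy']}")
    return problems

if __name__ == "__main__":
    print(audit(build_plan()) or "plan isolates all tenants")
```
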
Thanks! I think this may be the answer I am looking for. Let me research a bit on it to make sure, but this looks like a great start!
I got it, in my opinion it's the best option:
But the options that @Ryan_Miles suggested to you are good too.
Splash Access (a paid option) also has a brilliant "multi-dwelling" system. It has a portal where clients can on-board their own WiFi devices, and it drops their devices into their own private VLAN automatically.
True. Splash Access is a great solution but a little overkill for this particular project.