Header Only - DO NOT REMOVE - Extreme Networks

Creation of a single SSID with Extreme Control

Userlevel 5

I would like to create a single SSID for all my wireless requirements, and protect that with a pre-shared key so that other wireless users in the building can't, say, make use of the Guest internet.

At the moment I have the following SSIDs:

1) "Guest" - this is providing a captive portal via Extreme Control via MAC authentication
2) "Internal" - this is doing 802.1x authentication via Extreme Control
3) "MobileIron" - this is doing MAC authentication via Extreme Control

Any corporate device I think I can push the SSID and pre-shared key out via Windows policy. Guest and MobileIron users can simply enter the pre-shared key when they connect.

So handling this through Extreme Control I believe I can do, but not sure what to do about the authentication and redirection methods for combining the SSID's on the wireless controller.

For example: Guest and MobileIron use MAC Auth and Internal uses 802.1x in the 'Auth & Act' section of the WLAN config, see image below first for internal 802.1x

and the following for Guest and Mobileiron:

So is the answer that I simply create the a single SSID, set the mode to 802.1x but also tick the box for 'Enable MAC-Based authentication' - but I don't believe that's going to work for all situations?

Would web redirection at the controller still work for Guest users to Extreme Control captive portal - or does SSID always need to be separate?

The reason I want to combine Guest with a single SSID is that on the wired network if anyone connects to the network that fails authentication it is automatically dropped to the Guest network where they are redirected to a captive portal page and then only get internet access, and want to do the same for wireless as dynamically as it does for wired.

With wired I can set the authentication methods to first use 802.1x then MAC, but not sure I can do that same for wireless - which I think is the sum of the problem?

If you have any experience let me know, many thanks in advance.

5 replies

Userlevel 3

When using Extreme Control (NAC) we will usually create 2 SSIDs, one for 802.1X and the other for Guest/BYOD/non-802.1X capable devices (MAC Auth). The 802.1X SSID is hidden, and the Other SSID is open.

The .1X clients just come onto the network without any other user intervention - using Machine Authentication.

The Guest/BYOD devices get a splash screen for them to log in. If the device already has an active registration, it comes on without other user interaction.

For your devices that are district/company owned (would go on your 'MobileIron' SSID - I assume) and are not capable of 802.1X, we create end-system groups in EC and list them by MAC.

So long at you set up your Roles on your Extreme Wireless, and have the EC Profile that has the same name applied to the device, everything should work without a hitch.

i.e. - owned device that get MAC Auth - Role on wireless controller is named 'MobileIron Device', So long as the profile that EC assigns that device is 'MobileIron Device' the device should be assigned the correct VLAN etc. (of course the names can be anything you want them to be...)


Userlevel 5
Hi Bill,

Thanks for taking the time to response, and the detailed answer.

That's perfect - that's what I will therefor do 🙂


Userlevel 3
You're very welcome!! Let us know if you need any help getting this in place!

Userlevel 5
Bill Handler wrote:

You're very welcome!! Let us know if you need any help getting this in place!


Thanks Bill.
Userlevel 6
Hey Martin,

The problem that we see is as soon as you enable 802.1x on the SSID when they attempt to associate to the SSID mobile devices will prompt the user for username/password rather then pushing them straight to the captive portal. I always recommend a separate SSID for 802.1x just to improve user experience if captive portal is going to be used.