
Creation of a single SSID with Extreme Control

  • 28 February 2018
  • 9 replies
  • 538 views

Userlevel 5
Hi,

I would like to create a single SSID for all my wireless requirements, and protect that with a pre-shared key so that other wireless users in the building can't, say, make use of the Guest internet.

At the moment I have the following SSIDs:

1) "Guest" - this is providing a captive portal via Extreme Control via MAC authentication
2) "Internal" - this is doing 802.1x authentication via Extreme Control
3) "MobileIron" - this is doing MAC authentication via Extreme Control

For any corporate device I think I can push the SSID and pre-shared key out via Windows policy. Guest and MobileIron users can simply enter the pre-shared key when they connect.

So handling this through Extreme Control I believe I can do, but I'm not sure what to do about the authentication and redirection methods for combining the SSIDs on the wireless controller.

For example: Guest and MobileIron use MAC Auth and Internal uses 802.1x in the 'Auth & Act' section of the WLAN config; see the image below, first for Internal 802.1x



and the following for Guest and Mobileiron:



So is the answer that I simply create a single SSID, set the mode to 802.1x but also tick the box for 'Enable MAC-Based authentication'? But I don't believe that's going to work for all situations.

Would web redirection at the controller still work for Guest users to Extreme Control captive portal - or does SSID always need to be separate?

The reason I want to combine Guest into a single SSID is that on the wired network, if anyone connects and fails authentication, they are automatically dropped to the Guest network, where they are redirected to a captive portal page and then only get internet access. I want to do the same for wireless, as dynamically as it happens for wired.

With wired I can set the authentication methods to first use 802.1x then MAC, but not sure I can do that same for wireless - which I think is the sum of the problem?

If you have any experience let me know, many thanks in advance.

9 replies

Userlevel 3
Martin,

When using Extreme Control (NAC) we will usually create 2 SSIDs, one for 802.1X and the other for Guest/BYOD/non-802.1X capable devices (MAC Auth). The 802.1X SSID is hidden, and the Other SSID is open.

The .1X clients just come onto the network without any other user intervention - using Machine Authentication.

The Guest/BYOD devices get a splash screen for them to log in. If the device already has an active registration, it comes on without other user interaction.

For your devices that are district/company owned (would go on your 'MobileIron' SSID - I assume) and are not capable of 802.1X, we create end-system groups in EC and list them by MAC.

So long as you set up your Roles on your Extreme Wireless, and have the EC Profile with the same name applied to the device, everything should work without a hitch.

i.e. - for owned devices that get MAC Auth, the Role on the wireless controller is named 'MobileIron Device'. So long as the profile that EC assigns that device is 'MobileIron Device', the device should be assigned the correct VLAN etc. (of course the names can be anything you want them to be...)

Thanks,

Bill
Userlevel 5
Hi Bill,

Thanks for taking the time to respond, and the detailed answer.

That's perfect - that's what I will therefore do :)

Cheers,

Martin
Userlevel 3
You're very welcome!! Let us know if you need any help getting this in place!

Bill
Userlevel 5
Thanks Bill.
Userlevel 6
Hey Martin,

The problem that we see is that as soon as you enable 802.1x on the SSID, when they attempt to associate to the SSID, mobile devices will prompt the user for username/password rather than pushing them straight to the captive portal. I always recommend a separate SSID for 802.1x just to improve user experience if captive portal is going to be used.

Thanks
-Ryan
What do you do to prevent devices in an End-System Group from joining guest and jumping directly to their spot in the NAC policy? My concern is a corporate device is connected to the guest wireless and now traffic is not encrypted and the device now has access to more network resources than intended on guest wifi. Can you have two policies in the NAC? One for enterprise (WPA/MAC Auth and 802.1x Auth) and one for Guest? Or am I missing something altogether?
Userlevel 3
Martin,

Depending on how you set this up, you can create rules to deny access if those devices connect on the guest SSID. Also you can set it to deny devices that are in AD from connecting to the guest SSID.
Can you give me more details? I can't find where the NAC knows what SSID they connected from.
Userlevel 5
Hi Steve,

NAC can be informed by the controller of the AP name and SSID name (i.e. location) with RADIUS TLVs that are configurable in the WLAN -> Auth & Acct tab settings in the controller GUI. Then you can use the AP name or SSID name or something else as an item in your Location Group in NAC, so it can be used as one of the criteria (the same applies to switches - IPs, ports).

Hope that helps,
Tomasz
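To make the two answers above concrete (Bill's "profile name matches the controller Role name" mapping, and Tomasz's point that NAC can key rules on the SSID the controller reports in RADIUS), here is an added toy policy evaluator. It is example code written for this thread, not Extreme Control or Extreme Wireless code, and it assumes a few things: that the controller sends the SSID inside Called-Station-Id in the common "AP-MAC:SSID" form (on a real controller check the Auth & Acct TLV settings rather than relying on this), that the client MAC arrives in Calling-Station-Id, that the presence of an EAP-Message attribute means the session authenticated with 802.1x, and that the end-system group names, SSID names and profile/role names are the ones invented here. The request dictionaries and MAC lists are constructed sample data.

```python
"""Toy NAC decision logic keyed on the SSID reported by the wireless controller.

Added example for this thread; not Extreme Control code. It answers Steve's
question above: an end-system-group device that associates to the Guest SSID
is rejected instead of being placed in its corporate profile.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed end-system groups (the NAC "list them by MAC" groups Bill mentions).
END_SYSTEM_GROUPS = {
    "MobileIron Devices": {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"},
    "Registered Guests": {"de:ad:be:ef:00:10"},
}

# Assumed SSID names; the profile names returned below are assumed to match the
# Role names configured on the controller (Bill's convention).
CORP_SSID = "Internal"
GUEST_SSID = "Guest"

# Assumed Called-Station-Id convention "AP-MAC:SSID", e.g. "00-11-22-33-44-55:Guest".
_CALLED_STATION_RE = re.compile(r"^([0-9A-Fa-f]{2}(?:[-:][0-9A-Fa-f]{2}){5}):(.+)$")


@dataclass
class Decision:
    action: str                     # "accept", "reject" or "redirect"
    profile: Optional[str] = None   # NAC profile / controller Role name to return
    reason: str = ""


def normalize_mac(raw: str) -> str:
    """Canonicalise any common MAC spelling to lower-case, colon-separated."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).lower()


def ssid_from_called_station(called_station_id: str) -> str:
    """Extract the SSID from an assumed 'AP-MAC:SSID' Called-Station-Id."""
    m = _CALLED_STATION_RE.match(called_station_id)
    if not m:
        raise ValueError(f"unexpected Called-Station-Id: {called_station_id!r}")
    return m.group(2)


def groups_for(mac: str) -> set:
    return {name for name, macs in END_SYSTEM_GROUPS.items() if mac in macs}


def evaluate(request: dict) -> Decision:
    """Decide what to return for one RADIUS Access-Request (constructed dict).

    Rule order matters: the SSID (location) check runs before any
    end-system-group match, so a corporate MAC on the Guest SSID never
    "jumps to its spot" in the policy.
    """
    mac = normalize_mac(request["Calling-Station-Id"])
    ssid = ssid_from_called_station(request["Called-Station-Id"])
    used_8021x = "EAP-Message" in request     # assumption: EAP present => 802.1x
    groups = groups_for(mac)

    if ssid == CORP_SSID:
        if used_8021x:
            return Decision("accept", "Internal User", "802.1x on corporate SSID")
        if "MobileIron Devices" in groups:
            return Decision("accept", "MobileIron Device", "MAC auth, owned device")
        return Decision("reject", None, "unknown MAC failed MAC auth on corporate SSID")

    if ssid == GUEST_SSID:
        if "MobileIron Devices" in groups:
            # The deny rule Bill describes: owned devices must not use Guest.
            return Decision("reject", None, "owned device on Guest SSID")
        if "Registered Guests" in groups:
            return Decision("accept", "Guest Access", "active guest registration")
        return Decision("redirect", "Unregistered", "send to captive portal")

    return Decision("reject", None, f"no rule for SSID {ssid!r}")


if __name__ == "__main__":
    # Constructed requests: the owned device tries Guest, then Internal.
    for called in ("00-11-22-33-44-55:Guest", "00-11-22-33-44-55:Internal"):
        req = {"Calling-Station-Id": "AA-BB-CC-00-00-01", "Called-Station-Id": called}
        print(called, "->", evaluate(req))
```

The ordering is the whole point: evaluating location (SSID) before end-system-group membership is what stops a known corporate MAC from landing in its corporate profile over an open Guest association. On a real deployment the SSID/AP name comes from whichever RADIUS attribute you enable on the controller, and the Location Group in NAC plays the role of the `ssid ==` checks here.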
