Guest Network Setup and Configuration Suggestions

  • Question
  • Updated 4 days ago
I'm looking at options to set up a guest wireless network SSID that assigns a different IP address based on your authentication (preferred local accounts on the EWC, but I have a Windows 2016 NPS RADIUS server set up as well, if needed).  Network traffic would be handled differently, depending on a guest IP address.  We are using an EWC V2110 (v10.31.09.0002) and I would prefer the IP address get assigned by the controller from local IP pools, if possible, but a DHCP server is already available as well.  All guest traffic currently tunnels back to the controller and I would like it to remain this way, if possible.  We currently have a guest network set up, but everyone auths using a WPA pre-shared key and then they are all assigned under the same IP pool.

Do you think I can accomplish this using a guest web portal?  Any help on guiding me in the right direction on how to set this up, and to some documentation, would be helpful too.

Thank you.

sweetsudo

  • 70 Points

Posted 4 days ago


Tomasz

  • 2,316 Points
Hi Sweetsudo,

I don't see VLAN/role differentiation with Guest Portal authentication, but you can do it in many ways:
1. RADIUS sends RFC3580-compliant VLAN ID which is for both VLAN ID and the topology (so this way you can also decide if it'll be B@AP or B@EWC), then if it's a B@EWC, the relevant topology (each for every VLAN) should have L3 enabled and DHCP scope defined.
2. RADIUS sends user role name as a Filter-ID attribute, and the role has a default action of 'Contain to VLAN', so that's how it'll be directed to appropriate topology (thus VLAN, thus IP scope).
3. RADIUS sends both role name and RFC3580, so the role name will be just for default allow/deny action and some rules for granular control over the user traffic, and VLAN ID will be used to assign the topology (thus VLAN, thus IP scope).
Personally, I like the last approach the most, because with RFC 3580 you get a consistent approach to VLAN provisioning across the entire set of devices, both wired and wireless, 3rd party as well. Then the role name might be something extra for Extreme devices for traffic control.

I would think twice before using controller-based scopes for each VLAN, especially if you have a DHCP server over there. A dedicated server should be less effort to add/remove/modify pools, and remember the limited capability of the EWC DHCP server compared to dedicated DHCP servers like in Windows Server or OpenDHCP or else (options, reservations, exclusions, visibility etc.). Then you could simply have this external DHCP server, and from each VLAN it can be addressed correctly with BOOTP Relay (EXOS) or a differently named feature that passes the DHCP broadcast request from one VLAN as a unicast request to the server on another VLAN.

Could you please explain your approach to traffic control based on a guest IP address? I mean, if you have roles capability (that would be used here for VLAN assignment perhaps), and each role would be devoted to just a single IP subnet, do you have a use case for that?

Hope that helps,
Tomasz
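As an added example (not from this thread and not EWC or NPS code), here are the attribute shapes Tomasz's three approaches rely on: the RFC 3580 VLAN triplet (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID) and a Filter-ID role name, encoded as raw RADIUS attributes and then checked the way a NAS should check them before honouring the VLAN. Attribute numbers come from RFC 2865/2868; the role name "GuestTier1" and the VLAN numbers are constructed sample values.

```python
import struct

# RADIUS attribute types (RFC 2865 / RFC 2868) and the RFC 3580 VLAN values
FILTER_ID, TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 11, 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_802 = 13, 6

def attr(atype, value):
    """Encode one RADIUS attribute as type, length, value (length covers the header)."""
    return struct.pack("BB", atype, 2 + len(value)) + value

def build_accept_attrs(vlan_id, role=None, tag=1):
    """Attribute bytes an Access-Accept would carry: the RFC 3580 triplet
    (approach 1), plus a Filter-ID role name when given (approach 3)."""
    out = attr(TUNNEL_TYPE, bytes([tag]) + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
    out += attr(TUNNEL_MEDIUM_TYPE, bytes([tag]) + TUNNEL_MEDIUM_802.to_bytes(3, "big"))
    out += attr(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan_id).encode())
    if role:
        out += attr(FILTER_ID, role.encode())
    return out

def parse_attrs(data):
    """Split an attribute list into (type, value) pairs, rejecting bad lengths."""
    attrs = []
    while data:
        alen = data[1] if len(data) > 1 else 0
        if alen < 2 or alen > len(data):
            raise ValueError("malformed RADIUS attribute")
        attrs.append((data[0], data[2:alen]))
        data = data[alen:]
    return attrs

def split_tag(value):
    """RFC 2868: a leading byte of 0x00..0x1F is a tag (0 = untagged, as NPS
    often sends); anything larger is the first byte of the data."""
    return (value[0], value[1:]) if value and value[0] <= 0x1F else (0, value)

def decide_assignment(data):
    """Return (vlan_id, role). The VLAN is honoured only when all three tunnel
    attributes agree (same tag, VLAN type, IEEE-802 medium, group ID a valid
    VLAN number); otherwise vlan_id is None and the client stays on the default."""
    groups, role = {}, None
    for atype, value in parse_attrs(data):
        if atype == FILTER_ID:
            role = value.decode("ascii", "replace")
        elif atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID):
            tag, body = split_tag(value)
            groups.setdefault(tag, {})[atype] = body
    for g in groups.values():
        gid = g.get(TUNNEL_PRIVATE_GROUP_ID, b"").decode("ascii", "replace")
        if (int.from_bytes(g.get(TUNNEL_TYPE, b""), "big") == TUNNEL_TYPE_VLAN
                and int.from_bytes(g.get(TUNNEL_MEDIUM_TYPE, b""), "big") == TUNNEL_MEDIUM_802
                and gid.isdigit() and 1 <= int(gid) <= 4094):
            return int(gid), role
    return None, role
```

A useful check when troubleshooting an NPS policy is to confirm that all three tunnel attributes share the same tag value, since a mismatched or missing one is the usual reason a controller silently leaves the client on the default topology.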