Do you think I can accomplish this using a guest web portal? Any help on guiding me the right direction in how to set this up and to some documentation would be helpful too.
Best answer by Tomasz
So the most basic approach is to have different topologies (with their VLAN IDs), either each as a separate SSID, or just one-two SSIDs with RADIUS doing the work with RFC 3580 - RADIUS attributes along with access-accept message will define to which VLAN a user should be put, thus he will get appropriate subnet from DHCP server. Then you should be good to go with subnet-based filtering. This seems most convienient for me at the moment.
A1 - each VLAN (for each subnet and user pool separation) shall be a separate topology, either B@AP or B@EWC, and RADIUS can assign appropriate one upon authentication. B@AP needs to put all the possible VLANs right at the edge of your LAN, B@EWC gives you an option to terminate those VLANs at network segment where the controller stays. OTOH, wireless traffic would be a load for the controller, take care in case of huge traffic flows.
A2 - for RADIUS-based VLAN assignment you need three attributes sent out for a matching user in your RADIUS/NPS/NAC profile, that should be:
- Tunnel-Type = 13, Tunnel-Medium-Type = 6, Tunnel-Private-Group-ID =
On the controller side, you should make sure that in VNS->Global->Authentication->RFC 3580 (ACCESS-ACCEPT) Options you have third option selected (most likely), aand the topologies are there. You can refer to ExtremeWireless user guide for more details as well: https://www.extremenetworks.com/support/documentation/extremewireless-software-10-41/
A3 - it depends on your environment; if you have 11b support with 1Mbps min. basic rate on your APs enabled, and there is 2,4 GHz with far-from-optimal channel re-use and on full power for transmission, you might have more than just 1 AP seen on the same channel in the same spot in the office, it can be like 4 or 5 for example. Then, each SSID kills your throughput more. But it hasn't be that way of course. Personally I prefer 1 office WLAN (with per-use case VLANs and Roles) and 1 guest WLAN (just in case, different VLAN and Role obviously).
Edit: What I forgot to mention, you can have your single SSID with not just different VLANs but with different topology. A user that has a role 'IT Staff', or is put via RFC 3580 to VLAN ID 100, can be bound to B@AP topology that has VID 100, while another user on the same SSID with a role assignment like 'Payroll' or VLAN assignment like VLAN 200, can be bound to B@EWC topology that has VID 200. So you can select inside your SSID what should be filtered out centrally and what can go straight to the network at the edge.
Same applies even deeper, a user of some topology can have a role assigned, where some type of traffic is contained in another VLAN (topology).