Solved

Guest Network Setup and Configuration Suggestions

  • 8 November 2018
  • 4 replies
  • 942 views

I'm looking at options to set up a guest wireless network SSID that assigns a different IP address based on your authentication (preferred local accounts on the EWC but I have a Windows 2016 NPS radius server setup as well, if needed). Network traffic would be handled differently, depending on a guest IP address. We are using an EWC V2110 (v10.31.09.0002) and I would prefer the IP address get assigned by the controller from local IP pools, if possible, but a DHCP server is already available as well. All guest traffic currently tunnels back to the controller and I would like it to remain this way, if possible. We currently have a guest network set up but everyone auths using a WPA pre-shared key and then they are all assigned under the same IP pool.

Do you think I can accomplish this using a guest web portal? Any help on guiding me the right direction in how to set this up and to some documentation would be helpful too.

Thank you.

Best answer by Tomasz 15 November 2018, 01:15

Hi,

So the most basic approach is to have different topologies (with their VLAN IDs), either each as a separate SSID, or just one-two SSIDs with RADIUS doing the work with RFC 3580 - RADIUS attributes along with access-accept message will define to which VLAN a user should be put, thus he will get appropriate subnet from DHCP server. Then you should be good to go with subnet-based filtering. This seems most convenient for me at the moment.

A1 - each VLAN (for each subnet and user pool separation) shall be a separate topology, either B@AP or B@EWC, and RADIUS can assign appropriate one upon authentication. B@AP needs to put all the possible VLANs right at the edge of your LAN, B@EWC gives you an option to terminate those VLANs at network segment where the controller stays. OTOH, wireless traffic would be a load for the controller, take care in case of huge traffic flows.

A2 - for RADIUS-based VLAN assignment you need three attributes sent out for a matching user in your RADIUS/NPS/NAC profile, that should be:
    Tunnel-Type = 13, Tunnel-Medium-Type = 6, Tunnel-Private-Group-ID =
further reading (http://www.revolutionwifi.net/revolutionwifi/2011/01/dynamic-vlan-assignment_31.html). If you need more assistance here with NPS or FreeRADIUS, let us know. Or maybe you are going to use some NAC solution? Extreme Access Control? ;)
On the controller side, you should make sure that in VNS->Global->Authentication->RFC 3580 (ACCESS-ACCEPT) Options you have third option selected (most likely), and the topologies are there. You can refer to ExtremeWireless user guide for more details as well: https://www.extremenetworks.com/support/documentation/extremewireless-software-10-41/

A3 - it depends on your environment; if you have 11b support with 1Mbps min. basic rate on your APs enabled, and there is 2.4 GHz with far-from-optimal channel re-use and on full power for transmission, you might have more than just 1 AP seen on the same channel in the same spot in the office, it can be like 4 or 5 for example. Then, each SSID kills your throughput more. But it doesn't have to be that way of course. 🙂 Personally I prefer 1 office WLAN (with per-use case VLANs and Roles) and 1 guest WLAN (just in case, different VLAN and Role obviously).

HTH,
Tomasz

Edit: What I forgot to mention, you can have your single SSID with not just different VLANs but with different topology. A user that has a role 'IT Staff', or is put via RFC 3580 to VLAN ID 100, can be bound to B@AP topology that has VID 100, while another user on the same SSID with a role assignment like 'Payroll' or VLAN assignment like VLAN 200, can be bound to B@EWC topology that has VID 200. So you can select inside your SSID what should be filtered out centrally and what can go straight to the network at the edge.
Same applies even deeper, a user of some topology can have a role assigned, where some type of traffic is contained in another VLAN (topology).

4 replies

Hi Sweetsudo,

I don't see VLAN/role differentiation with Guest Portal authentication, but you can do it many ways though:
1. RADIUS sends RFC3580-compliant VLAN ID which is for both VLAN ID and the topology (so this way you can also decide if it'll be B@AP or B@EWC), then if it's a B@EWC, the relevant topology (each for every VLAN) should have L3 enabled and DHCP scope defined.
2. RADIUS sends user role name as a Filter-ID attribute, and the role has a default action of 'Contain to VLAN', so that's how it'll be directed to appropriate topology (thus VLAN, thus IP scope).
3. RADIUS sends both role name and RFC3580, so the role name will be just for default allow/deny action and some rules for granular control over the user traffic, and VLAN ID will be used to assign the topology (thus VLAN, thus IP scope).
Personally, I like the last approach the most, because with RFC 3580 you get consistent approach for VLAN provisioning across entire set of devices, both wired and wireless, 3rd party as well. Then role name might be something extra for Extreme devices for traffic control.

I would think twice before using controller based scopes for each VLAN, especially if you have a DHCP server over there. Dedicated server should be less effort to add/remove/modify pools, and remember the limited capability of EWC DHCP server compared to dedicated DHCP servers like in Windows Server or OpenDHCP or else (options, reservations, exclusions, visibility etc.). Then you could simply have this external DHCP server and from each VLAN it can be addressed correctly with BOOTP Relay (EXOS) or differently called feature that passes the DHCP broadcast request from one VLAN as a unicast request to the server on another VLAN.

Could you please explain your approach with traffic control based on a guest IP address? I mean, if you have roles capability (that would be used here for VLAN assignment perhaps), and each role would be devoted to just single IP subnet, do you have a use case for that?

Hope that helps,
Tomasz
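The attribute check the controller has to perform on a RADIUS Access-Accept, as an added example that is not from this thread or from Extreme: it parses the three RFC 3580 tunnel attributes from A2 in the best answer (including the RFC 2868 tag byte) together with the Filter-Id role from option 3 above, and only yields a VLAN when Tunnel-Type is 13 and Tunnel-Medium-Type is 6 on the same tag. The attribute blob, VLAN 200 and the 'Payroll' role are constructed sample values.

```python
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID, FILTER_ID = 64, 65, 81, 11
TUNNEL_TYPE_VLAN = 13        # RFC 3580: Tunnel-Type = VLAN
TUNNEL_MEDIUM_802 = 6        # RFC 3580: Tunnel-Medium-Type = IEEE-802

def parse_attributes(payload: bytes) -> list:
    """Split a RADIUS attribute blob into (type, value) pairs (RFC 2865 TLVs)."""
    attrs, pos = [], 0
    while pos < len(payload):
        atype, alen = payload[pos], payload[pos + 1]
        if alen < 2 or pos + alen > len(payload):
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((atype, payload[pos + 2:pos + alen]))
        pos += alen
    return attrs

def untag(atype: int, value: bytes):
    """Strip the optional RFC 2868 tag byte; return (tag, bare value)."""
    if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
        return value[0], int.from_bytes(value[1:4], "big")  # tag + 3-byte integer
    if atype == TUNNEL_PRIVATE_GROUP_ID and value and 1 <= value[0] <= 0x1F:
        return value[0], value[1:]   # a leading byte in 0x01..0x1F is a tag
    return 0, value

def vlan_from_access_accept(payload: bytes):
    """Return (vlan_id, role); vlan_id is None unless all three attributes agree."""
    tunnel, role = {}, None
    for atype, raw in parse_attributes(payload):
        if atype == FILTER_ID:
            role = raw.decode("ascii")
        elif atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID):
            tag, val = untag(atype, raw)
            tunnel.setdefault(tag, {})[atype] = val   # group attributes per tag
    for group in tunnel.values():
        if (group.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and group.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_802
                and TUNNEL_PRIVATE_GROUP_ID in group):
            return int(group[TUNNEL_PRIVATE_GROUP_ID].decode("ascii")), role
    return None, role   # controller falls back to the SSID's default topology

def attr(atype: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute TLV."""
    return bytes([atype, len(value) + 2]) + value

# Constructed sample Access-Accept attributes (tag 1) for a 'Payroll' user -> VLAN 200
SAMPLE_ACCEPT = (attr(TUNNEL_TYPE, b"\x01" + (13).to_bytes(3, "big"))
                 + attr(TUNNEL_MEDIUM_TYPE, b"\x01" + (6).to_bytes(3, "big"))
                 + attr(TUNNEL_PRIVATE_GROUP_ID, b"\x01" + b"200")
                 + attr(FILTER_ID, b"Payroll"))

if __name__ == "__main__":
    print(vlan_from_access_accept(SAMPLE_ACCEPT))   # (200, 'Payroll')
```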
Sorry for the delayed response and thanks for your attention on this. The main use case is to filter Internet traffic differently for one group of guest wireless users than the other. Mainly, one group will be more restricted on websites they can access versus the other. Filtering based off IP address would make this easy to do with our Internet filtering solution. The EWC solution, if we can figure it out, would only be assisting in assigning IP addresses and tunneling back to the EWC. After an IP address has been assigned, the network traffic is identified by the Internet filtering solution via that IP and restricts/allows according to its IP-based rules.

(Q1) Would a B@EWC option allow multiple subnets by sending the VLAN ID via Radius? I can use an external DHCP server via BOOTP, as you mentioned, with no problem. I see B@AP being a more complicated option but I think I understand your suggestion there, even though I haven't implemented this type of traffic separation on EWC before. I'm hoping to use B@EWC for both subnets if possible. If that's not possible, I may go to plan B which I referenced below. (Q2) Do you know of any good examples or documentation in getting the EWC setup with accepting and utilizing multiple vlans sent by a Radius server?

Plan B) (Q3) Do you think setting up a 3rd SSID would affect wireless traffic much? I have always been told that best practice is to have the fewest amount of SSIDs as possible. A 3rd SSID would probably be the easiest to setup but I was trying to conserve air time. I found this matrix for a visual: http://www.revolutionwifi.net/revolutionwifi/p/ssid-overhead-calculator.html. According to this chart, it shouldn't be a huge impact unless we are getting very close to peak usage, which I don't think we are.
I'm involving a partner in helping me get this setup. I will try to follow up after we finish. You've provided some great information to help me out here and hopefully when we get this working I can relay that information back here on what we ended up doing.

Thank you.
