https://community.extremenetworks.com/t5/extremewireless-identifi/one-ssid-one-vlan-one-ip-pool-restrict-access-by-role/m-p/53916#M6049 It's a coworking place and management wants it to be clean and easy.<BR /> Therefore, they wish to have only one ssid and single ip pool.<BR /> Wanted to do it using Extreme solutions like IdentiFI, NAC, Purview<BR /> Fri, 06 May 2016 08:33:00 GMT jaden 2016-05-06T08:33:00Z https://community.extremenetworks.com/t5/extremewireless-identifi/one-ssid-one-vlan-one-ip-pool-restrict-access-by-role/m-p/53914#M6047 We have a requirement here.<BR /> Situation as below.<BR /> <BR /> One SSID, One Vlan, One IP Pool.<BR /> Differentiate by Roles such as Role A can access between Role A, internet and internal.<BR /> Role B can only access to Internet and between Role B, means no internal.<BR /> <BR /> Is there a way to do this?<BR /> <BR /> Thanks. Fri, 06 May 2016 08:23:00 GMT https://community.extremenetworks.com/t5/extremewireless-identifi/one-ssid-one-vlan-one-ip-pool-restrict-access-by-role/m-p/53914#M6047 jaden 2016-05-06T08:23:00Z https://community.extremenetworks.com/t5/extremewireless-identifi/one-ssid-one-vlan-one-ip-pool-restrict-access-by-role/m-p/53915#M6048 Hmm. Is there a reason you have to have one vlan and ip pool? If you were able to break from that you could use NPS like this. https://community.extremenetworks.com/extreme/topics/one-ssid-redirect-to-two-different-vlans Outside of that... I'd say you'd have to implement 802.1x and maybe use NAP. https://technet.microsoft.com/en-us/network/bb545879.aspx Anything more specific let me know. Good luck!! Fri, 06 May 2016 08:33:00 GMT https://community.extremenetworks.com/t5/extremewireless-identifi/one-ssid-one-vlan-one-ip-pool-restrict-access-by-role/m-p/53915#M6048 Christopher_Dav 2016-05-06T08:33:00Z https://community.extremenetworks.com/t5/extremewireless-identifi/one-ssid-one-vlan-one-ip-pool-restrict-access-by-role/m-p/53916#M6049 It's a coworking place and management wants it to be clean and easy.<BR /> Therefore, they wish to have only one ssid and single ip pool.<BR /> Wanted to do it using Extreme solutions like IdentiFI, NAC, Purview<BR /> Fri, 06 May 2016 08:33:00 GMT https://community.extremenetworks.com/t5/extremewireless-identifi/one-ssid-one-vlan-one-ip-pool-restrict-access-by-role/m-p/53916#M6049 jaden 2016-05-06T08:33:00Z https://community.extremenetworks.com/t5/extremewireless-identifi/one-ssid-one-vlan-one-ip-pool-restrict-access-by-role/m-p/53917#M6050 Understandable, although it'd be an easier solution to manage without this. NAC is a solution. Well, IAC anyway. http://learn.extremenetworks.com/rs/641-VMV-602/images/Identity-and-Access-Control-DS.pdf This should be what you're looking for. Fri, 06 May 2016 08:33:00 GMT https://community.extremenetworks.com/t5/extremewireless-identifi/one-ssid-one-vlan-one-ip-pool-restrict-access-by-role/m-p/53917#M6050 Christopher_Dav 2016-05-06T08:33:00Z https://community.extremenetworks.com/t5/extremewireless-identifi/one-ssid-one-vlan-one-ip-pool-restrict-access-by-role/m-p/53918#M6051 Sorry of misunderstood, so NAC is called IAC now.<BR /> How do I use this to achieve the objective. Fri, 06 May 2016 08:33:00 GMT https://community.extremenetworks.com/t5/extremewireless-identifi/one-ssid-one-vlan-one-ip-pool-restrict-access-by-role/m-p/53918#M6051 jaden 2016-05-06T08:33:00Z https://community.extremenetworks.com/t5/extremewireless-identifi/one-ssid-one-vlan-one-ip-pool-restrict-access-by-role/m-p/53919#M6052 The Keyword to this is "OnePolicy" . Based on the role the Client get's his own policy and can access exactly the targets you want. The only things you need are a wireless controller, several APs and a radius server. When you use Extreme Control (formerly NetSight and NAC), you can do this very easily.<BR /> <BR /> /André Fri, 06 May 2016 10:51:00 GMT https://community.extremenetworks.com/t5/extremewireless-identifi/one-ssid-one-vlan-one-ip-pool-restrict-access-by-role/m-p/53919#M6052 André_Herkenrat 2016-05-06T10:51:00Z https://community.extremenetworks.com/t5/extremewireless-identifi/one-ssid-one-vlan-one-ip-pool-restrict-access-by-role/m-p/53920#M6053 Is there any configuration example I could study on?<BR /> Helps me to understand faster as I haven't configured any policy yet.<BR /> <BR /> Also, it could configured in OneView Policy sector right? Fri, 06 May 2016 10:51:00 GMT https://community.extremenetworks.com/t5/extremewireless-identifi/one-ssid-one-vlan-one-ip-pool-restrict-access-by-role/m-p/53920#M6053 jaden 2016-05-06T10:51:00Z https://community.extremenetworks.com/t5/extremewireless-identifi/one-ssid-one-vlan-one-ip-pool-restrict-access-by-role/m-p/53921#M6054 Hello, Jaden!<BR /> <BR /> I think simples way is to use authenticate roles based on MAC addresses of clients.<BR /> Like Role A - accept all for MAC addresses A, B, C.<BR /> Role B - (for example) deny dns, deny Internet gateway for MAC addresses D, E, F.<BR /> <BR /> Thank you! Fri, 06 May 2016 10:57:00 GMT https://community.extremenetworks.com/t5/extremewireless-identifi/one-ssid-one-vlan-one-ip-pool-restrict-access-by-role/m-p/53921#M6054 Alexandr_P 2016-05-06T10:57:00Z https://community.extremenetworks.com/t5/extremewireless-identifi/one-ssid-one-vlan-one-ip-pool-restrict-access-by-role/m-p/53922#M6055 It's impossible to authenticate with MAC addresses as there will be Role B,C,D and so on.<BR /> Tenant may come and go, this will be bulky of work. Fri, 06 May 2016 10:57:00 GMT https://community.extremenetworks.com/t5/extremewireless-identifi/one-ssid-one-vlan-one-ip-pool-restrict-access-by-role/m-p/53922#M6055 jaden 2016-05-06T10:57:00Z https://community.extremenetworks.com/t5/extremewireless-identifi/one-ssid-one-vlan-one-ip-pool-restrict-access-by-role/m-p/53923#M6056 So, in this case you have to use RADIUS/TACACS+, NAC and so on.<BR /> (to have some condition on which map some role)<BR /> <BR /> Thank you! Fri, 06 May 2016 10:57:00 GMT https://community.extremenetworks.com/t5/extremewireless-identifi/one-ssid-one-vlan-one-ip-pool-restrict-access-by-role/m-p/53923#M6056 Alexandr_P 2016-05-06T10:57:00Z https://community.extremenetworks.com/t5/extremewireless-identifi/one-ssid-one-vlan-one-ip-pool-restrict-access-by-role/m-p/53924#M6057 It is easy to accomplish that with EXtreme Control solution = NAC. In the management you will define criteria like MAC address or Username or hostname and based on that you assign the right profile. In the profile you define ACLs what such device/user can do... Single SSID design is good. Good luck. Fri, 06 May 2016 11:26:00 GMT https://community.extremenetworks.com/t5/extremewireless-identifi/one-ssid-one-vlan-one-ip-pool-restrict-access-by-role/m-p/53924#M6057 Zdeněk_Pala 2016-05-06T11:26:00Z https://community.extremenetworks.com/t5/extremewireless-identifi/one-ssid-one-vlan-one-ip-pool-restrict-access-by-role/m-p/53925#M6058 Any documentation can I refer to?<BR /> I would like to use with the Radius server too. Fri, 06 May 2016 11:26:00 GMT https://community.extremenetworks.com/t5/extremewireless-identifi/one-ssid-one-vlan-one-ip-pool-restrict-access-by-role/m-p/53925#M6058 jaden 2016-05-06T11:26:00Z https://community.extremenetworks.com/t5/extremewireless-identifi/one-ssid-one-vlan-one-ip-pool-restrict-access-by-role/m-p/53926#M6059 If you have Radius-LDAP you can define de field Filter-ID attribute at the radius response, and create a rol with the same name at the Role tab.<BR /> In the VirtualNetwork tab you configure the default role, but if the radius response can find a role with the same name that the Filter-ID attribute then role asigned change.<BR /> I am not sure at all, but you can create a testing wlan Fri, 06 May 2016 11:26:00 GMT https://community.extremenetworks.com/t5/extremewireless-identifi/one-ssid-one-vlan-one-ip-pool-restrict-access-by-role/m-p/53926#M6059 FES 2016-05-06T11:26:00Z