09-12-2019 01:20 PM
We are running 10.0r7a on 98% of our AP250 and AP230. Some background info: we have most of our buildings segmented on different subnets but using the same SSID for all buildings, and are using an external RADIUS server for authentication. All APs in a building are issuing the same subnet scope and VLAN. We have already tried GRE tunneling (this made the issue worse). We have done a VLAN probe test and the AP successfully passes the test for its building VLAN.
The issue is when a client is connected in building A on VLAN-A with an IP address in subnet A and the client moves to building B: the client stays connected but has no access to anything due to the client keeping their IP address from building A. This is happening on all devices (Apple, Android, Windows, Chrome) but it does not happen all the time. A client can move from building A to B (no issue) then to building C and have the issue. Suggestions would be a great help.
Thank you.
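One way to confirm the stale-lease symptom described above from the controller side is to compare each client's IP against the DHCP scope of the building whose AP is serving it. This is an added example, not code from the thread or from Aerohive/HiveOS; the AP names, subnets and the key=value log format are constructed assumptions.

```python
import ipaddress
import re

# Constructed mapping: AP hostname -> building, and building -> DHCP scope its APs serve.
# All names and addresses here are hypothetical, not taken from the thread.
AP_BUILDING = {"bldgA-ap03": "A", "bldgB-ap07": "B", "bldgC-ap02": "C"}
BUILDING_SUBNETS = {
    "A": ipaddress.ip_network("10.10.0.0/24"),
    "B": ipaddress.ip_network("10.20.0.0/24"),
    "C": ipaddress.ip_network("10.30.0.0/24"),
}

# Constructed association log lines in a simple key=value form (not a real HiveOS format).
SAMPLE_LOG = """\
2019-09-12 13:20:01 ap=bldgA-ap03 client=aa:bb:cc:00:00:01 ip=10.10.0.55
2019-09-12 13:41:17 ap=bldgB-ap07 client=aa:bb:cc:00:00:01 ip=10.10.0.55
2019-09-12 13:45:02 ap=bldgB-ap07 client=aa:bb:cc:00:00:02 ip=10.20.0.17
2019-09-12 14:02:38 ap=bldgC-ap02 client=aa:bb:cc:00:00:02 ip=10.20.0.17
2019-09-12 14:10:00 ap=bldgC-ap02 client=aa:bb:cc:00:00:03 ip=10.30.0.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) ap=(?P<ap>\S+) client=(?P<mac>\S+) ip=(?P<ip>\S+)$"
)

def parse_log(text):
    """Yield (timestamp, ap, mac, ip) tuples; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group("ts"), m.group("ap"), m.group("mac"), m.group("ip")

def stale_lease_clients(text, ap_building=AP_BUILDING, subnets=BUILDING_SUBNETS):
    """Return one finding per association whose client IP lies outside the serving
    building's scope: (timestamp, mac, building, ip, expected_scope)."""
    findings = []
    for ts, ap, mac, ip in parse_log(text):
        building = ap_building.get(ap)
        scope = subnets.get(building)
        if scope is None:
            continue  # unknown AP or building; nothing to compare against
        if ipaddress.ip_address(ip) not in scope:
            findings.append((ts, mac, building, ip, str(scope)))
    return findings

if __name__ == "__main__":
    for ts, mac, building, ip, scope in stale_lease_clients(SAMPLE_LOG):
        print("stale lease: %s on building %s AP holds %s, expected %s (%s)"
              % (mac, building, ip, scope, ts))
```

Pointing the parser at a real export of associations plus DHCP leases, and correlating the flagged MACs with the roam times, separates a stale-lease roaming problem from an authentication or RADIUS failure.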
01-03-2020 12:59 PM
We went to NG a year ago and it's been nothing but problems. It got so bad I went back to 8.2r6. Doing this keeps most of the clients happy such as Chromebooks, newer phones, and Windows 10 clients, but I've got sporadic issues with older Windows 7 clients unable to connect after they "sit" for a while. We have AP-250's exclusively, and I've spent months "dialing things in", dialing I never had to do with classic. NG is a problem, and now that Extreme owns Aerohive, good luck to us all.
09-16-2019 04:35 PM
For casting devices they are in a separate VLAN (and in our case hard wired) so it is handled in the central firewall. For the most part we are fortunate that we don't deal with headless devices much. When I do have a device that cannot do WPA-Enterprise I connect them to our guest wireless segment that uses WPA2-Personal. The normal guest uses PPSK but I issue a PSK under a separate user profile and then drop them in the VLAN of choice. If I need the segregating I can do that or just put them in the guest VLAN. I have three SSIDs broadcasting, one for each type of authentication. We have an open segment that only allows the user to a webpage that has instructions on how to connect to the wireless. I used to also have the certificate to download when we were using a private cert on our NPS server; now we use a public signed cert. I then have a guest SSID that is WPA2-Personal. Although it says guest I can stick the user in any VLAN I want using the user profile. And then I have the WPA-Enterprise. Initially it uses the RADIUS attribute to drop the user in the appropriate user profile, then some of those use client classification to further sort them into different VLANs. For example we have a list of MAC addresses for a set of laptops; unless you are on one of these laptops you cannot use your internal domain credentials. If you use those credentials on a device not on the MAC list you will either not get connected (no IP) or get stuck in a guest network.
If you need to break up your users like your students, is there a grouping in the domain that could be used to break them into smaller groups and then drop them into separate VLANs based on the group membership? Same SSID and stuff, just splits them up. Maybe by dorm? Just tossing ideas out.
09-13-2019 01:31 AM
Yes, we have academic areas where they utilize Chromecasts and Airtames. Also, how are you dealing with headless devices such as Xboxes, since they cannot do 802.1X auth, while only having one SSID?
09-13-2019 01:04 AM
All APs broadcast the same SSID and a user stays on the same VLAN regardless of location. The student VLAN along with the others are separated in our internal firewall that controls all traffic between the VLANs and the Internet. I only use the wireless firewall policy to block traffic between wireless users, preventing an infected personal machine from spreading. Since we use WPA2-Enterprise the user ID is in the NPS server logs.
When you speak of casting are you talking of things like screen sharing?