This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Dynamic VLAN Assignment with WPA2-PSK WLAN

Dynamic VLAN Assignment with WPA2-PSK WLAN

Go to solution
xiqa
New Contributor II

a week ago - last edited a week ago

We have an XIQ-SE and an XIQ-C instance and would like to mix some forms of dynamic VLAN assignment. Here's what we'd like to achieve: 

1. The AP should be assigned it's management port in a VLAN untagged based on its MAC address. 

2. The clients using EAP-TLS should be placed in a VLAN tagged according to their role in XIQ-SE. 

3. The clients using WPA2-PSK should placed in a VLAN tagged according to the XIQ-C configuration. 

Here's a diagram that should illustrate what I'd like to accomplish: 

xiqa_1-1730110788982.png

Is something like this possible? How would I "dynamically" assign the VLANs for the networks in the third authentication variant? 

We'd like to be able to plug in the AP's like any other client, so that the port is configured using the correct VLANs, without having to manually assign them.

It's an environment with only extreme switches, access points, NAC, WLC, etc., no other vendors. 

Thanks. 

0 Kudos
1 ACCEPTED SOLUTION

Go to solution
xiqa
New Contributor II

Friday

OK I made a dumb mistake. On the XIQ-C in the Auth Role I had the Default Action to deny. Now after setting it to allow it works. 

There was also no need to create a rule for the PSK network on XIQ-SE. I've only configured the role with the Access Controle mode set to Contain to VLAN with the VLAN being the untagged VLAN of my AP and on the VLAN Egress tab the VLAN's that should be tagged and untagged. 

So basically just this: 

xiqa_0-1730451176719.png

xiqa_1-1730451185302.png

Then I create the rule to authenticate the AP via MAC and it works. The switches are EXOS and after authenticating via MAC I can see that the switch automatically tags the Client VLAN and untags the AP VLAN. 

View solution in original post

6 REPLIES 6

Go to solution
xiqa
New Contributor II

Friday

OK I made a dumb mistake. On the XIQ-C in the Auth Role I had the Default Action to deny. Now after setting it to allow it works. 

There was also no need to create a rule for the PSK network on XIQ-SE. I've only configured the role with the Access Controle mode set to Contain to VLAN with the VLAN being the untagged VLAN of my AP and on the VLAN Egress tab the VLAN's that should be tagged and untagged. 

So basically just this: 

xiqa_0-1730451176719.png

xiqa_1-1730451185302.png

Then I create the rule to authenticate the AP via MAC and it works. The switches are EXOS and after authenticating via MAC I can see that the switch automatically tags the Client VLAN and untags the AP VLAN. 

Go to solution
Ryan_Yacobucci
Extreme Employee
In response to xiqa

Sunday

A key point that you have set here is that you have "AP Aware" enabled. This is required for Access Points or else there can be performance impacts on the network.

AP Aware makes it so if the switch port sees an AP Aware policy it won't attempt to authenticate any MAC addresses other than the Access Points on the port. 

If AP Aware is not enabled you can start to see Switch ports authenticating Wireless Devices. Control is not designed to handle client authentications if they come from the wired switch port and the wireless AP at the same time. It can have negative impacts. 

Always make sure AP aware is enabled for any policies that are configured for APs. 


Policy uses "AP Aware"
Fabric Engine uses "MHSA" (Multi-host single authentication)

Thanks
-Ryan

Go to solution
Ryan_Yacobucci
Extreme Employee

a week ago

Hello,

This is a common configuration for clients who have an Extreme Control appliance. 

1. The switch will need have to have authentication enabled with a policy that will only authenticate the AP and not the underlying Wireless Clients. 

In Extreme Control you would need to setup a policy with "AP aware" enabled, or set MSHA (Multi-host single authentication) for Fabric Engine. This policy would be applied to the AP when it's plugged in and will contain the VLAN schema for untagged management and tagged VLANs for client connectivity.


2. In Extreme Control/XIQ-C you create rules that have location based components, so the SSID for 802.1x could have rules for Active Directory criteria, or just a location criteria (SSID Name) that provides a specific policy that has the VLAN assignment desired. 

3. In Extreme Control/XIQ-C you create rules that have location based components, so the SSID that has WPA2-PSK can have a location criteria (The SSID name) that sets a different policy that has a different VLAN assignment. 

https://extreme-networks.my.site.com/ExtrArticleDetail?an=000081747

Thanks
-Ryan

Go to solution
xiqa
New Contributor II
In response to Ryan_Yacobucci

a week ago

Hi Ryan

thank you for your reply. So just to get it right, I would create three roles for each VLAN variation and set the AP aware feature to enabled for each of the roles.

Then I'd create the three rules, that check the different conditions (MAC, EAP-TLS AD membership, SSID name), with the associated profiles, roles and policy mappings, and that should be it right? 

Thanks. 

 

0 Kudos
GTM-P2G8KFN