Solved: Limit SSID to a group of APs

promig · ‎08-25-2006

We have the following scenario: as a small university we have wireless access points on our academic campus and our residential buildings (i.e. dorms). We have one WiSM blade installed in a 6509. In the current (heavy-weight IPs) situation APs in the residential network boardcast the SSID ?resnet? and those on the campus use ?wireless?. These SSIDs are associated with different VLANS, address spaces and security policies.

As we move to WCS I would like to continue this configuration

My question is, what is the best way to limit the SSIDs visible from a group of APS (we have about 150 APs on each network). It looks to me like the WLAN override would work, but It seems a little clunky and convoluted. It also seems difficult to ensure that all the APs on one part of the campus get the same configuration.

Are there other options I?ve missed? Anyone else have similar situations and want to offer other ideas?

Thanks

Phil

Stephen Rodriguez · ‎08-26-2006

The best way to limit the SSID that a AP is broadcasting is to use AP Groups. So for example for the AP's in the dorm areas, you set them in a Group, then you go into the group, and define what SSID's they can broadcast. You can have them use anywhere from 1 to all of your WLANS.

You could use AAA override on the WLAN, but then you have to go in and set all the WLAN to use Radius servers, and then go into all the profiles/groups and set them to the VLAN they can use. Alot more overhead, as you'll have to do this for every student that comes adn goes.

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered

View solution in original post

ethiel · ‎08-25-2006

WCS 4.0 introduced AP Templates, so they will become your best friend for what you describe. Your best bet is to use WLAN override, but in WCS 4.0, you can define 2 AP templates. resnet and wireless. Then you just apply the template to the appropriate APs.

If the APs break up int groupings of 150, you can set all resnet APs to one controller, and set up the resnet SSID on there, and all others to the other, and only set up wireless on that one. However, it gets ugly if APs wander to other controllers in the event of a failure.

Stephen Rodriguez · ‎08-26-2006

The best way to limit the SSID that a AP is broadcasting is to use AP Groups. So for example for the AP's in the dorm areas, you set them in a Group, then you go into the group, and define what SSID's they can broadcast. You can have them use anywhere from 1 to all of your WLANS.

You could use AAA override on the WLAN, but then you have to go in and set all the WLAN to use Radius servers, and then go into all the profiles/groups and set them to the VLAN they can use. Alot more overhead, as you'll have to do this for every student that comes adn goes.

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered

ethiel · ‎08-26-2006

Are you sure that AP groups can be used like this? I was under the impression that any SSIDs not mapped in an AP group would still be broadcast and would map to their normal VLAN. I am fairly certain that AP Groups only allow you to change the VLAN mapping of SSIDs, but unfortunately I cannot test until late in the week.

Stephen Rodriguez · ‎08-28-2006

Yes, AP groups can be used like this.

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered

promig · ‎08-29-2006

Thanks, I think this is what I need, however when I created the VLAN group and added the dorm WLAM to the group the column in the main display that says "WLANs" still says 0. It looks like it is working but I wonder why I don't see 1 WLAN assigned to the group (maybe a simple display bug?).

thanks

Phil

promig · ‎08-30-2006

Thanks again for your reply, how sure are you that the AP Group VLANs feature should work the way you describe? To test the feature I enbled the group feture, created a Group, added one of my two WLANs to the group, and reset the AP. As near as I could tell it was still broadcasting both SSIDs. I may well have been doing something wrong, but I wanted to ask...

On a similar note, I can't find any documentation that describes Groups or how they work. Anyone have any pointers?

ethiel · ‎08-31-2006

I believe it WILL still advertise all SSIDs, but I will not be back to where I can test until early next week. I still believe based on my experience that my first post will be your best bet. The AP templates in 4.0 I think are the best way to acheive this.

For your test, is it possible that another AP within range was advertising the second SSID?