09-27-2017 11:45 AM - edited 07-05-2021 07:41 AM
I'm hoping someone can help me. I work in a health care environment and we currently have a single SSID for medical devices. The SSID uses WPA2-PSK (can't use 802.1x) and is mapped to one vlan. We are adding a large number of new medical devices (wireless glucose meters) but I can't add the new hosts to the same vlan due to limited IP addresses (can't change addressing...huge problem with vendors who support the medical devices). Is there a way that I can authenticate the new hosts to the same SSID and use mac addresses to put them in a second vlan?
Thanks
Ryan
09-27-2017 12:46 PM
09-27-2017 02:56 PM
@RYAN PAUL wrote:
We are adding a large number of new medical devices (wireless glucose meters) but I can't add the new hosts to the same vlan due to limited IP addresses (can't change addressing...huge problem with vendors who support the medical devices). Is there a way that I can authenticate the new hosts to the same SSID and use mac addresses to put them in a second vlan?
Depends on the firmware of the controller. Recent firmwares have an option to use Interface Groups. Like configuring multiple secondary subnets on an interface, Interface Groups allows users to put multiple Dynamic Interfaces into an Interface Group and then assign the Interface Group to the SSID and/or AP Group.
09-28-2017 06:28 AM
That sounds promising. We're running 8.0.140.0. I'm obviously going to need to upgrade the controllers. Do you know what version supports the Interface Groups?
09-28-2017 06:42 AM
You're in luck. Interface Groups was introduced in 7.4.X.
09-28-2017 06:47 AM
But you said you need a different authentication method. Interface segregation will solve the DHCP problem, but I can't see how this is going to solve the authentication problem.
09-28-2017 06:48 AM
Hi.
Like Leo said, you can use an interface group and add a second subnet to the same SSID, but you need to be clear that the IP assignment is done in round-robin fashion, so it is possible that the equipment that is connected now can get IP addressing from the new segment. The other way is to make your current network bigger. I mean, if you're using a /24 you can change to a /22; just check if this is possible with your providers.
09-29-2017 06:24 AM
If you use interface groups as suggested by others, you're just lumping all of your Clients into the same subnet as everything else. Fine, but not great.
In WLC 8.5 the iPSK feature was introduced, which allows you to combine MAC Auth with dynamic VLAN allocation... all you need is a RADIUS server loaded with the MAC addresses and the ability to return attributes via RADIUS. You then have a single SSID but configure different PSKs on different devices, and each PSK then drops the device into a different VLAN.
Config details here;
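The RADIUS side of the iPSK approach described in the post above, as an added example that is not part of the original thread or of Cisco's configuration guide: a Python script that turns a MAC inventory into FreeRADIUS `users` entries returning a per-group PSK and VLAN. The MACs, PSKs, VLAN IDs and group names are constructed, and it assumes the controller sends the MAC (12 lowercase hex digits, no delimiter) as both username and password, with AAA override enabled on the WLAN.

```python
import re
# Constructed inventory (not from the thread): group -> VLAN ID and PSK.
GROUPS = {
    "legacy-medical": {"vlan": 110, "psk": "constructed-psk-legacy-01"},
    "glucose-meters": {"vlan": 120, "psk": "constructed-psk-glucose-02"},
}
DEVICES = {  # constructed MAC -> group map, mixed notations on purpose
    "00:11:22:AA:BB:01": "legacy-medical",
    "00-11-22-aa-bb-02": "glucose-meters",
}

def normalize_mac(mac):
    """Return the MAC as 12 lowercase hex digits, or raise ValueError."""
    digits = re.sub(r"[:.\-]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"bad MAC address: {mac!r}")
    return digits

def check_psk(psk):
    """WPA2 ASCII passphrases are 8-63 printable ASCII characters."""
    ok = 8 <= len(psk) <= 63 and all(32 <= ord(c) <= 126 for c in psk)
    if not ok or '"' in psk or "\\" in psk:  # quotes would break the file syntax
        raise ValueError("PSK must be 8-63 printable ASCII, no quote or backslash")
    return psk

def users_entry(mac, group):
    """One FreeRADIUS users-file entry: MAC auth check plus reply attributes."""
    user, psk = normalize_mac(mac), check_psk(group["psk"])
    return (
        f'{user} Cleartext-Password := "{user}"\n'  # assumption: password = MAC
        f'\tTunnel-Type = VLAN,\n\tTunnel-Medium-Type = IEEE-802,\n'
        f'\tTunnel-Private-Group-Id = "{group["vlan"]}",\n'
        f'\tCisco-AVPair = "psk-mode=ascii",\n'
        f'\tCisco-AVPair += "psk={psk}"\n'
    )

def render_users(devices, groups):
    """Render all entries; reject unknown groups and duplicate MACs."""
    seen, out = set(), []
    for mac, name in devices.items():
        key = normalize_mac(mac)
        if name not in groups or key in seen:
            raise ValueError(f"unknown group or duplicate MAC: {mac}")
        seen.add(key)
        out.append(users_entry(mac, groups[name]))
    return "\n".join(out)

if __name__ == "__main__":
    print(render_users(DEVICES, GROUPS))
```

The generated file holds every PSK in clear text, so it needs the same access restrictions as the keys themselves.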
09-29-2017 06:36 AM
09-29-2017 06:42 AM
09-29-2017 06:49 AM