Controllerless Networks

I have a Student Residence building that I need to deploy wireless APs in.   I would like to configure that wireless network to allow each student to have their own VLAN in order to emulate a home type environment (personal devices on WLAN can see other personal devices but not devices from other students).

I have a RADIUS server that will have all the students login information as well as the ability to onboard devices that won't work with WPA2-Enterprise security.

 

Is this possible to configure with either Aurba Central or Aruba Instant?

Do you have ClearPass?





Thank you

Victor Fabian

Pardon typos sent from Mobile

No....but yes

 

This wireless installation is being treated as a separate network from the main institution's wireless network.  Our institution does have clearpass but I would prefer to do this without using clearpass

With ClearPass Policy Engine and AirGroup you can accomplish this without having to create separate VLANs per user (I wouldn’t recommend taking that approach)



Sent from Mail for Windows 10

Hi, 

 

Aruba instant can be managed locally through web gui of VC or using Aruba Central or Airwave. Central just provides management of Instant cluster(s). 

 

Yes you can do it using instant with/without Central using Radius server,

 

How would you go about setting it up?  My boss is leaning towards paying for cloud (Aruba Central management)

Hi,

Assuming you are asking about how to assign students their respective
Vlans. If thats correct, i have done it using CPPM and TekRadius, you can
do the same using any 3rd party radius server.

Please confirm if above is what you are looking for

sorry I thought you meant you had done it without using clearpass.  So just to confirm....There is no way to do this without leveraging clearpass?

Hi,

You can do it without using Clearpass.

How would you do it without Clearpass?

Hi,

When user authenticates, the radius server will return Aruba-User-Role or
Aruba-User-Vlan with the value of role/vlan respectively.

so basically this?

https://www.arubanetworks.com/techdocs/Instant_40_Mobile/Advanced/Content/UG_files/Roles_and_policies/User%20VLAN%20derivation.htm

Hi,

Yes. You need to configure your Radius server to return aruba-user-role
attribute if authentication is successful.

I thought it was possible but my Aruba SE said that I needed to use clearpass. 

I have a few more questions.

- Will the user still be able to roam around the building and authenticate to other APs while still maintaining their personal VLAN? 

- Will I need to assign all the VLANs to the switch ports where the Access Points are plugged in or will the Aruba APs tunnel the appropriate VLANs to the APs?

Thank you so much!

 

Hi,

For your questions

Will the user still be able to roam around the building and authenticate to
other APs while still maintaining their personal VLAN?

Yes, no issues there.

- Will I need to assign all the VLANs to the switch ports where the Access
Points are plugged in or will the Aruba APs tunnel the appropriate VLANs to
the APs?

There is no tunneling of traffic (management/data) in Aruba Instant like in
controller appliances. You need to create the required Vlans across your
switching infrastructure

Thank you so much for answering all my questions! 

Hi,

You are most welcome

This wireless installation is being treated as a separate network from the main institution's wireless network. Our institution does have clearpass but I would prefer to do this without using clearpass

Hi, 

 

You want to do it without clearpass or without any radius server?