HP ProCurve MSM710 and VLAN Tagging/Groups

 
Steve Rooney
Occasional Contributor


Hi,

 

We have an MSM710 Wireless controller with 4 x MSM410 which are all connected back to a ProCurve 5412zl-96G chassis switch via a POE switch in the chassis.

The switch has various Layer 3 VLANs and I was wondering if it's possible to allow users to authenticate with the MSM710 and by this logon associate with their own VLAN so they can see the devices on their broadcast domain.

The building with this equipment is a shared office space so each VLAN is a separate office with its own servers/workstations and mobile users need to be able to see just their own equipment when they connect wirelessly.

Any suggestions gratefully received.

NeilR
Esteemed Contributor

Re: HP ProCurve MSM710 and VLAN Tagging/Groups


> We have an MSM710 Wireless controller with 4 x MSM410 which are all connected back to a ProCurve 5412zl-96G chassis switch via a POE switch in the chassis

I'm using the MSM765zl card internal to a 5412 with the MSM422 APs, so this should be applicable.

> The switch has various Layer 3 VLANs and I was wondering if it's possible to allow users to authenticate with the MSM710 and by this logon associate with their own VLAN so they can see the devices on their broadcast domain.

Here's what I did and it works fine so far. You will need a radius server. I'm using IAS on win server 2003.

 

Use the web GUI for the MSM710 and create a VSC authenticated (no access control) via WPA or WPA 2 using your radius server.

Add the VLANs you are interested in as Network Profiles and to the Network/Ports tab as VLANs with no IP mapped to the Internet port (the LAN port in my config is on the management VLAN I use to config the APs).

In the Controlled AP group you are using to manage the APs, pick Configuration/Local networks - you should see the VLANs you added under available networks - move them over to local networks. This is where the assigned VLAN gets tagged based on radius authentication. (I don't think the switch port the AP is plugged into needs to be tagged for these vlans, but mine is.)

On your radius server, create the groups and access policy that returns the vlan value. The radius server is specified in the VSC in the 802 section.

When your client logs in the access policy matches them to a group, returns the VLAN assigned to that group, and the AP tags the session to that VLAN. Make sure a DHCP server is on that VLAN. You will need to add the various radius AV pairs for media, tunnel and vlan ID.
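
An added example, not part of the original posts: a Python check that decodes the "media, tunnel and vlan ID" AV pairs from the attribute bytes of an Access-Accept and confirms that a tenant's group receives its own VLAN. It assumes the standard RFC 2868 / RFC 3580 encoding (Tunnel-Type = VLAN (13), Tunnel-Medium-Type = IEEE-802 (6), Tunnel-Private-Group-ID = VLAN ID); the group names, VLAN IDs and function names are hypothetical.

```python
import struct

# Attribute numbers and values from RFC 2868 / RFC 3580.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TYPE_VLAN, MEDIUM_IEEE_802 = 13, 6

# Constructed sample policy: group names and VLAN IDs are hypothetical.
EXPECTED_VLAN = {"office-a": 10, "office-b": 20}


def encode_vlan_attrs(vlan_id, tag=0):
    """Encode the three VLAN attributes as RADIUS TLVs for test input."""
    out = b""
    for attr, value in ((TUNNEL_TYPE, TYPE_VLAN), (TUNNEL_MEDIUM_TYPE, MEDIUM_IEEE_802)):
        # Tag byte plus 3-byte big-endian value, so the length is always 6.
        out += struct.pack("!BBB", attr, 6, tag) + value.to_bytes(3, "big")
    group = (bytes([tag]) if tag else b"") + str(vlan_id).encode("ascii")
    return out + struct.pack("!BB", TUNNEL_PRIVATE_GROUP_ID, 2 + len(group)) + group


def decode_vlan(attrs):
    """Return the VLAN ID carried by the attributes, or None if incomplete."""
    seen, i = {}, 0
    while i < len(attrs):
        if i + 2 > len(attrs) or attrs[i + 1] < 2 or i + attrs[i + 1] > len(attrs):
            raise ValueError("malformed attribute at offset %d" % i)
        seen[attrs[i]] = attrs[i + 2:i + attrs[i + 1]]
        i += attrs[i + 1]
    if not all(k in seen for k in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID)):
        return None
    # Skip the tag byte, then compare the 3-byte values.
    if int.from_bytes(seen[TUNNEL_TYPE][1:], "big") != TYPE_VLAN:
        return None
    if int.from_bytes(seen[TUNNEL_MEDIUM_TYPE][1:], "big") != MEDIUM_IEEE_802:
        return None
    group = seen[TUNNEL_PRIVATE_GROUP_ID]
    if group and group[0] <= 0x1F:  # a leading byte of 0x1F or less is a tag
        group = group[1:]
    return int(group.decode("ascii")) if group.isdigit() else None


def audit(group_name, attrs):
    """Compare the VLAN in an Access-Accept with the tenant's expected VLAN."""
    vlan = decode_vlan(attrs)
    if vlan is None:
        return "FAIL: no usable VLAN assignment"
    if vlan != EXPECTED_VLAN[group_name]:
        return "FAIL: got VLAN %d, expected %d" % (vlan, EXPECTED_VLAN[group_name])
    return "OK"
```

The attribute bytes can be copied from a packet capture of the Access-Accept taken between the controller and the radius server.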