M and MSM Series

MSM 760, VLAN and Radius

New Member

MSM 760, VLAN and Radius


We are working on a setup which in all likelyhood is very basic.


Controller: MSM 760

Radio: MSM 430

Switch: 5406 / 2910

Radius: Windows 2008 R2 (NPS)


What we need to configure is the following

2 distinct SSIDs (SSID101 and SSID102) each on different VLANs (101 and 102). Both VLANs are private VLANs. 

1 user group (Group101) needs to have access to just VLAN101

1 user group (Group102) needs to have access to both VLANs

Firewall duties is handled elseware and shouldn't take place in the MSM products.


What we have so far

1. MSM 760 LAN port untagged on the regular server VLAN (VLAN50)

2. MSM 430 APs untagged on various wired VLANs (1020, 1021...)3. 1 SSID with dynamically assigned VLAN (Radius)

4. Radius doing authentication based on group membership and assigning VLAN (101 or 102)

5. VLAN 101 and 102 tagged on switchports in the ProCurve 5406/2910 connecting to the APs and the MSM760 LAN Port


We would much rather have

1. switch ports for APs untagged with just a dedicated management VLAN

2. use "client data tunnel" to tunnel all data from APs to controller

3. Combination of SSID (Called-station-ID) and user group determine if access is allowed
I just can't wrap my head around the correct way of doing this. I've read the MSM Implementation guide a couple of times, but can't seem to get any closer to a working setup and would very much appreciate some assistance.