M and MSM Series

 
Paul Woolnough
Occasional Contributor

MSM's - Various Issues - ARGH

There seems to be quite a lot of confusion on these forums around setting up elements of the MSM's.... I am one of the people who is confused!

Am desperately trying to get guest access set up and the MSM 765zl controller does not even bring up the HTML login screen. I have set the controllers up in standalone configuration (rather than teamed) with all AP's on the internet port. The LAN port is connected to the internal network with the guest VLAN tagged to the port. Don't believe there are any routing or VLAN issues....

Am running software 5.4.1.0-01-9131.

Additionally, has anyone got any thoughts on the following:

Best place to put ACL for guest access - either on VLAN interface on switch or on controller

When setting up Active Directory auth I wanted to allow potentially different access for users based on AD group membership. Do I need to set up RADIUS access for this? If anyone has found any good guides on setting this up it would be really appreciated....

Really appreciate any support.

Thanks, Paul Woolnough
Srinivasalu.r
Advisor

Re: MSM's - Various Issues - ARGH

Hi Paul,

As you mentioned, the LAN port is connected to the internal network; please don't connect the LAN port to the internal network.

Connect the Internet port to the internal network, and all APs should be discovered through this port.

For guest users, assign a VLAN IP to the LAN port, enable DHCP in the controller for guest users, and we can put the ACL in the controller.

For AD authentication we require a RADIUS server.
I will send you the URL for the doc ASAP.
Paul Woolnough
Occasional Contributor

Re: MSM's - Various Issues - ARGH


Many thanks for your very quick reply - I had seen some diagrams indicating that I may have the interfaces round the wrong way with regard to AP management but the design guidelines were not conclusive.

The current MSM is configured as follows, VLAN's 496 and 498 which are guest networks on LAN port - so this is where the traffic exits the MSM (e2 below). These are tagged to LAN port - you mention that the LAN port shouldn't be connected to the internal LAN but then state to enable DHCP on the LAN interface for guests (which is what I have done). Are you suggesting that these should be connected to a non routed switchport?

I'm obviously being a bit dense... :-(

The only other thing to add is that the default route points to the core switch via the LAN interface with a specific class C for AP mgt via the Internet port. Are you suggesting that I have essentially got the D.G. in the wrong direction and that guests would enter the MSM on the LAN port and the egress would be the internet port?

Be great if you could mail me that link or post it on the forum. Thanks again



E1HP8201# show vlan port e1 (Internet port)

 Status and Counters - VLAN Information - for ports E1

  VLAN ID Name                 | Status     Voice Jumbo
  ------- -------------------- + ---------- ----- -----
  497     CN-WirelessAPMgt     | Port-based No    No

E1HP8201# show vlan port e2 (LAN port)

 Status and Counters - VLAN Information - for ports E2

  VLAN ID Name                 | Status     Voice Jumbo
  ------- -------------------- + ---------- ----- -----
  496     WirelessGuest        | Port-based No    No
  498     WirelessGuest-SL     | Port-based No    No
  499     *** Management ***   | Port-based No    No
Srinivasalu.r
Advisor

Re: MSM's - Various Issues - ARGH

Hi Paul,

Please find the link to download the document.

http://cdn.procurve.com/training/Manuals/MSM7xx-MCG-Apr10-5998-0308-v54.pdf
Trevor Commulynx
Regular Advisor

Re: MSM's - Various Issues - ARGH

Hi Paul,

You can configure Guest networks in the LAN interface. Also, you don't need RADIUS; you can talk natively to AD to authenticate your internal users. But I always recommend RADIUS, as it means you can utilise dynamic VLANs, rate limiting etc. per connection.

If you configure the controller to issue DHCP on the LAN port and always tunnel client traffic to the controller, you do not need to configure a DHCP scope on your LAN interface. If your Guest network is assigning DHCP, the HTTP Intercept will work.

I always use the LAN port, and just get smart with my VLANs with IP unnumbered interfaces.

If you log into the ProCurve site and download the config examples for the Guest network with an MSM, it will give you a good idea of how you can do things.

Trev.
Troy Jollimore
Advisor

Re: MSM's - Various Issues - ARGH

You're taking things a bit deeper than I'm familiar with, but your questions are on-point. The MSM controller looks to be designed to sit right at the network edge, feeding directly out to your Internet router/gateway. All of the 'normal' documents point to this.

I took that as a cue to keep things running in that direction, from LAN port TO Internet port, which was interesting since I don't use VLANs or subnets yet in my 'small' network. Give it a try and see if it works any better for you.

The only other configuration method I've seen is what Srinivasalu mentioned, and it's in another thread. Connect everything only to the Internet port and use it as a 'Router on a Stick' configuration.