M and MSM Series

Re: MSM775 Access Control Multiple sites

 
Dan-at-Dixon
Occasional Contributor

MSM775 Access Control Multiple sites

We have an MSM775 that controls all of our sites' APs. What we need to do is handle access control for VLAN 9 (Public Inet). When setting up a test SSID, disabling auth and AC will render an IP - but when checked, it will not.

DHCP forwarding is an option, but won't that affect ALL the sites? (vlan 9 is local to each individual site)

 

Any ideas how to get AC working in this scenario?

Ian Vaughan
Honored Contributor

Re: MSM775 Access Control Multiple sites

Howdy,

Are you trying to:

A) aggregate all of the "public" traffic from each of your sites and bring it together (i.e. tunnel it back) into a "super-network" at your main site behind the wireless controller?

Or

B) provide a "secured" pass-through network on each site such that "public" traffic on each of the remote sites can access a local internet breakout?

Or

C) Something completely different again. :-)

A is way easier to manage and B keeps public traffic off your WAN backbone. There are pros and cons each way.

What hoops do you wish the public to jump through in order to gain the free internet access?

Where is your DHCP service - is this the "built-in" service of the controller itself?

Thanks

Ian

 

Hope that helps - please click "Thumbs up" for Kudos if it does
## ---------------------------------------------------------------------------##
Which is the only cheese that is made backwards?
Edam!
Tweets: @2techie4me
Dan-at-Dixon
Occasional Contributor

Re: MSM775 Access Control Multiple sites

I think what I am looking for is more along the lines of your example, B. 

I want to be able to HTML authenticate with Access Control at the controller, but after authentication, the clients will use the local Internet connection for access.

Dan-at-Dixon
Occasional Contributor

Re: MSM775 Access Control Multiple sites

Q: What hoops do you wish the public to jump through in order to gain the free internet access?
A: Just HTML Authentication

Q: Where is your DHCP service - is this the "built-in" service of the controller itself?
A: DHCP service is provided by a SonicWall located at their site.

Thanks,
  Dan

Ian Vaughan
Honored Contributor

Re: MSM775 Access Control Multiple sites

Howdy,

Just to level set:

Have you tested that the trunked link into the AP is properly delivering VLAN 9 as a tagged network on the trunk? If you were to plug a mini switch into where the AP lives and the switch had a trunk and an access port in VLAN 9, would the client get an IP address in the right subnet from the SonicWall?

Thinking about it I'm sure there was a rule about if you want to break-out locally you have to use a non-Access-Controlled VSC. Access controlled means the traffic gets back-hauled to the controller (and then uses the egress VLAN aligned to the VSC or follows the defaults to push traffic out of the box).

There is a "VSC Data Flow" diagram in one of the manuals - it was MSM Controller Config Guide or suchlike.

There is also a useful chart entitled "Traffic Flow for Wireless Users" that will help.

If we need to think outside the box, what Ethernet switch have you got behind the AP providing the trunk? - a lot of the Comware ones can do a per-session HTML user login or a portal redirect but how would you centrally manage that function?

Might be better to aggregate all of that public traffic into a single pool behind the controller (you can always rate-limit it across the WAN) and egress it all from one place.

HTH

Ian

Dan-at-Dixon
Occasional Contributor

Re: MSM775 Access Control Multiple sites

Ian,
  Thank you for getting back to me -

Yes, VLAN 9 is working correctly. I currently have the production-side of everything working and everyone is able to connect at the sites and the like successfully without AC.

On the VSC profile, there is an option to egress Unauth, Auth and Intercepted traffic to different VLANs - if each of our locations has VLAN 7 as a break-out, if I were to set the egress to VLAN 7, would that push traffic out on VLAN 7 at that location?

We have sites located all around the country, some of which have limited bandwidth as it is, including our main HQ. Piping all the public traffic through the controller and out our internet connection is not really logical, in my opinion.

I will try to locate the manuals you're referring to - hopefully they're online somewhere.

Thanks,
  Dan

Ian Vaughan
Honored Contributor

Re: MSM775 Access Control Multiple sites

Howdy,

Have a look here - http://h20565.www2.hpe.com/portal/site/hpsc/template.PAGE/public/psi/manualsResults/?sp4ts.oid=3963981&spf_p.tpst=psiContentResults&spf_p.prp_psiContentResults=wsrp-navigationalState%3Daction%253Dmanualslist%257Ccontentid%253DUser-Guide-%252528how-to-use%252529%257Clang%253Den&javax.portlet.begCacheTok=com.vignette.cachetoken&javax.portlet.endCacheTok=com.vignette.cachetoken

Controller config guide at a whopping 17MB should give you a few clues!

The study Guide book from HP(E) press for the old HP0-Y44 "HP ASE Wireless Networks" is crammed full of this stuff and is maybe worth picking up secondhand.

I see the code has moved on a bit and picked up a few more options. Maybe I need to blow the dust off and update my MSM760 test rig :-)

If you are on the latest 6.6.2 code at least you will be as up to date as you can be.

Kind regards

Ian

Arimo
Respected Contributor

Re: MSM775 Access Control Multiple sites

"If you are on the latest 6.6.2 code at least you will be as up to date as you can be"

Nope... current code is 6.6.4 (look under Maintenance releases), and 6.6.5 is expected in a few weeks...


HTH,

Arimo
HPE Networking Engineer