Simple wireless question


I have an HP MSM 720 Wi-Fi controller and a few access points. The access switches are also HP.
One subnet is on VLAN 64. The egress network on the MSM controller for a particular SSID is set to a network profile which is associated with VLAN 64.
The thing is that on the HP access switch I forgot to enter the command VLAN 64 (VLAN 64 was just not enabled globally).

When users tried to connect to the SSID associated with VLAN 64, they did not get an IP address from DHCP for VLAN 64.
But the strange thing is that if they manually entered an IP address for VLAN 64, they got an internet connection. But remember that the switch does not know about VLAN 64.

So how to explain this behaviour? Did the packets somehow get untagged? But I always thought that if I'm connecting to a Wi-Fi SSID, then I'm in the particular VLAN for that SSID, so even with a manual IP the switch should drop the packets.

When you configure an SSID on the MSM controller, there are check boxes in Global - use controller for: authentication and access control.

When only Authentication is checked, the controller tells the AP to allow traffic on the local switch port it is connected to. Your RADIUS server must tell the AP which VLAN to use for that user. The AP & switch must have that VLAN configured. When authenticated, user traffic goes from the AP to the switch to the network. DHCP requests go to the router or DHCP server on that VLAN.

When access control is also checked, the traffic is routed back to the controller through a secure tunnel, then sent to the network from the controller's LAN port, then out the egress VLAN configured on this port.

To use the egress network setting on the controller, you have to check both. You may have to use the DHCP server option on the controller as well, because I'm not sure if it relays DHCP requests.

If you used the option to set egress network then you had both checked, so your traffic went back to the controller, not through the switch, so not setting VLAN64 on the switch had no effect.

Been a while since I configured my MSM network - I only use the AC mode for guest networks, so they would not see my DHCP server anyway.