No, I'd like to know how to set this up without the controller being the DHCP server.
I'm asking more of a design question, not a "how to" question. I'm not looking for a workaround; I want to understand how every bit of it works so that if our customers ask how to do something, or if it can be done, that I have an answer. "Just use the controller's DHCP server" isn't always going to fly.
From a lot of experimenting, I've found a few facts that are necessary to support HTML-based authentication. (Disclaimer: I still haven't succeeded in setting this up yet, due to other unrelated problems.)
- The LAN port must be the gateway for the Guest VSC's subnet.
- If the Controller is now to be used as the Gateway for a subnet, it needs another interface to send the traffic it's routing to. Otherwise from a routing perspective it's a leaf. So the Internet port has to be used also, with a default route in the controller pointing to the Internet port's next hop.
- Use the LAN port's "management" IP address to number the Controller, and have a DHCP scope somewhere in the network for that subnet for the APs' own management IP addresses.
- In the end, you end up with 3 subnets/VLANs:
1 -- Internet port to the outside world gateway (Internet port)
2 -- Controller/AP management (LAN mgmt IP address)
3 -- Guest VSC / wireless clients (LAN port main IP address).
While you could use the Controller for DHCP, so far I've found nothing that indicates you have to, and some IT managers might not want to.
HTML-based authentication shouldn't be hard, but it's quite a wiggle if you want a separate subnet, VLAN and DHCP scope for the guest VSC wireless clients, that does not include any IP address that belongs to the Controller itself. Imagine that!
thanks,
noemi
