
Re: MSM Deployment Scenario - How To Guide

 
Georgeisaac
Advisor


Hi,

 

Excellent guide...will help me a lot in deployments..

 

Can we do certificate with username/password authentication (two-factor authentication) with MSM controller?

 

 

Regards

 

George

JesseR
Regular Advisor


I want to make a small addendum to the information in this guide...

With the 6.0.x firmware, ACLs/attributes will NO LONGER WORK if the tunneled guest traffic routes back out through the LAN port (this can happen in some cases - DEPENDING on your routing configuration within the MSM). I learned this recently after upgrading some of my customer controllers from 5.7.x to 6.0.x. Whereas previously, based on the ACLs/attributes, tunneled traffic on the guest VSC no longer had access to the specific locations (for example, an internally hosted website) that were allowed via the attributes.

Again, in most cases ACLs/attributes will continue to work, except when that traffic is destined for specific locations (via ACLs/attributes) and, based on the controller's routing tables, is pushed out the LAN port.

This is something new in 6.0.x code. I guess it's a bit 'tighter' of a security configuration.

Also, one quick mention....in the guide, I mention TAGGING each AP at the switch port level for the guest VSC and VLAN. This is NOT really necessary IF you always tunnel that traffic through the controller anyways. Really depends on your setup...


George, are you referring to 802.1X EAP/TLS which uses both a certificate and computer/user authentication? If so, yes. I have done that for customers in the past.

Regards,
JR
Jesse R
Source One Technology, Inc.
HP Partner


MSM 5.7.x deployment guide:

Georgeisaac
Advisor


Hi,

 

Thanks for your kind reply..

 

For access controlled users, when you are doing egress VLAN, does it require tagging the Internet port with that particular VLAN? Or will it work with untagged as per the design guide?

 

How do we configure it if multiple access controlled VLANs are required?

 

Can I do dynamic VLAN assignment in access controller users? One SSID, but users should be mapped as per RADIUS attributes. Is it required to configure multiple IP addresses on the Internet port?

 

I am confused. Please help.

 

Regards

George

 

 

 

 

JesseR
Regular Advisor


George,
For access controlled VSCs, you do NOT have to have the AP tagged for that VLAN. I used to do it that way, but I don't anymore...

You can configure multiple access controlled VSCs on the same controller. I have done that on occasion. However, doing that changes the way I typically deploy the MSM controllers. If I need to deploy, for example, (2) different access controlled VSCs, and have each on a different VLAN, then I will NOT assign an IP address to the Internet Port of the controller (which is the default way controllers are set up). Instead, I will do the following (for example):

- From the Network|Network Profiles page, I will create my two profiles, GuestA (on VLAN 30) and GuestB (on VLAN 40).
- From the Network|VLANs page, I will set GuestA as Mapped to the Internet Port (tagged).
- From the Network|VLANs page, I will set GuestB as Mapped to the Internet Port (tagged).
- From the Network|IP Interfaces page, I will remove ALL IP addressing from the Internet port itself.
- From the Network|IP Interfaces page, I will add a New Interface for GuestA and assign it an IP address on that VLAN as applicable.
- From the Network|IP Interfaces page, I will add a New Interface for GuestB and assign it an IP address on that VLAN as applicable.
- On the Switch, I change the actual port where the Internet Port is plugged into from Untagged to Tagged on both VLAN 30 and VLAN 40.
- From Network Tree|Controller|VSC, I will select the GuestA VSC, and then navigate to VSC egress mapping and select the applicable Mapping for all three traffic types.
- From Network Tree|Controller|VSC, I will select the GuestB VSC, and then navigate to VSC egress mapping and select the applicable Mapping for all three traffic types.

I have never yet done dynamic VLAN assignment based on specific users or RADIUS, but I believe it can be done.

Jesse R
Source One Technology, Inc.
HP Partner


MSM 5.7.x deployment guide:

Georgeisaac
Advisor


Thank you Jesse!! You rock!! :)

 

I shared your excellent config guide link in my blog :)

 

Regards

 

George

www.newdaywireless.wordpress.com