I have recently purchased a PA-500, waiting for its delivery and have yet to set one up in anything other than vwire mode.
Our wireless has two SSIDs. Each SSID has its own VLAN and DHCP server. Problem is the students have become wise enough to switch to the guest SSID. When they switch to the guest their IP goes from 10.1.x.x to 10.64.x.x. 10.64.x.x has no access to the DCs. My guess is that the PA will lose track of the User-ID because of the IP address change.
One option I have is to set the guest wireless to use our internal DHCP/DNS and the same vlan. The wireless controller (ruckus) separates the guest traffic from the internal network via ACL controls (other than DNS and DHCP) so that the only IP the "guests" can see is the gateway. Point being that even if the students switch to the guest network their IP address should stay the same even though their traffic is completely segmented from the DCs/Exchange/etc.
Question is: Will the User-ID work as long as the user's IP address does not change even though the user's computer cannot get to the internal network?
PS: Students are using OS X laptops.
I believe once they're mapped, the mapping will stay that way even if they can't access the internal network, but there is a timeout that will eventually happen and they will no longer be mapped.
From the situation you've laid out, I think captive portal for your guest network would be of great use.
Captive Portal will redirect all unknown (non-mapped) users to a login page, forcing the person to login before they can browse the web. This way every user on your guest network will remain mapped.
There is documentation and articles in our KnowledgePoint section of the support portal that can help with configuration.
Thank you for your suggestions. Our situation is quite complex (for such a small environment), I won't bore you with the details, but bottom line the guest network is to be left wide open except for app filtering and URL filtering.
Sounds like my plan should work!
Also note that if you are using Captive Portal for an internet access network (well, any network for that matter, but as an example) I would strongly suggest you use Protected VLAN along with DHCP Snooping (with Option 82) in your access layer.
With Protected VLANs the clients are separated from each other (otherwise one client could steal another client's credentials so the wrong person is being blamed, for example, for pr0nsurfing or filesharing or whatever). Don't forget to use Private VLAN on the aggregations to keep the isolation between clients all the way until the PA box.
The point of DHCP Snooping (with Option 82) is to block rogue DHCP servers but also to get a log of the physical location of the client (which switch and which interface on the switch this particular client was connected to).
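As an added example (not code from this thread, from Palo Alto or from Ruckus), the following Python decoder shows what the Option 82 location log described above is actually built from: a switch doing DHCP snooping inserts relay agent information (RFC 3046 sub-option 1, Agent Circuit ID, normally the port; sub-option 2, Agent Remote ID, normally the switch) into the client's DHCP request, and a collector can pair that with the client MAC. The switch name, port name and MAC are constructed sample values, and the packet builder only mimics what a snooping switch would forward.

```python
"""Decode DHCP relay agent information (Option 82, RFC 3046) from a raw DHCP payload.

Added example for this thread; not Palo Alto or Ruckus code. All sample values
(MAC, switch name, port name) are constructed.
"""
import struct
from dataclasses import dataclass
from typing import Dict, Optional

DHCP_MAGIC = b"\x63\x82\x53\x63"   # magic cookie that terminates the fixed BOOTP header
OPT_PAD, OPT_MSG_TYPE, OPT_RELAY_AGENT, OPT_END = 0, 53, 82, 255
SUBOPT_CIRCUIT_ID, SUBOPT_REMOTE_ID = 1, 2
HEADER_LEN = 236                   # fixed BOOTP header length before the cookie


@dataclass
class RelayInfo:
    client_mac: str
    circuit_id: Optional[bytes]
    remote_id: Optional[bytes]


def parse_tlv(payload: bytes, top_level: bool) -> Dict[int, bytes]:
    """Walk a code/length/value list. Top-level DHCP options honour PAD and END;
    Option 82 sub-options do not (RFC 3046 defines no pad/end sub-option)."""
    out: Dict[int, bytes] = {}
    i = 0
    while i < len(payload):
        code = payload[i]
        if top_level and code == OPT_PAD:
            i += 1
            continue
        if top_level and code == OPT_END:
            break
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option body")
        out[code] = value
        i += 2 + length
    return out


def parse_relay_agent_info(packet: bytes) -> RelayInfo:
    """Return the client MAC and the Option 82 sub-options from a raw DHCP payload."""
    if len(packet) < HEADER_LEN + 4 or packet[HEADER_LEN:HEADER_LEN + 4] != DHCP_MAGIC:
        raise ValueError("not a DHCP packet (missing magic cookie)")
    hlen = packet[2]
    if hlen > 16:
        raise ValueError("invalid hardware address length")
    chaddr = packet[28:28 + hlen]
    mac = ":".join(f"{b:02x}" for b in chaddr)
    opts = parse_tlv(packet[HEADER_LEN + 4:], top_level=True)
    circuit_id = remote_id = None
    if OPT_RELAY_AGENT in opts:
        sub = parse_tlv(opts[OPT_RELAY_AGENT], top_level=False)
        circuit_id = sub.get(SUBOPT_CIRCUIT_ID)
        remote_id = sub.get(SUBOPT_REMOTE_ID)
    return RelayInfo(mac, circuit_id, remote_id)


def _printable(raw: Optional[bytes]) -> str:
    """Show ASCII IDs as text; anything else (e.g. a binary vlan/module/port encoding) as hex."""
    if raw is None:
        return "<absent>"
    if all(32 <= b < 127 for b in raw):
        return raw.decode("ascii")
    return raw.hex()


def location_log_line(info: RelayInfo) -> str:
    """The 'which switch and which port was this client on' record the post describes."""
    return (f"client={info.client_mac} switch={_printable(info.remote_id)} "
            f"port={_printable(info.circuit_id)}")


def build_sample_discover(mac: bytes, circuit_id: bytes, remote_id: bytes) -> bytes:
    """Constructed DHCPDISCOVER as a snooping switch would forward it, with Option 82 inserted."""
    # op=BOOTREQUEST, htype=Ethernet, hlen=6, hops=0, xid, secs, flags(broadcast), four zero addresses
    fixed = struct.pack("!BBBBIHH4s4s4s4s", 1, 1, 6, 0, 0x3903F326, 0, 0x8000,
                        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4)
    fixed += mac.ljust(16, b"\0") + b"\0" * 64 + b"\0" * 128   # chaddr, sname, file
    sub = bytes([SUBOPT_CIRCUIT_ID, len(circuit_id)]) + circuit_id \
        + bytes([SUBOPT_REMOTE_ID, len(remote_id)]) + remote_id
    options = bytes([OPT_MSG_TYPE, 1, 1])                      # message type: DHCPDISCOVER
    options += bytes([OPT_RELAY_AGENT, len(sub)]) + sub
    options += bytes([OPT_END])
    return fixed + DHCP_MAGIC + options


if __name__ == "__main__":
    pkt = build_sample_discover(bytes.fromhex("001122334455"), b"Gi1/0/7", b"sw-library-1")
    print(location_log_line(parse_relay_agent_info(pkt)))
```

The decoder refuses truncated options rather than guessing, because a snooping collector that silently accepts a malformed Option 82 would log a wrong port for a client; in a real deployment the Circuit ID format is whatever the switch vendor emits (often binary rather than the ASCII used here), so the hex fallback is what you would actually see until you map it to port names.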