
Author Topic: Juniper WLC Different SSID's/Auth Methods In The Same VLAN/subnet  (Read 6456 times)


Offline bylie

  • Sr. Member
  • Posts: 149
Hi,

We've been using a couple of Juniper WLCs for some years now and, due to a big reorganisation, we're also going to need to change our network addressing. We're currently using 1 VLAN/subnet per type of SSID, like so:

- SSID: secured (802.1X) => VLAN_secured
- SSID: public (captive webportal) => VLAN_public
- SSID: eduroam (802.1X) => VLAN_eduroam

In the new network plan the idea is to have 3 types of users (A = most trusted, B = less trusted/BYOD, X = guests), whether they're connecting wired or wireless. We were thinking of just carving out a VLAN/subnet per type of user (and doing this per site) and, in certain cases, dynamically assigning them to an SSID as necessary:

- SSID: secured (802.1X) => VLAN_type_A (staff) or VLAN_type_B (students)
- SSID: public (captive webportal) => VLAN_type_B (staff or students) or VLAN_type_X (guestaccounts)
- SSID: eduroam (802.1X) => VLAN_type_X (staff, students or eduroam guests)

Is this sort of setup possible, because we're basically going to have users from different SSIDs and with different authentication methods in the same VLANs/subnets in certain circumstances? We're going to treat them as the same type of users; it's just their method of authentication that's different. Are there any disadvantages in doing a setup like this? Our first thought is that this sort of setup should be possible because configuration parameters such as auth methods, ACLs, captive webportals, QoS settings, ... are associated with the wireless service (or SSID) and not directly with the VLAN.


Offline Michael McNamara

  • Administrator
  • Hero Member
  • Posts: 3840
Re: Juniper WLC Different SSID's/Auth Methods In The Same VLAN/subnet
« Reply #1 on: January 17, 2013, 11:30:38 AM »
Hi bylie,

I don't see anything "wrong" with it... but I know that every organization does it a little different which is fine as long as it addresses their needs and wants.

Cheers!

Offline Jeroen

  • Full Member
  • Posts: 56
Re: Juniper WLC Different SSID's/Auth Methods In The Same VLAN/subnet
« Reply #2 on: January 24, 2013, 03:23:04 AM »
Hi Bylie,

As Michael mentioned, there will not be an issue applying this new design.
Technically it's not a problem to accomplish. From a security perspective, I would recommend assigning users with the same type of authentication and encryption to one VLAN, especially your secure (internal) one. If you do allow a combination of multiple authentication or encryption methods, your weakest link regarding your network/data security will be the less secure method being used.
You are right about the settings being related to the service profile. You can assign, for example, your QoS settings to different service profiles to maintain prioritization throughout all your WLAN VLANs.

Good luck!

Offline bylie

  • Sr. Member
  • Posts: 149
Re: Juniper WLC Different SSID's/Auth Methods In The Same VLAN/subnet
« Reply #3 on: January 25, 2013, 02:33:06 PM »
Quote from: Jeroen
> From a security perspective, I would recommend to assign users with the same type of authentication and encryption to one VLAN, especially your secure (internal) one. If you do allow a combination of multiple authentication or encryption methods, your weakest link regarding your network/data security will be the less secure method being used.

What would be the advantage of creating multiple VLANs for essentially the same network access levels but only different authentication methods? They're the same users who would get the same privileges, so I don't really see the advantage of putting them in different VLANs unless I'm missing something. As you can see in the opening post we're currently doing it this way, but when we set this up it was more a way of having enough IPv4 space. That issue is addressed in the new design by using a /20 or doing VLAN pooling if needed. The users are also separated by layer 2 filtering (client isolation) and broadcast suppression.

Offline Jeroen

  • Full Member
  • Posts: 56
Re: Juniper WLC Different SSID's/Auth Methods In The Same VLAN/subnet
« Reply #4 on: February 11, 2013, 02:45:32 AM »
This can be considered when using different types of authentication. For example, I've separated the EAP-TLS from the PEAP authenticated clients by assigning them a different VLAN. These can be secured from each other, which is easier when these users are separated by different VLANs. In other words, you can limit the access to specific resources for PEAP authenticated users.
PEAP has security weaknesses that EAP-TLS doesn't have. For example, anyone with a valid account can connect his own private (unsecured) device within this VLAN, which can be a potential security threat.
If it is purely an IP-address resource issue you are concerned about, you can also use VLAN pooling as you mentioned.
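The dynamic SSID-to-VLAN assignment from the opening post, combined with Jeroen's advice in reply #4 to keep EAP-TLS and PEAP clients in separate VLANs, can be expressed as a RADIUS-side policy: the server decides the VLAN per session and returns it in the RFC 3580 Tunnel-* attributes of the Access-Accept. The following is an added example, not code from the thread or from Juniper; the VLAN and group names come from the posts, while the policy rules (only EAP-TLS staff reach VLAN_type_A, PEAP users on the secured SSID land in VLAN_type_B, anything unmatched is rejected) and the `AuthResult`/`choose_vlan`/`radius_reply` names are assumptions made for illustration. It also assumes the controller honours Tunnel-Private-Group-Id carrying a VLAN name.

```python
"""Per-session VLAN policy for the SSID / user-type scheme discussed in the thread.

Constructed example: the VLAN and group names are the thread's; the rules, the
AuthResult/choose_vlan/radius_reply names and the use of RFC 3580 attributes to
carry the decision are assumptions, not a description of the Juniper WLC itself.
"""
from dataclasses import dataclass

# RFC 3580 values used when a RADIUS server hands a VLAN to a NAS in an Access-Accept.
TUNNEL_TYPE_VLAN = 13        # Tunnel-Type = VLAN
TUNNEL_MEDIUM_IEEE_802 = 6   # Tunnel-Medium-Type = IEEE-802

# Certificate-based method: both device and user are vetted, so it may reach VLAN_type_A.
STRONG_EAP = {"EAP-TLS"}
# Password-based method: accepted, but never trusted with the most-trusted VLAN (reply #4).
WEAK_EAP = {"PEAP"}
ALLOWED_EAP = STRONG_EAP | WEAK_EAP

REJECT = "REJECT"


@dataclass(frozen=True)
class AuthResult:
    """What the authentication step established for one wireless session (constructed)."""
    ssid: str     # "secured", "public" or "eduroam", as in the opening post
    method: str   # "EAP-TLS", "PEAP" or "webportal"
    group: str    # "staff", "student", "guest" or "eduroam"


def choose_vlan(auth: AuthResult) -> str:
    """Map a session to one of the thread's VLANs; unmatched combinations fail closed."""
    if auth.ssid == "secured":
        # Secured SSID is 802.1X only; the weakest method present decides the trust level.
        if auth.method in STRONG_EAP and auth.group == "staff":
            return "VLAN_type_A"
        if auth.method in ALLOWED_EAP and auth.group in {"staff", "student"}:
            return "VLAN_type_B"   # PEAP staff and all students end up here, never in type A
        return REJECT
    if auth.ssid == "public":
        # Captive webportal only: known users share VLAN_type_B, guest accounts go to X.
        if auth.method == "webportal" and auth.group in {"staff", "student"}:
            return "VLAN_type_B"
        if auth.method == "webportal" and auth.group == "guest":
            return "VLAN_type_X"
        return REJECT
    if auth.ssid == "eduroam":
        # Everyone on eduroam is treated as a guest, whatever their home organisation.
        if auth.method in ALLOWED_EAP and auth.group in {"staff", "student", "eduroam"}:
            return "VLAN_type_X"
        return REJECT
    return REJECT


def radius_reply(auth: AuthResult) -> dict:
    """Build the reply attributes that carry the VLAN decision to the controller."""
    vlan = choose_vlan(auth)
    if vlan == REJECT:
        return {"code": "Access-Reject"}
    return {
        "code": "Access-Accept",
        "Tunnel-Type": TUNNEL_TYPE_VLAN,
        "Tunnel-Medium-Type": TUNNEL_MEDIUM_IEEE_802,
        "Tunnel-Private-Group-Id": vlan,   # VLAN name, as assumed the controller accepts
    }


if __name__ == "__main__":
    # Constructed sessions covering each SSID and both EAP methods.
    for session in (
        AuthResult("secured", "EAP-TLS", "staff"),
        AuthResult("secured", "PEAP", "staff"),
        AuthResult("public", "webportal", "guest"),
        AuthResult("eduroam", "PEAP", "eduroam"),
        AuthResult("public", "EAP-TLS", "staff"),
    ):
        print(session, "->", radius_reply(session))
```

The point of splitting `choose_vlan` from `radius_reply` is that the trust decision stays readable as a few rules that mirror the thread's table, while the encoding is the only place that knows about RADIUS attribute numbers; if the controller needs a vendor-specific attribute instead of the RFC 3580 trio, only `radius_reply` changes.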