EasyPass Onboarding with separate VLAN for each user

Hello,

I am trying to set up a WiFi network for an application where multiple users will require connectivity to the same SSID and be isolated from each other. I will explain further:

This dorm will house many different individuals coming and going, some for a week, others for months. The total user count could exceed 50 x 3 devices each at any given time. The thought was to create a single SSID for all users. The users would log in using the EasyPass Onboarding portal giving each user a User-PSK. This would allow us to manage user accounts without giving each guest a generic passcode. The only issue with this configuration is that every user will be on the same network.

Any thoughts on a way we can segregate each client on a separate "network" while using the same SSID?

What you’re trying to accomplish is certainly possible and my organization is currently doing it in production, just on a smaller scale with more like 3 or 4 VLANs rather than 50+. Here’s how we do it:

Management VLAN = 10.1.1.0/24 with a gateway of 10.1.1.10

User A = VLAN 51 = 10.1.51.0/24 with a gateway of 10.1.51.10
User B = VLAN 52 = 10.1.52.0/24 with a gateway of 10.1.52.10
User C = VLAN 53 = 10.1.53.0/24 with a gateway of 10.1.53.10
etc.

We use 802.1X RADIUS authentication to dynamically assign VLANs based on user credentials.
We use a free, open-source, third-party product called PacketFence (https://www.packetfence.org).
PacketFence allows us to create connection profiles and roles that specify:
If username = User A then assign role VLAN51
If username = User B then assign role VLAN52
If username = unknown then assign role REJECT

All users connect to the same SSID with a unique username and password.

To keep each VLAN private, we set up rules on the gateway to block traffic between each VLAN. For example, you’ll need to allow a minimum of things like ports 80, 443, DNS, and DHCP to pass from the user VLANs to the management VLAN, but you’ll block all traffic between user VLANs. Users’ personal devices will be able to communicate with each other on their private VLAN for file sharing, wireless printing, Chromecast, Apple TV, etc., but each user VLAN will be isolated from all other user VLANs.

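As an added illustration of the two controls in the reply above (this is constructed example code, not PacketFence's or any vendor's own logic), the following Python models the username-to-VLAN role table returned to the access point as standard RADIUS tunnel attributes (RFC 3580: Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID) and a policy check for the gateway rules that let user VLANs reach the management VLAN on a few ports while blocking all user-to-user VLAN traffic. The usernames and the 10.1.x.0/24 plan are the reply's examples; the exact allowed port list and the "management may reach user VLANs" rule are assumptions.

```python
"""Constructed model of per-user dynamic VLAN assignment plus inter-VLAN gateway policy.
Not PacketFence or vendor code; subnet plan and usernames follow the forum reply."""
import ipaddress

# Role table from the reply: "If username = User A then assign role VLAN51", etc.
USER_VLANS = {"User A": 51, "User B": 52, "User C": 53}

MGMT_SUBNET = ipaddress.ip_network("10.1.1.0/24")


def user_subnet(vlan):
    """Reply's addressing plan: VLAN N lives in 10.1.N.0/24."""
    return ipaddress.ip_network(f"10.1.{vlan}.0/24")


def radius_authorize(username):
    """Return the RADIUS Access-Accept attributes a NAS needs to place the
    client in its VLAN (RFC 3580 tunnel attributes), or None for a reject
    ("If username = unknown then assign role REJECT")."""
    vlan = USER_VLANS.get(username)
    if vlan is None:
        return None
    return {
        "Tunnel-Type": "VLAN",
        "Tunnel-Medium-Type": "IEEE-802",
        "Tunnel-Private-Group-Id": str(vlan),
    }


# Services a user VLAN may reach on the management VLAN (assumed minimum set:
# HTTP, HTTPS, DNS, DHCP; DHCP is modelled as unicast relay/renewal traffic).
ALLOWED_TO_MGMT = {
    ("tcp", 80), ("tcp", 443),
    ("udp", 53), ("tcp", 53),
    ("udp", 67), ("udp", 68),
}


def classify(ip):
    """Map an address to 'mgmt', a user VLAN id, or None if it is in no known VLAN."""
    addr = ipaddress.ip_address(ip)
    if addr in MGMT_SUBNET:
        return "mgmt"
    for vlan in USER_VLANS.values():
        if addr in user_subnet(vlan):
            return vlan
    return None


def gateway_allows(src_ip, dst_ip, proto, dport):
    """Decide whether the gateway forwards a flow between VLANs.

    - Same VLAN: devices talk directly (file sharing, AirPlay, printing), so allowed.
    - User VLAN -> management VLAN: only the listed service ports.
    - Management VLAN -> user VLAN: allowed (assumption; tighten as needed).
    - User VLAN -> another user VLAN: always blocked.
    """
    src, dst = classify(src_ip), classify(dst_ip)
    if src is None or dst is None:
        return False
    if src == dst:
        return True
    if dst == "mgmt":
        return (proto, dport) in ALLOWED_TO_MGMT
    if src == "mgmt":
        return True
    return False


if __name__ == "__main__":
    print(radius_authorize("User A"))
    print(gateway_allows("10.1.51.20", "10.1.1.10", "tcp", 443))   # user -> mgmt HTTPS
    print(gateway_allows("10.1.51.20", "10.1.52.20", "tcp", 445))  # user -> other user
```

A quick way to use this as a check before touching the real gateway is to list the flows you expect to work (each user VLAN to the management gateway on 80/443/53) and the flows you expect to fail (any user VLAN to any other user VLAN), and confirm the policy table gives the intended answer for every pair before translating it into firewall rules.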