ePSK and VLANs

We are getting ready to deploy an ePSK solution in a small boarding house. Our router has 25 VLANs (one for each apartment). We created 25 users in the ePSK and each user has its own VLAN attached to it. We added that WLAN to the Wifi AP group for that location. The problem is, we get an error under AP Groups -> Configuration -> Network when we try to change the Ethernet port to "Trunked Multiple VLANs".  We get "changes could not be saved as the profile is invalid".  Our management VLAN is 1 and all the others are tagged. Whatever we do to the options below, it fails to save. We must be missing something obvious...

This error will pop-up when there is a wrong/unsupported entry in the Network configuration. There are other parameters also (DHCP Pool/PPPoE/Tunnel etc..) which uses the same tab to save the configuration. Please maximize all the configuration tab and check whether any entries are missing or wrongly configured. 




if device are managed from cloud, please send cambium invitation to cie001@cambiumnetworks.com with admin privilege, we shall be able to resolve it 

1 Like

Permission given. The AP Group is: 815 16th Street

However, I think we got it fixed. It looks like burried in "PPPoE", my email address was being auto populated into the VLAN field. No idea why Chrome wanted to do that and since it was rolled up (we never expanded PPPoE), we never saw that. Really confused why chrome tried to auto populate that one random field...


good to hear that we are able to resolve the issue.

Maybe a password manager?

Revisiting this topic. We are ready to deploy an ePSK site and in our tesitng, all the passwords work but none of the VLANs are working. Each password has a different VLAN associated with it - basically each room of this 27 room boarding house has a dedicated VLAN and password. I know the VLANs are working and tagged to the APs but all passwords get an IP off the default VLAN. Clearly a configuration issue but I don't see where.

In my config -> network for the AP group I am allowing all 27 VLANs:

For the WLAN setting, I have to set a default VLAN but figured that would be overridden:

And, here are my settings for ePSK for this WLAN:

You need to add your VLANs to your AP Groups (example below). Everything else looks correct.

Well, I tried that. All that happened is both APs grabbed 27 more IP addresses - one from each VLAN - but the users still got a VLAN 1 IP no matter what password we tried. Is there a way to keep the APs from grabbing an IP from every VLAN?

Can you let us know which AP you are trying this, is it a E410/E600/E430 or E400/E500. As I understand you are running an external DHCP server which is supposed to provide IP address for clients in those VLAN's. You have mentioned that clients are getting IP address from default VLAN 1 but what is the VLAN shown in the wireless client stats? Does that also show as VLAN 1? If stats shows the right VLAN then you want to take packet capture on wired side and see if you get the DHCP Discover packets with the correct VLAN tag and if all VLAN tag turns out to be correct then you will have to debug on your DHCP server on why it's giving IP address from VLAN 1 Pool. Have you also configured any DHCP relay in your network?

These are e400 devices. We are running an external DHCP server on a Mikrotik router on the same local network as the APs. I'll go back out and test what VLAN ID is shown in the wireless client stat. The VLAN given is defiantely VLAN 1.  

When I add all the VLANs to the Configuration - Network - VLANs tab for that WLAN, both APs pull an IP from every VLAN (each AP has 28 IP addresses, one on VLAN 1 and then VLANs 101-126). So, that tells me the DHCP server is working and the VLANs are programmed and tagged properly going to the APs.

No DHCP relay in the network. It is very simple with one router and 2 APs plugged directly into the routers LAN side.

Looks like the beta firmware (3.11.3b10) fixed the VLAN issue with our E400 APs.