Problem solve Get help with specific problems with your technologies, process and projects.

Implementing a split VLAN wireless infrastructure

We are implementing a wireless infrastructure and we're proposing a split VLAN structure. Do you have any suggestions?

We are implementing a wireless infrastructure. We are proposing a split VLAN structure, meaning an authenticated access and internet only. Once a wireless user is determined to have internet only access, we want them forwarded to a disclaimer website prior to being given internet access. Any suggestions?
There are two common methods of doing what you want. One is to make the decision at the access point, and the other is to make the decision at a wireless gateway/switch.

To make the decision at the access point, you'd use an AP that supports VLAN tagging based on SSID. You'd define one SSID for unauthenticated Internet access (VLAN #1), and another SSID for authenticated private network access (VLAN #2). You'd need to connect your APs to a VLAN-capable switch to relay VLAN #1 traffic in one direction, VLAN #2 traffic in the other direction. You'd send VLAN #1 traffic through a web portal, for example NoCatSplash, to display your disclaimer page.

To make the decision at a wireless gateway/switch, you can use any AP and one or more SSIDs (depending on your desired link layer security architecture). The gateway/switch will be responsible for acting as the web portal, displaying a login page, letting guests "click through" without authenticating, providing real user authentication for others, and enforcing role-based access control. Many wireless gateways and switches can also apply VLAN tags based on authenticated role. Andy Dornan wrote a nice overview of WLAN gateways and switches for Network Magazine; you'll find plenty of vendor product URLs there.

Dig Deeper on Mobile networking

Join the conversation

1 comment

Send me notifications when other members comment.

Please create a username to comment.

The NoCatSplash link is broken.