Single SSID w/ 1000+ Clients

I'm working on setting up a single guest access SSID on a Cisco 5508 WLAN controller for clients to use on our campus. When dealing with 1000+ clients, there are segmenting options such as a single large subnet (/21 or so), AP groups w/ smaller subnets, and interface groups with smaller subnets (VLAN Select feature). Which method is considered best practice? Is there a "magic" number of clients where you would want to start using multiple smaller subnets instead of a single large one?

How it works is you have a single wlan. Today you select a single dynamic interface for that wlan. If you create an interface group you add multiple dynamic interfaces to the interface group. You then select the interface group to the wlan rather than the single dynamic interface you do today. As clients connect they round robin through the dynamic interfaces you selected for the WLAN.
Make sense?
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
‎"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."

Similar Messages

  • ISE Single SSID BYOD - Windows Endpoint user experience

    We are implementing wireless BYOD using Cisco ISE 1.2 and WLC 7.4x. We are using PEAP / MS-CHAP v2 for wireless security. We are able to on-board iOS, Android, and MAC OS endpoints using single SSID, and native supplicant provisioning seems to work fine with these endpoints. We are having issues with Windows clients. On a Windows client, when the user selects the SSID, it prompts for userid/password, but never gets a pop-up for the server certificate. We are using a third-party public wildcard certificate on ISE for HTTP/EAP authentication. On ISE, we are getting: 12511 Unexpectedly received TLS alert message; treating as a rejection by the client.

    12511
    EAP
    Unexpectedly received TLS alert message; treating as a rejection by the client
    While trying to negotiate a TLS handshake with the client, ISE received an unexpected TLS alert message. This might be due to the supplicant not trusting the ISE server certificate for some reason. ISE treated the unexpected message as a sign that the client rejected the tunnel establishment.
    Warn

  • Dynamic vlan assignment with single SSID

    Hi All,
    I have 300 APs deployed and concurrent client associations that number 3000+ daily.
    At the moment I have a single subnet for all users; there is no authentication, just a click-through
    page with email entry to gain access.
    The APs are assigned to groups based upon the building zone they are in. Is it possible to
    assign a VLAN based upon the AP the user is associated to but still only broadcast a single SSID?
    TIA

    You can assign a dynamic VLAN for 802.1X authentication using AAA override from the RADIUS server.
    In your case, since it is a webconsent SSID, you can use AP groups to put clients on different VLANs per AP group.
    Sent from Cisco Technical Support iPhone App

  • Single SSID & DHCP

    If possible, how would a single SSID on an Aironet AP be able to provide LAN access to two different subnets?
    I believe a routing (router) needs to be present to route between two subnets.
    In example,
         SSID "Visitor" can send IPv4 mobile devices to either subnet 192.168.1.0 or to subnet 10.0.0.0
    Thank you!                  

    Yes, it is possible using dynamic VLAN assignment with ISE or ACS.
    Plus, that mode normally works if you want to group multiple APs (placed in different places) and you want the SSID to remain the same whenever a client moves to any location while the VLAN changes behind the scenes; even the security can be the same.
    Hope this helps.

  • Multiple Passphrases for a Single SSID ?

    We are getting ready to deploy a special SSID for handheld devices to be used on.
    Is there any way to have multiple passphrases for a single SSID? The reason I am looking at this is that we may have users who come into one of our offices and may not have gotten/received the email advising of the passphrase change. My hope would be that we could implement Passphrase A when we initially deploy the new SSID and then in, say, 3 months, change the password. We would like to leave Passphrase A active for about a week, which should be sufficient time for them to change it, and then we could delete Passphrase A, leaving only Passphrase B active. In WEP there was something like this, but I don't see this as an option in WPA2. Unfortunately, with some of the devices that I have looked at, WPA2 Enterprise isn't an option, so that is why I am looking at things from this perspective.
    Any suggestions would be appreciated.
    Ron

    Hello Ronald,
    No, you cannot have multiple passphrases or WPA pre-shared keys for the same SSID.
    Thank you,
    Serge

  • Cisco ISE 1.1.1 - Single SSID

    I'm working on our ISE implementation and these are my two goals.
    1.  Single SSID for BYOD users and corporate managed systems.
    Login to the NAC agent if not part of the domain (EX: windows laptop not part of the domain joins the SSID, goes through the self service portal, downloads NAC agent, must login to NAC agent whenever joining network with AD credentials)
    AD login required to join this SSID, no guests allowed
    2.  Guest SSID
    Guest login only - requires sponsor
    web agent required for windows machine
    AV required
    Current AV definitions required
    Are these goals attainable or am I better to go in a different direction is my first question.
    Second, using the Cisco BYOD Smart Solution Guide (link at bottom of post) it mentions the single SSID as not being a complicated component but it only runs through the dual SSID solution, what settings are needed for a single SSID? I'm using Open + MAC Filtering but when the supplicant attempts to connect it doesn't work because it's looking for a WPA2 network with the same SSID name.
    http://www.cisco.com/en/US/docs/solutions/Enterprise/Borderless_Networks/Unified_Access/byoddg.html
    Single SSID is specifically mentioned here:
    http://www.cisco.com/en/US/docs/solutions/Enterprise/Borderless_Networks/Unified_Access/byoddg.html#wp504735

    David,
    What the documentation did was that it created a condition which does the check for the ssid in the access-request:
    Guest_Authz is a user-defined simple authorization condition for guests  accessing the Internet via Web authentication through the WLAN  corresponding to the open guest SSID. It matches the following RADIUS AV  pair from the Airespace dictionary:
         Airespace-Wlan-Id - [1] EQUALS 1
    So that when the user connects to the network they are connecting through the guest ssid in which this has the wlan id of 1. Either you can do that in your authorization rule right in the screenshot or you can create this condition under the policy elements tab.
    Thanks,
    Tarik Admani
    *Please rate helpful posts*

  • ISE and Selfservice with single SSID

    Hi, I have:
    WLAN 2504 Controller with 7.2 Software
    ISE 1.1.2
    A single SSID with 802.1x Authentication
    Today the wireless users are authenticated against a Cisco ACS. I want to switch to the ISE and make use of the mydevices portal. I want to re-use my single SSID and don't want to do any provisioning.
    - The user connects to the single SSID
    - The user configures peap authentication on his device
    - The user authenticates to a ldap directory with username and password
    - After successful authentication the user will be redirected to the mydevices portal
    - he logs in with his ldap credentials
    - the mac address of his current device is listed in the mydevice portal
    - user adds his device to the known devices list
    - manual reconnect to my ssid
    Is this possible with ISE? Is there a howto out there with exactly this scenario?
    Kind regards

    Hello Andreas,
    WLC 2504 supports CWA, CoA & dACL.
    This wireless controller also supports MAC filtering with RADIUS lookup. For WLCs that support version 7.2.103.0, there is support for session ID and COA with MAC filtering so it is more MAB-like. So it should fulfill your requirement and you can use single SSID.
    For more detailed help review “Universal WLC Configuration Guide” & “ISE 1.1.x Network Component Compatibility” at the following location:
    http://www.cisco.com/en/US/solutions/collateral/ns340/ns414/ns742/ns744/docs/howto_11_universal_wlc_config.pdf
    http://www.cisco.com/en/US/partner/docs/security/ise/1.1.1/compatibility/ise_sdt.html
    Regards,
    Ashok

  • Tuxedo 8.1 single context multithreaded workstation client

    We just moved to Tuxedo 8.1 from Tuxedo 7.1. One of our applications has started to fail. This particular application is a single context multithreaded workstation client. All Tuxedo operations are performed from the same child thread. The BEA documentation is a little confusing on this topic. Are we required to use the multi context flag?

    It should not be necessary to use the TPMULTICONTEXTS flag for a
    single-context client, even if it is multithreaded. What is the nature of
    the failure that you are seeing?
    <Jacque Cole> wrote in message news:[email protected]..
    We just moved to Tuxedo 8.1 from Tuxedo 7.1. One of our applications has
    started to fail. This particular application is a single context
    multithreaded workstation client. All Tuxedo operations are performed
    from the same child thread. The BEA documentation is a little confusing
    on this topic. Are we required to use the multi context flag?

  • Large Subnet for single SSID

    I am looking for a design guide to help me split up a large subnet for a Cisco Wireless network.  We have a Campus with a centralised Wsim and a single SSID.  We are hoping to be able to keep the single SSID but split the subnet as it is now quite large and we would like to reduce the broadcast domain to a manageable size.  I have found a number which have different SSID but we would like to keep only 1 as it simplifies the user experience. 

    Adding to Scott's post: if you are doing 802.1x, you can use dynamic VLAN assignment to achieve the results as well.
    AAA returns attributes 64/65/81 to the WLC, to change the VLAN the user gets put into.  You do still need to create the dynamic interfaces on the WLC.
    HTH,
    Steve
    Please remember to rate useful posts, and mark questions as answered
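
Added example, not part of the post above and not Cisco code: a Python sketch that decodes RADIUS attributes 64/65/81 (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID, RFC 2868) from the attribute section of an Access-Accept and returns the VLAN they assign. The function names, the constructed sample bytes and the strict rule that all three attributes must share one tag are assumptions of this sketch; the values 13 (VLAN) and 6 (IEEE-802) are the standard ones for VLAN assignment.

```python
# RFC 2868 tunnel attributes used for per-user VLAN assignment
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TT_VLAN, TMT_IEEE_802 = 13, 6  # the values a VLAN assignment must carry


def encode_attr(attr_type, value):
    """Encode one RADIUS attribute: Type (1 octet), Length (1 octet), Value."""
    return bytes([attr_type, len(value) + 2]) + value


def parse_attrs(blob):
    """Split a RADIUS attribute section into (type, value) pairs."""
    attrs, i = [], 0
    while i < len(blob):
        if len(blob) - i < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError(f"bad length {length} in attribute {attr_type}")
        attrs.append((attr_type, blob[i + 2:i + length]))
        i += length
    return attrs


def vlan_from_accept(blob):
    """Return the VLAN ID or name assigned by the attributes, else None."""
    tunnels = {}  # tag -> {attribute type: decoded value}
    for attr_type, value in parse_attrs(blob):
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if len(value) != 4:
                raise ValueError(f"attribute {attr_type} must be tag + 3 octets")
            tag = value[0] if value[0] <= 0x1F else 0
            tunnels.setdefault(tag, {})[attr_type] = int.from_bytes(value[1:], "big")
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID and value:
            # A leading octet <= 0x1F is the tag; otherwise it is part of the string.
            tag, text = (value[0], value[1:]) if value[0] <= 0x1F else (0, value)
            tunnels.setdefault(tag, {})[attr_type] = text.decode("ascii")
    for t in tunnels.values():  # strict (assumption): all three share one tag
        if (t.get(TUNNEL_TYPE) == TT_VLAN and t.get(TUNNEL_MEDIUM_TYPE) == TMT_IEEE_802
                and t.get(TUNNEL_PRIVATE_GROUP_ID)):
            return t[TUNNEL_PRIVATE_GROUP_ID]
    return None


# Constructed sample (not captured traffic): untagged reply assigning VLAN 120
SAMPLE_ACCEPT = (encode_attr(TUNNEL_TYPE, (13).to_bytes(4, "big"))
                 + encode_attr(TUNNEL_MEDIUM_TYPE, (6).to_bytes(4, "big"))
                 + encode_attr(TUNNEL_PRIVATE_GROUP_ID, b"120"))

if __name__ == "__main__":
    print(vlan_from_accept(SAMPLE_ACCEPT))
```

A reply that returns `None` here lacks a complete VLAN triple, which is worth checking when a client lands on an unexpected segment.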

  • Binding multiple VLANs to single SSID on WLC

    I have a building with over 4000 users and would like to bind multiple VLANs for user access to a single SSID in WLC. Can this be done? I would rather not have 4000 wireless users on a single VLAN.

    The question is tough. You can not use the SSID in one AP for multiple VLANs. Once you assign the AP to the VLAN then you will have to make all traffic in the VLAN. With that being said, you could assign the APs to specific VLANs, but if you roam from one VLAN to another you will have problems at L3. But you can use WDS to make that happen.
    Here are a couple of links that might help.
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_q_and_a_item09186a00804d4421.shtml
    http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_guide_chapter09186a0080184ace.html

  • I have multiple SSID, but want users of a single SSID to be redirected to a HTTP or HTTPS URL (LAN SERVER for authentication)

    Hi team,
    I have multiple SSID, but want users of a single SSID to be redirected to a HTTP or HTTPS URL (LAN SERVER for authentication)
    I am very curious and it is important. I want to see how to achieve this with CISCO WLC !!!

    http://10.229.3.99/login.html?switch_url=https://1.1.1.1/login.html&ap_mac=e8:40:40:ad:cc:80&wlan=MO-GUEST&redirect=/login.html?switch_url=https://1.1.1.1/login.html&ap_mac=e8:40:40:ad:cc:80&wlan=MO-GUEST&redirect=/login.html?switch_url=https://1.1.1.1/login.html&ap_mac=e8:40:40:ad:cc:80&wlan=MO-GUEST&redirect=/login.html?switch_url=https://1.1.1.1/login.html&ap_mac=e8:40:40:ad:cc:80&wlan=MO-GUEST&redirect=/login.html?switch_url=https://1.1.1.1/login.html&ap_mac=e8:40:40:ad:cc:80&wlan=MO-GUEST&redirect=/login.html?switch_url=https://1.1.1.1/login.html&ap_mac=e8:40:40:ad:cc:80&wlan=MO-GUEST&redirect=/login.html?switch_url=https://1.1.1.1/login.html&ap_mac=e8:40:40:ad:cc:80&wlan=MO-GUEST&redirect=/login.html?switch_url=https://1.1.1.1/login.html&ap_mac=e8:40:40:ad:cc:80&wlan=MO-GUEST&redirect=10.229.3.99/login.html?switch_url=https://1.1.1.1/login.html&ap_mac=e8:40:40:ad:cc:80&wlan=MO-GUEST&redirect=www.geo.tv/
    I wanted that if someone connects to WLAN "MO-GUEST", the user should automatically be redirected to http://10.229.3.99/login.html and, once authenticated by 10.229.3.99, he/she should be allowed to access anything as normal. (Actually I just want automatic URL redirection for the first time for the user of WLAN "MO-GUEST".)
    waiting expert opinions.

  • Single SSID and ACS

    Hi,
    I would like your help in the following scenario, we currently have a setup of CAS CAM, LDAP, WISM and ACS,
    The main point I'm focusing on is the ACS and WISM.
    Users are to obtain wireless access using a single SSID, and upon validation of credentials, they should gain access to one of 3 vlans, guest, data and voice, the use of separate SSID per vlan was highly discouraged by customer.
    Would appreciate your advice on the best feasible way to implement this.
    Regards,

    Hi,
    You can have a single SSID in your setup. You need to set up a feature called Dynamic VLAN Assignment.
    Check out this link,
    http://www.cisco.com/en/US/partner/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml
    Regards,
    ~JG
    Please rate if that helps !

  • Mixed H-REAP on a single SSID

    Can I have a single SSID assigned to H-REAP sites and to my HQ site? The HQ site would not need H-REAP and runs mainly 1230 APs so it's not even possible.
    --Patrick

    Nope.... Your WLAN SSID is either locally switched or centrally switched.... unless you have all traffic back to the WLC.

  • WLC 2504 client only connects at 5.5Mbps for Single SSID

    Hi,
    I have a WLC2504 with three SSIDs configured and I have noticed that when my laptop connects to the main one it will only connect at 5.5Mbps. When I connect to the other two I get the full 72Mbps that my wireless card will allow. I have checked the SSID configuration but I cannot see anything that would cause this behaviour. Do you have any ideas/suggestions?
    Thanks.
    Gerry.

    Hi,
    Sometimes it also happens due to co-channel interference; try setting up any other channel on the 1st SSID and then check the connection speed.

  • Single user mode or client install?

    Finally got my mini server ordered again (long story maybe later) I will be using it as my main computer and am wondering what is the easiest set up, boot up in single user mode or install SL client?
    JJ

    Ok So maybe word it a bit different, what is the easiest way to transfer all my stuff from my MBP to have the mini set up exactly as my MBP?
    JJ
