Search
Search

Hotspot authentication for multiple subnet with different VLANs

User Application Requirement
Updated 12-22-2015 09:07:02 AM 54635
Acest ghid este valabil pentru: 

1. Brief Introduction

In today’s enterprise network environment it is very common that network administrator assign different IP subnet for different VLANs and apply different ACL/firewall settings for security concerns. Therefor it is necessary to make different SSIDs belong to different VLANs to comply with the ACL/firewall settings on your Wi-Fi devices. 

You can enable easy authentication with printed vouchers on your Wi-Fi hotspot for clients. But when the computer installed the controller is in a different VLAN and you want to forbid your clients from accessing the controller, here we will give you some instructions on how to achieve this on TP-Link products.

The goals we will achieve in this article are listed as below:

  1. Setup Multi-SSIDs on your EAP device and each SSID has its own VLAN ID and subnet.
  2. The clients connected to the SSIDs can surf the Internet after Hotspot Authentication.
  3. The clients cannot communicate with each other.
  4. Wireless clients can only access the controller via port 8088 for passing through “hotspot authentication”.

2. Topology, IP assignment and port definitions

1) The TL-ER6120 acts as the Internet gateway router and T3700G-28TQ acts as the L3 switch. The below picture depicts the topology:

2) Network address, VLAN and SSID assignment:

 

3) Port assignment on the switch.

3. Configuration on the gateway router

Step 1

Add Multi-nets NAT entries for 172.16.10.0/24 and 172.16.20.0/24 respectively. Without this setting the router will not NAT for these two subnets.

Step 2

Add Static Route entry for 172.16.10.0/24 and 172.16.20.0/24. The next hop for the two subnets should be VLAN 1’s IP on the switch T3700G-28TQ. Static route can let gateway router TL-ER6120 know where to deliver the packets if the destination network is 172.16.10.0/24 or 172.16.20.0/24.

You can refer to FAQ 887 for more detailed configuration of TL-ER6120.

4. Configuration on T3700G-28TQ

Step 1

Change the interface IP for VLAN 1 as 192.168.0.11.

Step 2

Create VLAN 2 and VLAN 3 on the switch. Set port 5 as Tunk port and assign it to both VLAN 2 and VLAN 3.

Step 3

Set the interface IP for VLAN 2 and VLAN 3 respectively. 172.16.10.1/24 is the IP for VLAN 2 and is the gateway for 172.16.10.0/24. 172.16.20.1/24 is the IP for VLAN 3 and is the gateway for 172.16.20.0/24.

Step 4

Add the default route entry so that all the device can use TL-ER6120 as the Internet gateway.

Step 5

Configure “DHCP Server” for VLAN 2 and VLAN 3. The default gateway for VLAN 2 is 172.16.10.1 and for VLAN 3 is 172.16.20.1. The DNS server for both VLAN 2 and VLAN 3 are 192.168.0.1.

Step 6

Configure “Extend-IP ACL” so that clients in different VLAN can’t communicate with each other and can’t get access to the Controller either. But it requires that all of the clients are able to surf the Internet.

The explanation of the 11 rules are as below:

Rule 1: permit devices in VLAN 2 can get access to Controller port 8088 and pass through “hotspot authentication”.

Rule 2: permit Controller transmit data back to device in VLAN 2 through port 8088.

Rule 3: permit device in VLAN 2 can get access internet through gateway router by port 53.

Rule 4: permit gateway router transmit data back to device in VLAN 2.

Rule 5-8 are almost same as rule 1-4, the different is that rule 5-8 are for VLAN 3 while rule 1-4 are for VLAN 2.

Rule 9: deny device in VLAN 2 get access to 192.168.0.0/24 subnet except the permission in rule 1-4.

Rule 10: deny device in VLAN 3 get access to 192.168.0.0/24 subnet except the permission in rule 5-8.

Rule 11: deny device in VLAN 2 communicate with device in VLAN 3.

Note: 

  1. Refer to FAQ 402 for detailed configuration of “Extend-IP ACL”.
  2. Don’t forget to save the configuration.

5. Configuration on the EAP Controller

Step 1

Create two SSIDs in VLAN 2 and VLAN 3 separately. All need to enable “SSID Isolation” function. The “SSID Isolation” function could forbid the clients connected the same SSID from communicating with each other.

Step 2

Choose Hotspot as your authentication type. You will be able to generate a bunch of random voucher codes beforehand. There is a unique code for each user to pass authentication. This function requires your Controller to stay running all the time.

Step 3

Enable the “protal” function to make the Hotspot authentication take effect.

Refer to FAQ915 for detailed configuration of Hotspot Authentication.

6. Conclusion

With the topology and all the settings above, the clients connected to different SSID can surf the Internet after pass Hotspot Authentication, but can’t communicate with each other and can’t get access to the Controller either.

A fost util acest FAQ?

Părerea ta ne ajută să îmbunătățim acest site.

Recommend Products

Abonează-teTP-Link vă protejează intimitatea. Pentru mai multe detalii privind practicile de confidențialitate ale TP-Link, consultați Politica de confidențialitate TP-Link .

Urmărește-ne

Despre TP-Link
Presă
Comenzi
Centrul de Training
Promoții
România / Română
Copyright © 2022 TP-Link Corporation Limited. Toate drepturile sunt rezervate.

From United States?

Get products, events and services for your region.

Apasă Other Option

Acest site web folosește cookie-uri pentru a îmbunătăți experiența navigării web, a analiza activitățile online și a oferi utilizatorilor cea mai bună experiență pe site-ul nostru. Te poți opune utilizării cookie-urilor în orice moment. Poți afla mai multe informații în politica de confidențialitate .

Setări cookie Acceptă toate cookie-urile

Acest site web folosește cookie-uri pentru a îmbunătăți experiența navigării web, a analiza activitățile online și a oferi utilizatorilor cea mai bună experiență pe site-ul nostru. Te poți opune utilizării cookie-urilor în orice moment. Poți afla mai multe informații în politica de confidențialitate .

Cookie-uri de bază

Aceste cookie-uri sunt necesare pentru funcționarea site-ului web și nu pot fi dezactivate în sistemele tale

TP-Link

accepted_local_switcher, tp_privacy_base, tp_privacy_marketing, tp_smb-select-product_scence, tp_smb-select-product_scenceSimple, tp_smb-select-product_userChoice, tp_smb-select-product_userChoiceSimple, tp_smb-select-product_userInfo, tp_smb-select-product_userInfoSimple, tp_top-banner, tp_popup-right-bottom

Chat live

__livechat, __lc2_cid, __lc2_cst, __lc_cid, __lc_cst, CASID

Youtube

VISITOR_INFO1_LIVE, YSC, LOGIN_INFO, PREF, CONSENT, __Secure-3PSID, __Secure-3PAPISID, __Secure-3PSIDCC

Cookie-uri de analiză și marketing

Cookie-urile de analiză ne permit să analizăm activitățile tale de pe site-ul nostru web a îmbunătăți și ajusta funcționalitatea site-ului.

Cookie-urile de marketing pot fi setate prin intermediul site-ului nostru web de către partenerii noștri publicitari pentru a crea un profilul intereselor tale și a-ți afișeze reclame relevante pe alte site-uri web.

Google Analytics, Google Tag Manager și Google Optimize

_gid, _gat, _gat_global, _ga, _gaexp

Google Ads și DoubleClick

NID, IDE, test_cookie, id, 1P_JAR

Facebook

fr, spin, xs, datr, c_user, sb, _fbp

Crazy Egg

_ce.s, _CEFT, _gid, cean, _fbp, ceac, _drip_client_9574608, cean_asoc

Hotjar

_hjKB, _fbp, ajs_user_id, _BEAMER_LAST_UPDATE_zeKLgqli17986, _hjid, _gcl_au, _ga, ajs_anonymous_id, _BEAMER_USER_ID_zeKLgqli17986, _hjAbsoluteSessionInProgress, _hjFirstSeen, _hjIncludedInPageviewSample, _hjTLDTest

Linkedin

lms_analytics, AnalyticsSyncHistory, _gcl_au, liap

TikTok

_ttp