Scenario
I have an environment with several hundred wireless devices. I am trying to break down a fairly large network into several VLANs. There are wireless devices in carts (groups of 30) that I would like to have in their own private VLANs. It seems that MAC-based assignment would be the logical approach.
Question
How can I accomplish MAC-based VLAN assignment for wireless devices?
Information
- I have some experience with VLANs and subnetting, but I'm not as familiar with RADIUS, GVRP, or similar technologies.
- We are a Meraki shop for APs
- We run HP 2510 switches
Research
Meraki Documentation (including some RADIUS stuff)
Meraki VLAN Tagging Documentation
From the latter link (specifically regarding user-based assignment), I found this information, which may be helpful, but I do need MAC-based assignment and not user-based.
The RADIUS server returns a group policy attribute (e.g., Filter-ID) in the Access-Accept message. The group policy attribute specifies a group policy that should be applied to the wireless user, overriding the policy configured on the SSID itself. If the group policy includes a VLAN ID, the group policy’s VLAN ID will be applied to the user.
Other Information
If any important details were left out, please comment and let me know. I'll add any information needed promptly. Thank you!
Answer
I wound up realizing that MAC-based VLANs aren't really what I wanted, and that Group-based VLANs are actually much more flexible. From here on out, the information will regard accomplishing VLAN assignment based on group membership.
Bench Test
I followed this really great guide published by Meraki. It is 99% generic so if you're not a Meraki shop don't worry. There were just 2-3 settings to change in the Meraki and you can probably translate that into your system easily enough.
Result
Following the guide and then expanding a little, I wound up with three network policies. There is a VLAN 400 Policy which injects the VLANID 400 into the RADIUS-ACCEPT packet, and there's a VLAN 500 Policy which works the same way. There is also a required default policy of sorts (explained in the guide). Each of these policies has a "Conditions" list, and that is where you assign that policy to a group. Just stick your computers in that group and they'll be good to go.
Now when I connect these two laptops to the network, one lands on the 400 VLAN and gets a 4.x address, and the other lands on the 500 VLAN and gets a 5.x address. These assignments can be changed as easily as group membership.
I believe this will be a pretty robust solution for us moving forward. Note to the reader: this is a complex solution, so while the manageability is nice, be sure it's something you'll need and use before introducing several new layers of complexity into your environment.
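The quoted Meraki text and the answer both hinge on what the RADIUS server puts in the Access-Accept: a group-policy attribute (Filter-ID) and/or the RFC 2868 tunnel attributes that carry a VLAN ID. The following is an added example, not code from the question, the answer, Meraki or Microsoft NPS. It builds an Access-Accept for VLAN 400 with the standard attributes (Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802, Tunnel-Private-Group-ID="400") plus a Filter-ID, computes the Response Authenticator over the shared secret, and then parses a packet back out, refusing to honor the VLAN if the authenticator does not verify. The shared secret, the request authenticator bytes and the group-policy name "vlan400" are constructed placeholders, not values from the page.

```python
"""Build and validate a RADIUS Access-Accept that assigns a VLAN (RFC 2865/2868)."""
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
FILTER_ID = 11                    # Filter-ID: the "group policy" attribute the Meraki text mentions
TUNNEL_TYPE = 64                  # RFC 2868 tagged integer, value 13 = VLAN
TUNNEL_MEDIUM_TYPE = 65           # RFC 2868 tagged integer, value 6 = IEEE-802
TUNNEL_PRIVATE_GROUP_ID = 81      # RFC 2868 tagged string carrying the VLAN ID as text
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE802 = 6


def _tlv(attr_type, value):
    """Encode one RADIUS attribute: Type(1) Length(1) Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def _tagged_int(tag, value):
    """RFC 2868 tagged integer: one tag byte followed by a 3-byte value."""
    return struct.pack("!B", tag) + value.to_bytes(3, "big")


def build_access_accept(identifier, request_authenticator, secret, vlan_id, group_policy=None):
    """Return a complete Access-Accept packet assigning vlan_id (and optionally a Filter-ID)."""
    attrs = b"".join([
        _tlv(TUNNEL_TYPE, _tagged_int(0, TUNNEL_TYPE_VLAN)),
        _tlv(TUNNEL_MEDIUM_TYPE, _tagged_int(0, TUNNEL_MEDIUM_IEEE802)),
        _tlv(TUNNEL_PRIVATE_GROUP_ID, b"\x00" + str(vlan_id).encode()),
    ])
    if group_policy:
        attrs += _tlv(FILTER_ID, group_policy.encode())
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attrs))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    resp_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(packet, request_authenticator, secret):
    """True only if the Response Authenticator matches under the shared secret."""
    if len(packet) < 20:
        return False
    length = struct.unpack("!H", packet[2:4])[0]
    if length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def parse_attributes(packet):
    """Yield (type, value) pairs, rejecting malformed lengths instead of reading past the end."""
    pos, attrs = 20, []
    while pos < len(packet):
        t, l = struct.unpack("!BB", packet[pos:pos + 2])
        if l < 2 or pos + l > len(packet):
            raise ValueError("malformed attribute length")
        attrs.append((t, packet[pos + 2:pos + l]))
        pos += l
    return attrs


def _strip_tag(value):
    """RFC 2868: a leading byte <= 0x1F is a tag; anything larger is part of the value."""
    return value[1:] if value and value[0] <= 0x1F else value


def vlan_from_accept(packet, request_authenticator, secret):
    """Extract the VLAN and group policy, but only from an authenticated Access-Accept."""
    if not verify_response(packet, request_authenticator, secret):
        raise ValueError("Response Authenticator check failed; do not apply VLAN")
    if packet[0] != ACCESS_ACCEPT:
        return None
    found = {}
    for t, v in parse_attributes(packet):
        if t in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            found[t] = int.from_bytes(_strip_tag(v), "big")
        elif t == TUNNEL_PRIVATE_GROUP_ID:
            found[t] = _strip_tag(v).decode()
        elif t == FILTER_ID:
            found[t] = v.decode()
    # All three tunnel attributes must agree before the VLAN ID is trusted
    vlan = None
    if (found.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
            and found.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE802
            and TUNNEL_PRIVATE_GROUP_ID in found):
        vlan = int(found[TUNNEL_PRIVATE_GROUP_ID])
    return {"vlan": vlan, "group_policy": found.get(FILTER_ID)}


if __name__ == "__main__":
    # Constructed values: the secret and request authenticator are placeholders
    secret = b"constructed-shared-secret"
    req_auth = bytes(range(16))
    pkt = build_access_accept(7, req_auth, secret, 400, group_policy="vlan400")
    print(vlan_from_accept(pkt, req_auth, secret))
```

The parser deliberately refuses to apply the VLAN when the authenticator fails, which is the check an AP or switch performs with its shared secret; when debugging why a client lands on the wrong VLAN, capturing the Access-Accept and decoding these four attributes is usually the fastest way to see whether the policy conditions matched.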