Rockwell Automation 1783-WAPxxx Stratix 5100 Wireless Access Point User Manual


Rockwell Automation Publication 1783-UM006A-EN-P - May 2014, page 295

Chapter 8: Configuring Multiple SSIDs

WLANs need to be protected from security threats such as viruses, worms, and
spyware. Both the NAC Appliance and the NAC Framework provide security
threat protection for WLANs by enforcing device security policy compliance
when WLAN clients attempt to access the network. These solutions quarantine
non-compliant WLAN clients and provide remediation services to verify
compliance.

A client is placed, based on its health (software version, virus version, and so
on), on a separate VLAN that is specified to download the software needed to
upgrade the client to the versions required to access the network. Four VLANs
are specified for NAC support: one is the normal VLAN, where clients with the
correct software versions are placed.

The other VLANs are reserved for specific quarantine actions, and all infected
clients are placed on one of these VLANs until the client is upgraded.

Each SSID can have up to three additional VLANs configured as “unhealthy”
VLANs. Infected clients are placed on one of these VLANs based on how the
client is infected. When a client sends an association request, it includes its
infected status in the request to the RADIUS server. The policy to place the
client on a specific VLAN is provisioned on the RADIUS server.

When an infected client associates with an access point and sends its state to the
RADIUS server, the RADIUS server puts it into one of the quarantine VLANs
based on its health. This VLAN is sent in the RADIUS server Access Accept
response during the dot1x client authentication process. If the client is healthy
and NAC compliant, the RADIUS server returns a normal VLAN assignment
for the SSID and the client is placed in the correct VLAN and BSSID.

Each SSID is assigned a normal VLAN, that is, the VLAN where healthy clients
are placed. You can configure the SSID to have up to three backup VLANs that
correspond to the quarantine VLANs; clients are placed on them based on their
state of health. These VLANs for the SSID use the same BSSID as assigned by
the MBSSID for the SSID.

The configured VLANs must be distinct and cannot overlap within an SSID. A
given VLAN can therefore be specified only once and cannot be part of two
different SSIDs on the same interface.
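The VLAN rules in this section (one normal VLAN plus up to three quarantine VLANs per SSID, no VLAN repeated within an SSID or shared between SSIDs on one interface) and the VLAN assignment carried in the RADIUS Access Accept, as an added Python example that is not from the manual or the access point's firmware. The tunnel attribute names and values are the standard RFC 2868 / RFC 3580 ones; the SSID names, VLAN numbers and the refusal of a VLAN the SSID is not provisioned for are this example's assumptions.

```python
from dataclasses import dataclass, field

# RADIUS tunnel attribute values that carry a VLAN in an Access-Accept
# (RFC 2868 / RFC 3580): Tunnel-Type=VLAN(13), Tunnel-Medium-Type=IEEE-802(6).
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_802 = 6

@dataclass
class SsidConfig:
    name: str
    normal_vlan: int                       # where healthy, NAC-compliant clients go
    quarantine_vlans: list = field(default_factory=list)  # up to three backup VLANs
    def all_vlans(self):
        return [self.normal_vlan, *self.quarantine_vlans]

def validate_interface(ssids):
    """Check one radio interface's SSIDs against the rules in the text; returns
    a list of violations (empty when the configuration is valid)."""
    problems, owner = [], {}
    for s in ssids:
        if len(s.quarantine_vlans) > 3:
            problems.append(f"{s.name}: more than three quarantine VLANs")
        vlans = s.all_vlans()
        if len(set(vlans)) != len(vlans):
            problems.append(f"{s.name}: VLAN repeated within the SSID")
        for v in set(vlans):
            if v in owner and owner[v] != s.name:
                problems.append(f"VLAN {v} used by both {owner[v]} and {s.name}")
            owner.setdefault(v, s.name)
    return problems

def vlan_from_access_accept(attrs):
    """Return the VLAN an Access-Accept carries (attrs maps attribute name to
    value), or None when the tunnel attributes do not describe an 802 VLAN."""
    if (attrs.get("Tunnel-Type") != TUNNEL_TYPE_VLAN
            or attrs.get("Tunnel-Medium-Type") != TUNNEL_MEDIUM_802):
        return None
    gid = str(attrs.get("Tunnel-Private-Group-ID", ""))
    return int(gid) if gid.isdigit() else None

def place_client(ssid, attrs):
    """Map a client's Access-Accept on `ssid` to (vlan, state). Refusing an
    unprovisioned VLAN is this example's assumption, not the manual's statement."""
    vlan = vlan_from_access_accept(attrs)
    if vlan == ssid.normal_vlan:
        return vlan, "healthy"
    if vlan in ssid.quarantine_vlans:
        return vlan, "quarantine"
    raise ValueError(f"Access-Accept VLAN {vlan} is not provisioned for {ssid.name}")
```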

Quarantine VLANs are automatically configured under the interface where the
normal VLAN is configured. A quarantine VLAN inherits the same encryption
properties as the normal VLAN: the VLANs have the same key/authentication
type, and the keys for the quarantine VLANs are derived automatically.

Dot11 sub-interfaces are generated and configured automatically along with the
dot1q encapsulation VLAN (equal in number to the configured VLANs). The
sub-interfaces on the wired side are also configured automatically along with the
bridge-group configurations under the FastEthernet0 sub-interface.
