9.4.0

Roaming Between Networks


If access points are being deployed in an environment where multiple VLANs are desired for different AP groups that all share a single SSID, it is important to decide whether connected hosts should maintain their session and IP address when roaming among APs that use different VLANs. In addition to L2 roaming, ExtremeCloud/Aerohive also supports L3 Roaming. L3 Roaming allows clients to maintain their IP address in such situations by tunneling traffic from a roaming client back to the original network where the client first connected and received its address. Where session continuity is desired in a multi-VLAN environment, L3 roaming can be used. If session continuity can accommodate a quick interruption when roaming between different network boundaries, then L2 roaming is usually sufficient.

In order to configure L3 roaming, contact ExtremeCloud/Aerohive support for assistance. L3 roaming is not explicitly supported by FortiNAC at this time.

To configure L2 roaming in a multi-VLAN environment, do the following:

  1. Create separate hives per network (VLAN). When hosts connect to an AP in a different hive, the AP is forced to re-authenticate the host. The re-authentication process triggers FortiNAC to assign the new network, and the client receives a new IP in the process.

  2. Configure Network Access Policies to assign networks based on the AP to which the host is connecting.

    1. Create port groups that include the SSID models of all the APs that are members of that network.

    2. Create Policies where:

      If User/Host Profile Location = Network A port group, then assign Network A production network.

      If User/Host Profile Location = Network B port group, then assign Network B production network.

Workflow:

  1. Host connects to access point on Network A.

  2. Access point on Network A sends a RADIUS Access Request to FortiNAC.

  3. Network Access Policy for Network A matches.

  4. FortiNAC assigns Network A to session.

  5. Client receives IP from Network A.

  6. Host then roams to an access point on Network B.

  7. Since the access point on Network B is in a different hive, the AP in Network B sends a RADIUS Access Request to FortiNAC.

  8. Network Access Policy for Network B matches.

  9. FortiNAC assigns Network B to session.

  10. Client receives IP from Network B.
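The following Python model is an added illustration of the policy logic and workflow above; it is not code from Fortinet or from FortiNAC, and the AP, hive and port-group names are constructed. It also shows the configuration gap to check for: an AP that belongs to no port group matches no policy, so the host gets no network assignment from these rules.

```python
from dataclasses import dataclass


# Constructed sample topology (hypothetical names): one hive per VLAN, as the procedure requires.
@dataclass
class AccessPoint:
    name: str
    hive: str


APS = {
    "ap-a1": AccessPoint("ap-a1", "hive-A"),
    "ap-a2": AccessPoint("ap-a2", "hive-A"),
    "ap-b1": AccessPoint("ap-b1", "hive-B"),
    "ap-x1": AccessPoint("ap-x1", "hive-X"),  # deliberately left out of every port group
}

# Port groups: the APs that are members of each network (step 2.1).
PORT_GROUPS = {
    "Network A port group": {"ap-a1", "ap-a2"},
    "Network B port group": {"ap-b1"},
}

# Network Access Policies, evaluated in order (step 2.2): (Location port group, network to assign).
POLICIES = [
    ("Network A port group", "Network A"),
    ("Network B port group", "Network B"),
]


def match_policy(ap_name):
    """Return the network assigned by the first policy whose Location matches the AP, or None."""
    for port_group, network in POLICIES:
        if ap_name in PORT_GROUPS[port_group]:
            return network
    return None  # no policy matched: the AP is missing from every port group


def connect(ap_name):
    """Initial association: the AP sends a RADIUS Access-Request and the policy result is applied."""
    return {"ap": ap_name, "network": match_policy(ap_name), "reauth_count": 1}


def roam(session, new_ap):
    """Move the host to new_ap; only a hive change forces re-authentication and a fresh policy match."""
    if APS[new_ap].hive == APS[session["ap"]].hive:
        # Same hive: plain L2 roam, no new RADIUS Access-Request, session and IP are kept.
        return {**session, "ap": new_ap}
    # Different hive: re-authentication, new policy match, client receives an IP on the new network.
    return {"ap": new_ap, "network": match_policy(new_ap), "reauth_count": session["reauth_count"] + 1}
```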
