We want to migrate from an existing WLAN solution to one managed by our UTM 9.4. We are happy with the migration of the "Guest" network (web-based / ticket authentication), but struggle with the privileged WLAN for internal users.
Old situation: the default net is VLAN 10, APs are in VLAN 79 ("switchport access vlan 79" in our Cisco switches), a Cisco WLC acts as RADIUS and checks against AD, authenticated users end up in VLAN 71 and obtain their IP from a DHCP server (sitting in VLAN 10, but routable into VLAN 71).
For the migration, we simplified the setup, namely we simply put our new APs into VLAN 10 so that they are visible to the UTM (which is only in VLAN 10).
We get as far as RADIUS authentication, but apparently do not end up in VLAN 71 the way we wish (clients get a 169.*.*.* IP, apparently because they do not see the DHCP). We tried to work with "switchport trunk allowed vlan 10,70,71,79" and "switchport mode trunk" for the switch port of the AP, and set the AP to VLAN 10 and the WLAN to VLAN 71 in the UTM. But it seems that does not work. These attempts are based on the assumption that the clients are visible with their VLAN 71 at the switch port of the AP.
Could it be that these assumptions are wrong and that I must have the UTM in both VLAN 10 and 71 (on a trunk port) for this setup to work?
EDIT: Meanwhile I changed the eth0 interface to a VLAN interface (in VLAN 10), added a VLAN 71 interface to eth0, and changed its switch port to trunk. This does not help with the WLAN clients, however. They still do not get a DHCP address. Instead, I observed another strange problem: the UTM does get an IP from the existing DHCP server on VLAN 71. But it does so incorrectly: the DHCP server hands out leases with a /24 netmask, but the UTM sets the interface to a /23 netmask. (I suspect that this is because the "main" interface has a static /23 address in VLAN 10, but the totally different interface on a totally different LAN should have its own netmask, shouldn't it?)
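An added example, not from the original post, of the switch-side configuration behind the question: the AP trunk as the post describes it next to the same port with its native VLAN pinned, the UTM-facing trunk once eth0 carries tagged VLAN 10 and VLAN 71 interfaces, and the show commands that reveal which VLANs are actually in effect. Interface names are hypothetical, and the native-VLAN line rests on an assumption the post does not confirm: that the AP sends its own management traffic untagged and tags client frames with the WLAN's VLAN (71).

```cisco
! Added example; interface names and the native-VLAN assumption are hypothetical.
! Assumes the AP sends its management traffic untagged and tags client frames
! with VLAN 71. Compare the two AP port definitions below.
!
! --- AP port as tried in the post: trunk without an explicit native VLAN ---
! Untagged frames on a Cisco trunk belong to the native VLAN, which defaults to 1.
! An AP that sends its management traffic untagged therefore lands in VLAN 1,
! not VLAN 10, and never reaches a UTM that lives only in VLAN 10.
interface GigabitEthernet1/0/5
 description AP (configuration as described in the post)
 switchport mode trunk
 switchport trunk allowed vlan 10,70,71,79
!
! --- Same AP port with the native VLAN set to the AP's management VLAN ---
! Untagged AP traffic -> VLAN 10; client frames tagged 71 stay in VLAN 71.
interface GigabitEthernet1/0/5
 description AP: untagged management in VLAN 10, clients tagged in VLAN 71
 switchport mode trunk
 switchport trunk native vlan 10
 switchport trunk allowed vlan 10,71
!
! --- UTM port: eth0 has a VLAN 10 interface and a VLAN 71 interface, so both
! VLANs must reach the UTM tagged; no native VLAN is needed on this trunk ---
interface GigabitEthernet1/0/1
 description UTM eth0 (VLAN 10 and VLAN 71 tagged)
 switchport mode trunk
 switchport trunk allowed vlan 10,71
!
! --- Verification (run from privileged EXEC, not config mode) ---
! Shows the native VLAN, the allowed VLANs and the VLANs actually forwarding
! on each trunk; VLAN 71 must appear in the "active" line of both ports.
! show interfaces GigabitEthernet1/0/5 trunk
! show interfaces GigabitEthernet1/0/1 trunk
! Confirms that VLAN 10 and VLAN 71 exist on this switch at all.
! show vlan brief
```

If the AP is instead configured on the UTM to tag its own management traffic with VLAN 10, the `switchport trunk native vlan 10` line is not the missing piece, and the place to look is the path from VLAN 71 on the AP port to a DHCP server or relay: a 169.254.x.x address on a client means its DHCP discover never got an answer, so the first check is whether that discover leaves the AP port tagged 71 and whether anything in VLAN 71 (a server, or a relay pointing at the VLAN 10 server) can see it.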