Isolate clients in specific VLAN only in a mix of default & RADIUS assigned VLANs

Hello

I have an SSID configured with EAP, and the RADIUS server dictates which VLAN each client goes to. In the datapath (traffic-processing=on-cap), by default, I assign VLAN 3 (in case the RADIUS server doesn't set the VLAN in its response packet, it always acts as a fallback). That's also the VLAN in which I want to isolate clients.

As far as I know, client isolation isolates all clients connected to the same radio interface (not wanted, since I want clients connected in VLAN 2, for example, to see each other), so I think I need to use bridge horizons instead.

Now here's the question: How can I ensure that the horizon is applied to all VLAN 3 clients, regardless of whether they have been assigned by RADIUS or by default? Is there any way to do it under CAPsMAN?

My logic tells me that the way I can accomplish this is by creating a VLAN interface in each AP, assigning it as a port to the bridge where the wifi ports are also assigned, and setting the horizon there, but I was wondering how other people solved this same issue (in case it was attempted before) and if there's a better way fully through CAPsMAN instead of per-device.

Thank you very much in advance.