I have 4 WRT54GS v4's running DD-WRT. They are all using the same SSID and are using RADIUS to authenticate. Everything is on the same subnet and is all working fine. I have recently installed a layer 3 switch and put the Cisco router that is the internet gateway on a different subnet. I have enabled VLAN routing so in effect the L3 switch is the central point of the network. I want to allow visitors and contractors to be able to use the WLAN to access the internet. If I create another VLAN on the L3 switch and attach the 4 WAP's to it, how can I make it so that company employees can be authenticated and allowed access to all subnets, but computers which fail radius authentication are allowed WLAN access but can only access the subnet that has the cisco router attached so they can get internet access. I assume that it will require VLAN trunking but never done anything like this before so not sure. Has anyone got any suggestions please? Obviously if I get this working a donation is due.... Thanks in advance...... ps L3 switch is a netgear if that helps at all. i can post a network diagram if needed to make it easier to visualise.