https://community.cisco.com/t5/network-access-control/ise-and-vlan-assignment/m-p/3402425#M548280 <P>Hi</P> <P>We have a WiSM2 (ver 8.2.167.6) providing an 802.1x wireless profile to staff and students.&nbsp; RADIUS is in the form of ISE (ver 2.3.0.298) that uses MS Active Directory as the database.&nbsp; Depending on which AD group a client belongs to will determine which VLAN Tag ISE sends to the WLC, and therefore which VLAN the wireless users is assiged to.&nbsp; This setup works fine.</P> <P>&nbsp;</P> <P>Problem I have is that on a particular busy day (hosting a staff conference) we ran out of IP addresses on the Staff VLAN so new users could authenticate to ISE but were unable to get on the network.&nbsp;</P> <P>&nbsp;</P> <P>The simplest workaround is just to increase the size of the DHCP scope, however I am reluctant to create a very large subnet.&nbsp; The only other way I can thing of is to create new AD groups, splitting staff into the groups and getting ISE to use different VLAN tags for each AD group.&nbsp; However we have a lot of staff and the administrative overhead for this approach will not be welcomed by the Server team.</P> <P>&nbsp;</P> <P>Is there any other way I can split staff onto more than one VLAN using the ISE?</P> Fri, 21 Feb 2020 18:58:57 GMT terrywatson651 2020-02-21T18:58:57Z https://community.cisco.com/t5/network-access-control/ise-and-vlan-assignment/m-p/3402425#M548280 <P>Hi</P> <P>We have a WiSM2 (ver 8.2.167.6) providing an 802.1x wireless profile to staff and students.&nbsp; RADIUS is in the form of ISE (ver 2.3.0.298) that uses MS Active Directory as the database.&nbsp; Depending on which AD group a client belongs to will determine which VLAN Tag ISE sends to the WLC, and therefore which VLAN the wireless users is assiged to.&nbsp; This setup works fine.</P> <P>&nbsp;</P> <P>Problem I have is that on a particular busy day (hosting a staff conference) we ran out of IP addresses on the Staff VLAN so new users could authenticate to ISE but were unable to get on the network.&nbsp;</P> <P>&nbsp;</P> <P>The simplest workaround is just to increase the size of the DHCP scope, however I am reluctant to create a very large subnet.&nbsp; The only other way I can thing of is to create new AD groups, splitting staff into the groups and getting ISE to use different VLAN tags for each AD group.&nbsp; However we have a lot of staff and the administrative overhead for this approach will not be welcomed by the Server team.</P> <P>&nbsp;</P> <P>Is there any other way I can split staff onto more than one VLAN using the ISE?</P> Fri, 21 Feb 2020 18:58:57 GMT https://community.cisco.com/t5/network-access-control/ise-and-vlan-assignment/m-p/3402425#M548280 terrywatson651 2020-02-21T18:58:57Z https://community.cisco.com/t5/network-access-control/ise-and-vlan-assignment/m-p/3403377#M548281 <P>Use interface groups at the WiSM, then use the Airespace-Interface-Name attribute to tell the WLC which interface-group name to use, rather than the VLAN.</P> <P>&nbsp;</P> <P>Using interface-groups, the WLC will choose which VLAN to put the client on based on which interfaces are in the interface-group.&nbsp; You could have up-to 64 interfaces in an interface-group at the WiSM2, so if you don't like large subnets you could create up-to 64 /24 subnets (they can be bigger or smaller though) and add them to one interface-group, then attach that to the WLAN.</P> Thu, 21 Jun 2018 14:32:49 GMT https://community.cisco.com/t5/network-access-control/ise-and-vlan-assignment/m-p/3403377#M548281 craig.beck 2018-06-21T14:32:49Z https://community.cisco.com/t5/network-access-control/ise-and-vlan-assignment/m-p/3407045#M548282 <P>Hi</P> <P>Sorry for the delayed response, been on holiday.&nbsp; Yes this has proved to be the solution, so thank you for taking the tine to respond.</P> <P>Regards</P> <P>&nbsp;</P> <P>Terry</P> Thu, 28 Jun 2018 07:46:41 GMT https://community.cisco.com/t5/network-access-control/ise-and-vlan-assignment/m-p/3407045#M548282 terrywatson651 2018-06-28T07:46:41Z