topic Re: EAP type-based dynamic VLAN assignment for wireless client in Wireless

EAP type-based dynamic VLAN assignment for wireless client

Roman Yu — Fri, 20 Dec 2024 19:09:11 GMT

Hello everyone. I want to place a wireless user in one VLAN or another, depending on the type of authentication, EAP-TLS or PEAP. How do I do this in the wireless part of the network?

Re: EAP type-based dynamic VLAN assignment for wireless client

Flavio Miranda — Fri, 20 Dec 2024 19:27:31 GMT

@Roman Yu

On the WLC the only configurarion required is "AAA overide" on the WLAN. And create the appropriate vlans. All the rest is Radius job.

https://www.cisco.com/c/en/us/support/docs/wireless-mobility/wlan-security/217043-configure-dynamic-vlan-assignment-with-c.html

Re: EAP type-based dynamic VLAN assignment for wireless client

MHM Cisco World — Fri, 20 Dec 2024 19:51:44 GMT

You use ISE?

MHM

Re: EAP type-based dynamic VLAN assignment for wireless client

Roman Yu — Fri, 20 Dec 2024 21:04:38 GMT

Thank you Flavio!

But what interface or group of interfaces should I assign to this WLAN?

And why should we assign a specific VLAN?

Re: EAP type-based dynamic VLAN assignment for wireless client

Roman Yu — Fri, 20 Dec 2024 21:05:39 GMT

Yes, we do.

Re: EAP type-based dynamic VLAN assignment for wireless client

Flavio Miranda — Fri, 20 Dec 2024 21:21:26 GMT

The WLC needs to know which vlan it will put the client.

"Step 2. Configure the VLANs

This procedure explains how to configure VLANs on the Catalyst 9800 WLC. As explained earlier in this document, the VLAN ID specified under the Tunnel-Private-Group ID attribute of the RADIUS server must also exist in the WLC.

In the example, the user smith-102 is specified with the Tunnel-Private-Group ID of 102 (VLAN =102) on the RADIUS server."

Re: EAP type-based dynamic VLAN assignment for wireless client

MHM Cisco World — Fri, 20 Dec 2024 21:23:14 GMT

Then add two policy set one for eap-tls and other for peap.

In these policy set use allow protocol to set eap-tls or peap.

In authc and authz condition use match eap-tls or peap.

In authz use authz policy accept set attribute vlan value.

this example below how you can use PEAP as condition in authc and authz

https://sendthepayload.com/configuring-an-802-1x-wired-policy-using-peap-mschapv2-wo-mar/

MHM

Re: EAP type-based dynamic VLAN assignment for wireless client

Roman Yu — Sat, 21 Dec 2024 16:01:00 GMT

Colleagues, you were right. I've created profiles, policies, and etc. Assigned an interface group to the test WLAN. Everything works! It distributes clients to the required VLANs depending on EAP-TLS or PEAP. I like it!

Re: EAP type-based dynamic VLAN assignment for wireless client

MHM Cisco World — Sat, 21 Dec 2024 16:06:41 GMT

Did you match condition as I suggest?

MHM

Re: EAP type-based dynamic VLAN assignment for wireless client

Roman Yu — Sat, 21 Dec 2024 16:20:04 GMT

On the test laptop, I found that it had fallen off the Active Directory domain and cannot pass machine authentication. But if I disable the machine's domain membership in the Authorization Policy, then this problematic laptop successfully connects to the network. I thought that EAP-TLS requires checking the machine first, then the user, and there is no way to change this protocol behavior.

Re: EAP type-based dynamic VLAN assignment for wireless client

Roman Yu — Sat, 21 Dec 2024 16:20:40 GMT

Yes, exactly.

Re: EAP type-based dynamic VLAN assignment for wireless client

JPavonM — Mon, 23 Dec 2024 10:56:46 GMT

EAP-TLS authenticates whatever you setup oin the wireless profile.

For Windows, by default, it is machine authentication only, but if you change it to User OR Machine it will do Machine cert first on the login screen, and then it will re-authenitcate using the User cert after successful log in.