topic I went with using FlexConnect in Wireless

Dynamic VLAN Assignment with ap groups

Heinz Kern — Mon, 05 Jul 2021 11:48:16 GMT

Hello,

due to some circumstances i have to provide dynamic vlan assignment for one SSID. there are different user groups within this ssid and one particular group (users are part of a special windows domain) must be moved to special vlans. furthermore i want to keep the broadcast domains small (we are talking of 2000 people in a building with 8 floors). and last fact is that i use ap-groups because i have to provide several ssids in different areas. up to now (without dynamic assignment) i simply moved the ssid within each ap-group to a different vlan.

moreover i only get one attribute from the radius server for all users that have to use dynamic vlan assignemnt. so at the end: the radius server provides one attribute and this must be mapped on the controller to different vlans.

is there any "best" feature i can use for that.

i found these options:

use one VLAN for the whole ssid (no good design)
use an interface group which includes all possible interfaces and within all ap-groups i use this interface group as dedicated vlan.the name of the interface group is the one that i get from the radius server (disadvantage: it is not deterministic. that means today i have a subnet which is only used in the 1st floor, another one for 2nd floor etc. with an interface group i lose this clear dedication).

is there any other, better possibility?

br + thx

If your Radius server allows

B.Smeets — Mon, 21 Mar 2016 13:03:47 GMT

If your Radius server allows it, you could make an algorithm on it that issues a vlan number based on userid. We convert all characters in the userid to numbers and boil this down to a vlan number, so every user will always get the same vlan, regardless of the SSID or AP Group.

thanks for your answer.

Heinz Kern — Tue, 22 Mar 2016 08:20:30 GMT

thanks for your answer.

in our situation it doesn´t help us if one client always gets the same vlan, doesn´t matter where he is. every client within a special area (per floor) should get the same vlan. in another floor he should get a different one.

i know: in theory we could build up a database onm the radius server and dependent on the location the vlan is sent back. but this is a very complex solution i want to prevent. it is only "allowed" to solve the problem on WLC GUI/CLI 😉

nevertheless this is an interesting solution, maybe useful for other approaches. which radius server are you using?

We use Radiator. The

B.Smeets — Tue, 22 Mar 2016 08:42:49 GMT

We use Radiator. The algorithm I mentioned is written in Perl.

You could write a similar algorithm to issue vlan numbers based on the access point's MAC address instead of the userid. The wireless controllers report this MAC to the Radius server in authentication requests.

we use the same radius-server

Heinz Kern — Tue, 22 Mar 2016 08:47:52 GMT

we use the same radius-server.

as mentioned: this is too complex for us (due to lack of ressources). but i keep it in mind.

I went with using FlexConnect

jkalen83a — Wed, 30 Mar 2016 13:37:05 GMT

I went with using FlexConnect and aaa-override. Then our radius-server (NPS on Win2012r2) sends back the VLAN depending on which Active Directory group the user is located in. Works like a charm!

Example:

VLAN100 - Regular clients

VLAN200 - Special clients

SSID - CompanyX

Alice is a regular client and Bob is a special client.

Alice walks into the office and connects to SSID CompanyX, the radius-server checks the active directory and sees that Alice is a regular client due to the AD-group she belongs to and sends back vlan100 as a response and Alice gets to join vlan100. Later Bob walks into the office and also connects to SSID CompanyX, the radius-server sees that Bob is in the special AD-group and sends back vlan200. Bob gets put on vlan200.