Configure Dynamic VLAN Assignment with ISE and embedded WLC

Mohamed BH
Level 1

We have an SDA environment with an embedded Cisco WLC. We are trying to configure dynamic VLAN assignment using ISE for wireless users: 1 SSID with Dot1x access and the VLAN assignment done by ISE. Is it possible to do that?

@DNAC @EmbeddedWLC @ISE

8 Replies

Dan Rowe
Cisco Employee

Yes, this is possible and is one of the main use cases for fabric-enabled wireless. Using RADIUS CoA through ISE, we can dynamically assign a VLAN and SGT to the client based on which authorization profile they hit from the appropriate ISE policy sets.

https://community.cisco.com/t5/networking-knowledge-base/cisco-ise-configuration-for-onboarding-hosts-in-cisco-sd-access/ta-p/4106696

Hi Dan Rowe,

Thanks a lot for your reply,

Is it possible to show me the steps to configure dynamic VLAN assignment?

I already did this configuration and I don't know why it didn't work:

On DNAC: 1 SSID with Dot1x, assigned to a VLAN + SGT

On ISE: authentication + authorization rule (AD group + AuthZ profile containing a VLAN that is not the same as the one configured on the SSID, + SGT)

=> The client connects and passes AuthC + AuthZ, and ISE pushes the new VLAN + new SGT (visible in the WLC Clients view), but the client can't get an IP address

=> Testing without dynamic VLAN worked for me (when configuring the same VLAN + SGT as the SSID)

Regards,

PabMar
Cisco Employee

Hi Mohamed,

This recorded video may help you with that: https://youtu.be/jpXgCy14dZ8

Goes over wireless fabric and a sample of how a corporate client can connect via 802.1X to the corp SSID.

Regards,

Pablo.

Hi PabMar, 

Thanks for your reply,

I already did that, and it worked for me in that scenario, but I need to make it dynamic. I configured 1 fabric SSID with a VLAN and an SGT (just as the first path for the user accessing the network; after authentication it should get the corresponding VLAN + SGT), and I configured policies on ISE to respond with different VLANs + SGTs for the different types of users, but it didn't work => the VLAN and the SGT are pushed to the WLC when the client connects, but with no IP address assignment.

PabMar
Cisco Employee

Hi Mohamed,

Not sure if I understood that right; however, it is not recommended to assign a different VLAN with a different subnet after AuthC, as the endpoint is unlikely to automatically refresh its IP address and get a new assignment from the new subnet.

If you have to do so, then consider having either a very short DHCP lease/refresh interval or the same IP subnet in the pre-auth and post-auth VLANs.

Let me know if that helps.

Regards,

Pablo.

Hi PabMar,

Our customer wants to have a single SSID for all the different employees (Finance, HR, admins) and a single Guest SSID. On the wired side it is simple to have that with Dot1x, unlike the wireless.

PabMar
Cisco Employee

That should be fine. On SD-Access you would want the same on the wired side as for the wireless.

How many clients are expected in that SSID in that particular site?

That seems like a micro-segmentation use case, where you place them all in a single VN (say Corp_VN) and use SGT tags to apply the necessary policies between groups - it's the same for wired.

Regards,

Pablo.

Thanks for your reply,

I solved that,

The issue was with the AuthZ profile on ISE: I was using the VLAN tag with its number rather than its name. After a debug on the WLC I realised that the L2 VNID on the WLC accepts only the VLAN name.

Thanks a lot for your time PabMar.

Regards,

MohamedBH
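The two pitfalls in this thread, the numeric VLAN ID in the AuthZ profile (accepted solution above) and PabMar's caveat about moving a client to a different subnet after authentication, can both be caught by checking the attribute set ISE returns before it is pushed. The script below is an added example written for this thread; it is not Cisco code and not the poster's configuration. The VLAN table, IP pools and Access-Accept attribute sets are constructed sample data, and the `cts:security-group-tag=<hex>-<gen>` AV-pair format used for the SGT decode is an assumption about how ISE encodes it.

```python
"""Sanity-check an ISE authorization result for SD-Access fabric wireless.

Added example for this thread (not Cisco's code). It models two failure modes:
  * Tunnel-Private-Group-ID carries a VLAN number instead of the VLAN name,
    so the embedded WLC cannot map it to an L2 VNID (the accepted solution);
  * the post-auth VLAN sits on a different subnet than the pre-auth VLAN,
    so the client keeps a stale DHCP lease (PabMar's caveat).
All VLAN names, IDs and pools below are constructed sample data.
"""
from ipaddress import ip_network

# Constructed VLAN table: fabric VLAN name (the label the WLC matches as the
# L2 VNID) -> (numeric VLAN ID, IP pool bound to that VLAN in DNA Center).
VLAN_TABLE = {
    "Corp_Users": (1021, ip_network("10.10.0.0/16")),
    "Admins":     (1023, ip_network("10.10.0.0/16")),  # same pool as Corp_Users
    "Finance":    (1022, ip_network("10.20.0.0/16")),  # different subnet
}

# RFC 2868 tunnel attributes every VLAN-assigning Access-Accept must carry.
REQUIRED_TUNNEL_ATTRS = {
    "Tunnel-Type": "VLAN",             # IETF value 13
    "Tunnel-Medium-Type": "IEEE-802",  # IETF value 6
}


def strip_tunnel_tag(value: str) -> str:
    """RFC 2868 string values may start with a one-byte tag (0x00-0x1F); drop it."""
    if value and ord(value[0]) < 0x20:
        return value[1:]
    return value


def sgt_from_av_pairs(av_pairs) -> "int | None":
    """Decode the SGT from a Cisco AV pair (assumed form cts:security-group-tag=<hex>-<gen>)."""
    for pair in av_pairs:
        if pair.startswith("cts:security-group-tag="):
            tag_hex = pair.split("=", 1)[1].split("-", 1)[0]
            return int(tag_hex, 16)
    return None


def check_authz_result(attrs: dict, pre_auth_vlan: str) -> list:
    """Return a list of findings for an Access-Accept attribute set.

    attrs: RADIUS attribute name -> value as ISE would return them.
    pre_auth_vlan: VLAN name configured on the SSID in DNA Center.
    An empty list means nothing in the thread's two failure modes applies.
    """
    findings = []

    for name, expected in REQUIRED_TUNNEL_ATTRS.items():
        got = attrs.get(name)
        if got is None:
            findings.append(f"missing {name}={expected}")
        elif strip_tunnel_tag(str(got)) != expected:
            findings.append(f"{name} is {got!r}, expected {expected!r}")

    raw = attrs.get("Tunnel-Private-Group-ID")
    if raw is None:
        findings.append("missing Tunnel-Private-Group-ID (no VLAN assigned)")
        return findings
    vlan = strip_tunnel_tag(str(raw))

    if vlan.isdigit():
        # Root cause from the thread: a number never matches an L2 VNID name.
        names = [n for n, (vid, _) in VLAN_TABLE.items() if vid == int(vlan)]
        hint = f"; use the name {names[0]!r}" if names else ""
        findings.append(f"Tunnel-Private-Group-ID {vlan!r} is a VLAN number; "
                        f"the fabric WLC expects the VLAN name{hint}")
        return findings

    if vlan not in VLAN_TABLE or pre_auth_vlan not in VLAN_TABLE:
        findings.append(f"VLAN {vlan!r} or {pre_auth_vlan!r} is not a fabric VLAN here")
        return findings

    # PabMar's caveat: a new subnet after auth leaves the client with a stale lease.
    pre_subnet, post_subnet = VLAN_TABLE[pre_auth_vlan][1], VLAN_TABLE[vlan][1]
    if pre_subnet != post_subnet:
        findings.append(f"post-auth VLAN {vlan!r} ({post_subnet}) is on a different "
                        f"subnet than pre-auth VLAN {pre_auth_vlan!r} ({pre_subnet}); "
                        f"client keeps its old lease until DHCP refresh")
    return findings


# Constructed Access-Accept attribute sets, as ISE might return them.
SAMPLE_RESULTS = {
    "numeric_id":   {"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "IEEE-802",
                     "Tunnel-Private-Group-ID": "1022"},
    "cross_subnet": {"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "IEEE-802",
                     "Tunnel-Private-Group-ID": "Finance"},
    "good":         {"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "IEEE-802",
                     "Tunnel-Private-Group-ID": "\x01Admins",
                     "cisco-av-pair": ["cts:security-group-tag=0005-00"]},
}

if __name__ == "__main__":
    for label, attrs in SAMPLE_RESULTS.items():
        print(label, "->", check_authz_result(attrs, "Corp_Users") or "ok",
              "SGT:", sgt_from_av_pairs(attrs.get("cisco-av-pair", [])))
```

Run against the `SAMPLE_RESULTS` with `Corp_Users` as the SSID's pre-auth VLAN, the numeric profile is flagged with the name it should have used, the `Finance` profile is flagged for the subnet change, and the `Admins` profile passes because it shares the pre-auth pool.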
