Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
479
Views
3
Helpful
3
Replies

Just looking for good documentation to learn about VLAN Assignment.

Go to solution
jmilay
Level 1
Level 1

‎04-18-2018 11:17 AM

Can someone lead me to good articles in relation to understanding/configuring VLAN assignment?  i.e. one SSID assigning vlan based on AD group and/or network location?

1 Accepted Solution

Accepted Solutions

Go to solution
paul
Level 10
Level 10

‎04-18-2018 12:52 PM

Not sure if you will find specific documentation on this, but the only thing you need to add to your authorization profiles is a VLAN assignment.  Then the rest is just crafting your authorization rules to apply the correct authorization profile that has the VLAN you want assigned.

If you are doing centralized wireless, i.e. not FlexConnect, as long as the WLC has an interface on the VLAN assigned from ISE the user will get moved to that VLAN. 

In FlexConnect it gets a bit tricker.  If the VLAN is in use by another SSID then there is no problem assigning the VLAN to a FlexConnect client.  If the VLAN isn't used by any WLAN then you first have to "push" the VLAN information out the the FlexConnect AP.  The way I have done that in the past is using the AAA VLAN-ACL mapping tab in your FlexConnect group.  Add whatever VLANs you need there and assign "none" as the ingress and egress ACL.  That will make the AP aware of the VLAN and allow the VLAN assignment in ISE to work.

View solution in original post

3 Replies 3

Go to solution
paul
Level 10
Level 10

‎04-18-2018 12:52 PM

Not sure if you will find specific documentation on this, but the only thing you need to add to your authorization profiles is a VLAN assignment.  Then the rest is just crafting your authorization rules to apply the correct authorization profile that has the VLAN you want assigned.

If you are doing centralized wireless, i.e. not FlexConnect, as long as the WLC has an interface on the VLAN assigned from ISE the user will get moved to that VLAN. 

In FlexConnect it gets a bit tricker.  If the VLAN is in use by another SSID then there is no problem assigning the VLAN to a FlexConnect client.  If the VLAN isn't used by any WLAN then you first have to "push" the VLAN information out the the FlexConnect AP.  The way I have done that in the past is using the AAA VLAN-ACL mapping tab in your FlexConnect group.  Add whatever VLANs you need there and assign "none" as the ingress and egress ACL.  That will make the AP aware of the VLAN and allow the VLAN assignment in ISE to work.

Go to solution
jmilay
Level 1
Level 1
In response to paul

‎04-19-2018 06:10 AM

Thank you for the information.  This will definitely get me headed in the right direction.

0 Helpful

Go to solution
Nidhi
Cisco Employee
Cisco Employee

‎04-19-2018 04:32 AM

ISE Config guide should help you with how to create authorization profile with VLAN based assignment

Customers Also Viewed These Support Documents