Hi @Arne Bier , thanks for the feedback.

What in particular should I use for the authorization policy in ISE for me to have if user is connecting to this particular "AP-Group", then push the VLAN?

Thanks

I am not sure if you are just giving an example or really trying to have AP groups per floor on different VLANs.  I think that will be disastrous as you can't control client roaming that precisely.  It is completely possible on client on floor 3 will roam from a floor AP to a floor 2 AP back to a floor 3 AP as they walk around floor 3.  If you move the client onto a different VLAN when it hit an AP on floor 2 the client will most likely be stuck because it will have an IP from floor 3 and not know to refresh.

@paul , based on my understanding in your statement, it is much better to have the wireless in 1 VLAN?

I am just cautioning that you have to think of client roaming and not necessarily always roaming to an AP on the same floor.

hi @paul , actually there is a real life scenario there that i need to take into consideration.

so every time a client goes to different floor and have a different ap-group, ISE needs to send out CoA to grab a new IP in that ap-group.

You are talking about client physically walking from floor 1 to floor 2, but I am saying that is not how wireless works. Client could be walking on floor 2 and be roaming between APs on floor 1 and floor 2.  If those are mapped to different VLANs you are going to most likely disrupt the client's communication.  The client will not know to refresh their IP because there is no network adapter event.  The client is simply roaming on the same SSID.

I would test it in the lab before trying anything like this in productions.  Setup two APs each with different VLAN assignment and roam between the two and watch your client get stranded when it roams from one to the other.  I could be wrong, but I pretty sure you will see a disruption.

Hi Arne,

How is this configured on the WLAN and ISE? Is there documentation/examples available that you know of?

Thanks

Hi @gschmitt.ngit 

You're asking about the dynamic VLAN override on a Cisco WLC? The concept is that you return a VLAN name (string) instead of the VLAN number (numeric). On the WLC you always give an Interface a name. That WLC Interface Name string would be a valid string that ISE can return to the WLC during a RADIUS authentication. If your WLC is using Interface Groups, then put all your interfaces that you want/need into that Group, and tell ISE to return the Interface Group name string to the WLC during RADIUS auth.

below is an example from an AirOS WLC which has an Interface Group with a very creative name of "test".  That Group contains one VLAN at the moment - vlan 390, whose Interface is called 'dmz'.

In ISE I would return an Authorization profile that looks like this

You have to ensure that the WLC WLAN is configured to allow AAA Override.