Showing results for 
Search instead for 
Did you mean: 

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.


802.1x and wired dynamic vlans on MAC addresses

Hi All,

I would like to setup our new offices with dynamic vlans determined by the MAC address of the device connecting. So I need a database of MAC addresses in groups for which vlan they will go in, with separate vlans for printers and servers and computers and BYOD. If this can work for wireless too then even better.

I've done some reading but am really struggling to find the information I need.

We have a Windows domain and brand new 3850 Cisco switches.


Can anyone steer me in the right direction (or tell me how to do it!) please?


Thanks for reading.



So you need to perform MAB authentication. As you mentioned, you will need to create a DB of MAC entries.

In order to configure the Windows server (2003 or 2008?) to assign the dynamic VLAN you need to define the Remote Access Policies and create the custom attributes. For example:

  1. Tunnel-Medium-Type. Select a value appropriate to the previous selections you have made for the policy. For example, if the network policy you are configuring is a wireless policy, select Value: 802 (Includes all 802 media plus Ethernet canonical format).
  2. Tunnel-Pvt-Group-ID. Enter the integer that represents the VLAN number to which group members will be assigned. 
  3. Tunnel-Type. Select Virtual LANs (VLAN).

You can find more information here:

Configure a Network Policy for VLANs

VLAN Attributes Used in Network Policy

802.1X Authentication Services Configuration Guide, Cisco IOS XE Release 3SE (Catalyst 3850 Switches)







Thanks Javier, nice answer.


Will try it out soon, want to use it in our new offices in December and then roll it out across our 9 sites. 





Sounds like a plan my friend.

Glad to help.

Recognize Your Peers
Content for Community-Ad

ISE Webinars

Miss a previous ISE webinar?
Never miss one again!

CiscoISE on YouTube