Hi

clark white · ‎02-17-2017

Dears,

I have configured 8021.X with dynamic vlan assignment for corporate wireless users in ISE 2.0 patch 4, I have 2 separate policy one for machine authentication and another for user authentication. so lets say i have a SSID in WLC named as corporate and a interface assigned to it is vlan 2, whenever a user login into the windows 10 he will get the appropriate vlan (for example: vlan10) according to the group user is in AD becz i have called AD groups in authorization rule,

Question:

how the logs should be seen ISE, i should see the logs twice one for the windows machine assigned a ip address from vlan 2 and when the user login he will be assigned vlan 10 with appropriate ip address. ???

Most of the times the user login instead of vlan 10 ip address he gets an ip address from vlan 2 the default interface on ssid but when i see the windows pc (client) state in the WLC the vlan assigned to is vlan 10.

so i am confused where things are going wrong,

any body can route me to configuration example of wireless 802.1X dynamic vlan assignment.

Francesco Molino · ‎02-17-2017

Hi

To authenticate machine and user you can use MAR or EAP chaining. Take a look on this Cisco Live presentation:

http://d2zmdbbm9feqrf.cloudfront.net/2015/usa/pdf/BRKSEC-3697.pdf

To assign a vlan to user, as I understand you're using central switching deployment, you need to:

Create an virtual interface on your wlc for each vlan
Push the radius attribute Airespace:Airespace-Interface-Name by specifying the exact interface name to your user

If you want keeping using the layer 2 vlan id them you need to use flexconnect deployment.

Thanks

PS: Please don't forget to rate and mark as correct answer if this answered your question

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

802.1X Wireless dynamic vlan assignment