06-20-2018 12:30 AM - edited 02-21-2020 10:58 AM
Hi
We have a WiSM2 (ver 8.2.167.6) providing an 802.1x wireless profile to staff and students. RADIUS is in the form of ISE (ver 2.3.0.298) that uses MS Active Directory as the database. Depending on which AD group a client belongs to will determine which VLAN Tag ISE sends to the WLC, and therefore which VLAN the wireless user is assigned to. This setup works fine.
Problem I have is that on a particular busy day (hosting a staff conference) we ran out of IP addresses on the Staff VLAN so new users could authenticate to ISE but were unable to get on the network.
The simplest workaround is just to increase the size of the DHCP scope, however I am reluctant to create a very large subnet. The only other way I can think of is to create new AD groups, splitting staff into the groups and getting ISE to use different VLAN tags for each AD group. However we have a lot of staff and the administrative overhead for this approach will not be welcomed by the Server team.
Is there any other way I can split staff onto more than one VLAN using the ISE?
06-21-2018 07:32 AM
Use interface groups at the WiSM, then use the Airespace-Interface-Name attribute to tell the WLC which interface-group name to use, rather than the VLAN.
Using interface-groups, the WLC will choose which VLAN to put the client on based on which interfaces are in the interface-group. You could have up to 64 interfaces in an interface-group at the WiSM2, so if you don't like large subnets you could create up to 64 /24 subnets (they can be bigger or smaller though) and add them to one interface-group, then attach that to the WLAN.
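The interface-group setup described in the reply above, sketched as AireOS CLI (an added example, not part of the original thread). The group name `staff-group`, the dynamic interface names `staff-v110` to `staff-v112` and WLAN ID `1` are assumptions, and the dynamic interfaces are assumed to exist already, each with its own VLAN and DHCP scope; lines starting with `#` are annotations, not commands.

```text
# Create the interface group (name and description are assumed values)
config interface group create staff-group "Staff VLAN pool"

# Add the existing dynamic interfaces (assumed names) to the group
config interface group interface add staff-group staff-v110
config interface group interface add staff-group staff-v111
config interface group interface add staff-group staff-v112

# The WLAN must be disabled while its interface and AAA settings change
config wlan disable 1

# Attach the group to the WLAN and let RADIUS attributes override it
config wlan interface 1 staff-group
config wlan aaa-override enable 1

config wlan enable 1

# Verify group membership
show interface group detailed staff-group
```

On the ISE side, the authorization profile for staff would then return `Airespace-Interface-Name` set to `staff-group` in place of the VLAN tag.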
06-28-2018 12:46 AM
Hi
Sorry for the delayed response, been on holiday. Yes this has proved to be the solution, so thank you for taking the time to respond.
Regards
Terry