Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1004
Views
5
Helpful
2
Replies

ISE and VLAN Assignment

terrywatson651
Level 1
Level 1

‎06-20-2018 12:30 AM - edited ‎02-21-2020 10:58 AM

Hi

We have a WiSM2 (ver 8.2.167.6) providing an 802.1x wireless profile to staff and students.  RADIUS is in the form of ISE (ver 2.3.0.298) that uses MS Active Directory as the database.  Depending on which AD group a client belongs to will determine which VLAN Tag ISE sends to the WLC, and therefore which VLAN the wireless users is assiged to.  This setup works fine.

 

Problem I have is that on a particular busy day (hosting a staff conference) we ran out of IP addresses on the Staff VLAN so new users could authenticate to ISE but were unable to get on the network. 

 

The simplest workaround is just to increase the size of the DHCP scope, however I am reluctant to create a very large subnet.  The only other way I can thing of is to create new AD groups, splitting staff into the groups and getting ISE to use different VLAN tags for each AD group.  However we have a lot of staff and the administrative overhead for this approach will not be welcomed by the Server team.

 

Is there any other way I can split staff onto more than one VLAN using the ISE?

Labels:
0 Helpful
2 Replies 2

craig.beck
Level 1
Level 1

‎06-21-2018 07:32 AM

Use interface groups at the WiSM, then use the Airespace-Interface-Name attribute to tell the WLC which interface-group name to use, rather than the VLAN.

 

Using interface-groups, the WLC will choose which VLAN to put the client on based on which interfaces are in the interface-group.  You could have up-to 64 interfaces in an interface-group at the WiSM2, so if you don't like large subnets you could create up-to 64 /24 subnets (they can be bigger or smaller though) and add them to one interface-group, then attach that to the WLAN.

terrywatson651
Level 1
Level 1
In response to craig.beck

‎06-28-2018 12:46 AM

Hi

Sorry for the delayed response, been on holiday.  Yes this has proved to be the solution, so thank you for taking the tine to respond.

Regards

 

Terry

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents