Device authentication - 1 SSID and Multiple Vlans... IP Mismatch issue

aBITtooTALL68
Level 1

Hello,

Pardon any lack of knowledge, I am still learning and would appreciate any advice.

 

Problem:

We have multiple buildings sharing the same SSID but with different VLAN assignments via policies applied per APG per building. We noticed that some devices are having trouble reconnecting with the new tagged policy/VLAN after moving from one building to the next. For a better understanding of the problem, and for simplicity, I have labeled the first building "building 1" with "VLAN 11" and the second building "building 2" with "VLAN 22".

Both buildings share the same SSID, but the matching policy changes per building to apply the correct VLAN. To better describe the issue: a client connects in building 1 and receives VLAN 11 with no issues. The same client leaves building 1 and arrives at building 2. When the client tries to connect in building 2, it receives a DHCP request for the new VLAN 22, but the device still remembers the old IP address from VLAN 11 and is either unable to connect to the SSID or keeps the originally assigned address.

 

Question:

Is it possible to have users connect in building 2 and acquire the new VLAN information? And can this be done without AAA authentication, i.e. with WPA2/3 instead? Ideally we want users to receive the corresponding IP address per building without the need to re-enter the password for the same SSID.

 

Equipment: 9800-40WLC, C9120AXI-B

Client Type: MacBook Air (M1)

Accepted Solution

@aBITtooTALL68 

Clients should roam between buildings and the IP address should not be a problem. The WLC is able to maintain the client IP address when it roams to an access point connected to a different VLAN by creating an L2 roam.

Sounds like you are missing the command "wireless client vlan-persistent"

You can read more about roaming here

https://www.cisco.com/c/en/us/products/collateral/wireless/catalyst-9800-series-wireless-controllers/cat9800-ser-primer-enterprise-wlan-guide.html

For WLC version 17.3.1 there is a bug that can cause problems:

https://bst.cisco.com/bugsearch/bug/CSCvx61114?rfs=qvlogin
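As an added example that is not part of the original post or of Cisco's documentation: the Catalyst 9800 configuration and verification commands for the roaming behaviour described in the question and in this answer. The global command is the one named in the reply; the show commands are standard IOS-XE verification. The client MAC address is a placeholder, and VLAN 11 / VLAN 22 are the thread's own labels. One check worth doing before relying on this: because the roamed client keeps its VLAN 11 address while physically in building 2, the per-building segregation discussed later in the thread does not apply to that client until it does a fresh join, and the second show command is how to see which VLAN a client is actually in.

```cisco
! Catalyst 9800 (IOS-XE) global configuration: keep the client's VLAN and IP
! across an L2 roam to an AP whose policy profile maps to a different VLAN,
! instead of moving the client into the new AP's VLAN on every roam.
configure terminal
 wireless client vlan-persistent
end

! Confirm the feature is present in the running configuration.
show running-config | include vlan-persistent

! After a client roams from a building-1 AP (VLAN 11 policy) to a building-2 AP
! (VLAN 22 policy), check which VLAN and IP address it actually has.
! With vlan-persistent enabled the client detail still shows VLAN 11 and the
! IP address it obtained in building 1 (MAC address below is a placeholder).
show wireless client mac-address 0011.2233.4455 detail | include VLAN|IPv4 Address|Mobility

! Without vlan-persistent the roam lands the client in VLAN 22, where its
! VLAN 11 address is no longer valid until the DHCP lease is renewed, which is
! the "toggle Wi-Fi off and on" symptom the original poster describes.
```

The show output is the record of what the controller decided; if a client reported in building 2 still shows VLAN 11, that is the vlan-persistent behaviour working as designed, not a fault.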

 


Hello Flavio,

As always thank you so much for the provided information, and quick reply!!

To clarify what you said: roaming between buildings is absolutely possible as long as the vlan-persistent feature has been enabled on the WLC.

The only question I have remaining is: will the device receive a new IP according to the new building's scoped subnet or will the device maintain the old IP address after roaming? 

Thank you!!

The device will maintain the old IP address.

For roaming to be seamless, it needs to keep the IP address and the authentication; otherwise, it would be disruptive for clients.

Awesome, thank you so much Flavio! I appreciate it.

Some clients are having trouble reauthenticating when switching buildings, but this is another issue and I will address it on another post.

Thanks again!

Joseph W. Doherty
Hall of Fame

BTW, why different VLANs/subnets for the same SSID in a WLC environment?

If it's to avoid large subnets, wireless WLC subnets don't have quite the same subnet size scalability issues as wired subnets.

Hello Joseph,

Great question. I work in a school district with multiple buildings, each hosting an array of devices that staff connect to. Each building has multiple unique subnets with the intention to segregate out different types of traffic per building. A good example being our smartboard environment. A teacher is easily able to find/cast to their room's device without sifting through a list of over 200 castable items, and in turn no users outside of that building have access to those devices.

The challenge in this scenario is that many staff members frequently move from building to building. We want users to seamlessly reconnect to the network without a forced reauthentication. That being said, we reuse the same SSID but with unique subnetting per location to accommodate the site change. Unfortunately our current approach is not perfect. We find ourselves toggling Wi-Fi off and on to renew a DHCP lease when the device refuses to reconnect with the same IP address from the previous building.

Hope that answers your question!


@aBITtooTALL68 wrote:

Hope that answers your question!


It does.  To put it another way, you want users to be able to roam, seamlessly to them, but impose different security per physical location, correct?

Exactly this, you nailed it. 
