cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1359
Views
15
Helpful
6
Replies

can we integrate SDA with non-cisco Radius for dynamic VLAN asignment?

hashimwajid1
Level 3
Level 3

Hi,

 

we want to integrate SDA Fabric DNAC with FortiAuthenticator for single Wireless SSID authentication with multiple dynamic VLAN assignment based on AD user groups.

 

single SSID = if user belongs to CORP then assign vlan 10 but if user belong to HR then assign vlan 20

 

DNAC integrated with 9800 controller and all wireless configuration manged by DNAC. can somebody explain which Radius attributes we should configure on Radius server and how DNAC will interpret these Radius configuration.

 

we don't assign manual VLAN on DNAC for IP Subnets then how DNAC will understand the dynmaic VLAN assign by non-cisco Radius?

 

 

Many Thanks

 

 

2 Accepted Solutions

Accepted Solutions

Hi hashimwajid1, in the DNA Center SD-Access app, when you add an IP pool to an Layer 3 Virtual Network, you have an opportunity to name the access VLAN and give the access VLAN a number. DNA Center provisions the VLAN name and number to the 9800 fabric WLC and the Fabric Edge switches. When a wireless endpoint authenticates to a fabric SSID the RADIUS transaction is between 9800 fabric WLC and RADIUS server. The Tunnel-Private-Group-ID RADIUS attribute is sent from RADIUS server to WLC with RADIUS access-accept. DNA Center never receives or interprets RADIUS packets used for endpoint authentication and authorization. Regards, Jerome

View solution in original post

Hi hashimwajid1 , the Tunnel-Private-Group-ID takes priority over static SSID to IP Pool mapping. Static SSID to IP Pool mapping is only used when Tunnel-Private-Group-ID attribute is missing from RADIUS access-accept. Regards, Jerome

View solution in original post

6 Replies 6

Hi

 We have discussion here about DNAC with thirty part radius:

https://community.cisco.com/t5/cisco-digital-network/dna-center-using-forescout/m-p/4598640#M5296 

 

DNAC use PXGRID in order to communicate with the Radius server.  And DNAC have knowlegde of vlans if you are doing fabric. If you are not doing it through DNAC, you may not be using fabric.

 

 

jedolphi
Cisco Employee
Cisco Employee

Hi hashimwajid1, regardless of SD-Access or no SD-Access the wireless design solution in DNA Cente allows per-SSID AAA server designation, so the answer is yes, you can use a different RADIUS server for a specific SD-Access fabric SSID:

 

aaa_server.jpg

In this screen shot 10.67.33.57 is an ISE PSN and 1.1.1.1 is a 3rd party RADIUS server.

 

Any RADIUS server can set the access network for an SD-Access wireless client using the standard RADIUS attribute

Tunnel-Private-Group-ID = VLAN name or VLAN ID ,  if the 9800 WLC is running IOS XE 16.11 or later.

 

Best regards, Jerome

 

Hi jedolphi,

Thanks for your reply, in my case cat 9800 wlc is manged by DNAC and we don't configure any VLAN number or name in DNAC as DNAC automatically assign vlan ID as we just create IP Subnet Pool in DNAC and map this IP subnet pool with SSID.

My question is how DNAC will understand this radius attribute or what to configure in radius attribute so DNAC should be able to understand VLAN name or VLAN name = IP Pool subnet in DNAC?

 

I've single SSID and want to dynamically assign VLAN based on AD group authentication, in that case how DNAC will interpret the VLAN ID or VLAN name which we configure on Radius server as in DNAC we use IP SUBNET POOL and map with SSID.

Hi hashimwajid1, in the DNA Center SD-Access app, when you add an IP pool to an Layer 3 Virtual Network, you have an opportunity to name the access VLAN and give the access VLAN a number. DNA Center provisions the VLAN name and number to the 9800 fabric WLC and the Fabric Edge switches. When a wireless endpoint authenticates to a fabric SSID the RADIUS transaction is between 9800 fabric WLC and RADIUS server. The Tunnel-Private-Group-ID RADIUS attribute is sent from RADIUS server to WLC with RADIUS access-accept. DNA Center never receives or interprets RADIUS packets used for endpoint authentication and authorization. Regards, Jerome

Hi Jedolphi,

 

this explanation is very helpful, one last thing in that case when we assign SSID with single IP POOL on DNAC but actually we are using multiple IP subnet Pool  based on different AD Group authentication against single SSID then that SSID to IP POOL mapping would be override on DNAC ?

 

 

 

 

Hi hashimwajid1 , the Tunnel-Private-Group-ID takes priority over static SSID to IP Pool mapping. Static SSID to IP Pool mapping is only used when Tunnel-Private-Group-ID attribute is missing from RADIUS access-accept. Regards, Jerome

Review Cisco Networking for a $25 gift card