06-27-2022 10:40 AM - edited 06-27-2022 10:59 AM
Hi,
We want to integrate SDA Fabric DNAC with FortiAuthenticator for single wireless SSID authentication with multiple dynamic VLAN assignments based on AD user groups.
Single SSID = if a user belongs to CORP then assign VLAN 10, but if a user belongs to HR then assign VLAN 20.
DNAC is integrated with a 9800 controller and all wireless configuration is managed by DNAC. Can somebody explain which RADIUS attributes we should configure on the RADIUS server and how DNAC will interpret this RADIUS configuration?
We don't assign a manual VLAN on DNAC for IP subnets, so how will DNAC understand the dynamic VLAN assigned by a non-Cisco RADIUS?
Many thanks
06-27-2022 12:16 PM
Hi
We have a discussion here about DNAC with third-party RADIUS:
https://community.cisco.com/t5/cisco-digital-network/dna-center-using-forescout/m-p/4598640#M5296
DNAC uses pxGrid in order to communicate with the RADIUS server. And DNAC has knowledge of VLANs if you are doing fabric. If you are not doing it through DNAC, you may not be using fabric.
06-27-2022 07:40 PM - edited 06-27-2022 07:42 PM
Hi hashimwajid1, regardless of SD-Access or no SD-Access, the wireless design solution in DNA Center allows per-SSID AAA server designation, so the answer is yes, you can use a different RADIUS server for a specific SD-Access fabric SSID:
In this screenshot 10.67.33.57 is an ISE PSN and 1.1.1.1 is a 3rd-party RADIUS server.
Any RADIUS server can set the access network for an SD-Access wireless client using the standard RADIUS attribute
Tunnel-Private-Group-ID = VLAN name or VLAN ID, if the 9800 WLC is running IOS XE 16.11 or later.
Best regards, Jerome
06-27-2022 08:25 PM - edited 06-27-2022 09:20 PM
Hi jedolphi,
Thanks for your reply. In my case the Cat 9800 WLC is managed by DNAC and we don't configure any VLAN number or name in DNAC, as DNAC automatically assigns the VLAN ID; we just create an IP subnet pool in DNAC and map this IP subnet pool to the SSID.
My question is how DNAC will understand this RADIUS attribute, or what to configure in the RADIUS attribute so that DNAC is able to understand the VLAN name, or VLAN name = IP pool subnet in DNAC?
I've a single SSID and want to dynamically assign the VLAN based on AD group authentication. In that case, how will DNAC interpret the VLAN ID or VLAN name which we configure on the RADIUS server, as in DNAC we use an IP subnet pool and map it to the SSID?
06-27-2022 09:31 PM
Hi hashimwajid1, in the DNA Center SD-Access app, when you add an IP pool to a Layer 3 Virtual Network, you have an opportunity to name the access VLAN and give the access VLAN a number. DNA Center provisions the VLAN name and number to the 9800 fabric WLC and the Fabric Edge switches. When a wireless endpoint authenticates to a fabric SSID the RADIUS transaction is between the 9800 fabric WLC and the RADIUS server. The Tunnel-Private-Group-ID RADIUS attribute is sent from the RADIUS server to the WLC with the RADIUS Access-Accept. DNA Center never receives or interprets RADIUS packets used for endpoint authentication and authorization. Regards, Jerome
06-27-2022 09:40 PM
Hi Jedolphi,
This explanation is very helpful. One last thing: in that case, when we assign the SSID a single IP pool on DNAC but actually use multiple IP subnet pools based on different AD group authentication against a single SSID, would that SSID to IP pool mapping be overridden on DNAC?
06-27-2022 10:35 PM
Hi hashimwajid1, the Tunnel-Private-Group-ID takes priority over the static SSID to IP pool mapping. The static SSID to IP pool mapping is only used when the Tunnel-Private-Group-ID attribute is missing from the RADIUS Access-Accept. Regards, Jerome