Can we integrate SDA with non-Cisco RADIUS for dynamic VLAN assignment?

hashimwajid1, Level 3

Hi,

We want to integrate SDA Fabric DNAC with FortiAuthenticator for single wireless SSID authentication with multiple dynamic VLAN assignments based on AD user groups.

Single SSID: if the user belongs to CORP then assign VLAN 10, but if the user belongs to HR then assign VLAN 20.

DNAC is integrated with the 9800 controller and all wireless configuration is managed by DNAC. Can somebody explain which RADIUS attributes we should configure on the RADIUS server and how DNAC will interpret this RADIUS configuration?

We don't assign manual VLANs on DNAC for IP subnets, so how will DNAC understand the dynamic VLAN assigned by the non-Cisco RADIUS?

Many Thanks


6 Replies

Hi

We have a discussion here about DNAC with third-party RADIUS:

https://community.cisco.com/t5/cisco-digital-network/dna-center-using-forescout/m-p/4598640#M5296

DNAC uses pxGrid in order to communicate with the RADIUS server. And DNAC has knowledge of VLANs if you are doing fabric. If you are not doing it through DNAC, you may not be using fabric.

jedolphi, Cisco Employee

Hi hashimwajid1, regardless of SD-Access or no SD-Access, the wireless design solution in DNA Center allows per-SSID AAA server designation, so the answer is yes, you can use a different RADIUS server for a specific SD-Access fabric SSID:

[Screenshot: aaa_server.jpg]

In this screenshot 10.67.33.57 is an ISE PSN and 1.1.1.1 is a 3rd-party RADIUS server.

Any RADIUS server can set the access network for an SD-Access wireless client using the standard RADIUS attribute

Tunnel-Private-Group-ID = VLAN name or VLAN ID, if the 9800 WLC is running IOS XE 16.11 or later.

Best regards, Jerome

 

Hi jedolphi,

Thanks for your reply. In my case the Cat 9800 WLC is managed by DNAC and we don't configure any VLAN number or name in DNAC, as DNAC automatically assigns the VLAN ID; we just create an IP subnet pool in DNAC and map this IP subnet pool to the SSID.

My question is how DNAC will understand this RADIUS attribute, or what to configure in the RADIUS attribute so that DNAC is able to understand the VLAN name, or VLAN name = IP pool subnet in DNAC?

I have a single SSID and want to dynamically assign the VLAN based on AD group authentication. In that case how will DNAC interpret the VLAN ID or VLAN name which we configure on the RADIUS server, as in DNAC we use an IP subnet pool and map it to the SSID?

Hi hashimwajid1, in the DNA Center SD-Access app, when you add an IP pool to a Layer 3 Virtual Network, you have an opportunity to name the access VLAN and give the access VLAN a number. DNA Center provisions the VLAN name and number to the 9800 fabric WLC and the Fabric Edge switches. When a wireless endpoint authenticates to a fabric SSID the RADIUS transaction is between the 9800 fabric WLC and the RADIUS server. The Tunnel-Private-Group-ID RADIUS attribute is sent from the RADIUS server to the WLC with the RADIUS Access-Accept. DNA Center never receives or interprets RADIUS packets used for endpoint authentication and authorization. Regards, Jerome

Hi Jedolphi,

This explanation is very helpful. One last thing: in that case, when we assign the SSID a single IP pool on DNAC but actually use multiple IP subnet pools based on different AD group authentication against the single SSID, would that SSID-to-IP-pool mapping be overridden on DNAC?

Hi hashimwajid1, the Tunnel-Private-Group-ID takes priority over the static SSID-to-IP-pool mapping. The static SSID-to-IP-pool mapping is only used when the Tunnel-Private-Group-ID attribute is missing from the RADIUS Access-Accept. Regards, Jerome
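To make the two answers concrete (the Tunnel-Private-Group-ID attribute any RADIUS server can return, and the rule that it overrides the static SSID-to-IP-pool mapping), here is an added Python example that is not from the thread, from Cisco or from FortiAuthenticator: it encodes the RFC 2868 tunnel attributes for the poster's CORP/HR groups, decodes them the way a NAS such as the WLC would, and applies the fallback. The group-to-VLAN mapping, the tag value and the static pool VLAN "30" are constructed assumptions.

```python
import struct

TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81  # RFC 2868 attribute types
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE_802 = 13, 6                        # "VLAN" and "802" values
TAGGED = {TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID}

# Constructed AD-group to access-VLAN mapping (the poster's CORP/HR example).
AD_GROUP_TO_VLAN = {"CORP": "10", "HR": "20"}


def _tlv(attr_type, tag, body):
    """One RADIUS attribute: Type, Length (of the whole attribute), Tag, payload."""
    return struct.pack("!BBB", attr_type, 3 + len(body), tag) + body


def build_vlan_attributes(ad_group, tag=1):
    """Attributes the RADIUS server adds to Access-Accept; b'' when no group matches."""
    vlan = AD_GROUP_TO_VLAN.get(ad_group)
    if vlan is None:
        return b""
    return (_tlv(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
            + _tlv(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big"))
            + _tlv(TUNNEL_PRIVATE_GROUP_ID, tag, vlan.encode()))


def parse_attributes(raw):
    """Decode the TLV list into {type: (tag, value)}: int for tagged integers, str otherwise."""
    attrs, i = {}, 0
    while i < len(raw):
        length = raw[i + 1] if i + 1 < len(raw) else 0
        if length < 2 or i + length > len(raw):
            raise ValueError("malformed RADIUS attribute at offset %d" % i)
        t, body, tag = raw[i], raw[i + 2:i + length], 0
        if t in TAGGED and body and body[0] <= 0x1F:  # RFC 2868: a first byte > 0x1F is data, not a tag
            tag, body = body[0], body[1:]
        value = int.from_bytes(body, "big") if t in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE) else body.decode()
        attrs[t] = (tag, value)
        i += length
    return attrs


def select_vlan(accept_attrs, static_pool_vlan):
    """NAS-side rule from the thread: Tunnel-Private-Group-ID wins; the static pool VLAN is the fallback."""
    attrs = parse_attributes(accept_attrs)
    if TUNNEL_PRIVATE_GROUP_ID not in attrs:
        return static_pool_vlan
    tag, vlan = attrs[TUNNEL_PRIVATE_GROUP_ID]
    # Honour the group ID only when the same-tagged Tunnel-Type/Medium-Type say "VLAN over 802".
    if (attrs.get(TUNNEL_TYPE) != (tag, TUNNEL_TYPE_VLAN)
            or attrs.get(TUNNEL_MEDIUM_TYPE) != (tag, TUNNEL_MEDIUM_IEEE_802)):
        return static_pool_vlan
    return vlan
```

A user in a group with no mapping (or a server that omits the attribute) lands in the SSID's static pool VLAN, which is the fallback behaviour described in the accepted answer.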