Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
558
Views
3
Helpful
4
Replies

SDA Fabric Wireless & dynamic vlan authorisation!

JonathanC1
Level 1
Level 1

‎08-21-2023 08:49 AM

Hi Folks,

Just wondering if this is possible. I look at DNAC and in the fabric site SSIDs i have to assign an IP pool. If I wanted an SSID VLAN to be deterministic of a dynamic VLAN from ISE is this not possible?

Thanks

J

Labels:
0 Helpful
4 Replies 4

Preston Chilcote
Cisco Employee
Cisco Employee

‎08-21-2023 09:03 AM

I may not completely understand the question, but this might be a good document for you to review:

https://community.cisco.com/t5/networking-knowledge-base/sd-access-authentication-policy-naming-best-practice/ta-p/4032898

Basically, the IP Pool in DNA can be given any name you want and it's up to ISE to use that same name in it's Authorization Profile to make sure that the Edge Switch has a matching VLAN during host onboarding.

0 Helpful

jedolphi
Cisco Employee
Cisco Employee

‎08-23-2023 10:45 PM

Hi Jonathan, the mapping of an Fabric SSID to an IP pool in the SD-Access UI is instantiated in the SD-Access network if there's a RADIUS access-accept with no VLAN name. If the customer has 9800 WLC running IOS XE 16.11 or later then your RADIUS server may send optionally the VLAN name with the access-accept, assuming the segment/VLAN has been enabled for wireless in the SD-Access UI e.g. this is from a lab ISE instance and can be used for authorization of Fabric-Enabled Wireless clients:

Screenshot 2023-08-24 at 3.42.48 pm.png

andy!doesnt!like!uucp
Spotlight
Spotlight
In response to jedolphi

‎08-24-2023 01:19 AM - edited ‎08-24-2023 01:20 AM

Hi Jerom
with what Jonny refers to we want to unbind SDA SSID from the static VLAN assignment, by assigning VLAN dynamically. & thus making this SSID universal landing point for any wireless usecases (assuming that AAA configured on that SSID serves all defined use-cases with single method of AAA - either DOT1X or PSK or captive portal etc). Thus from the perspective of 1st 2 methods need to statically assign IP-pool to such SSID looks purposeless. or do i get topic wrong? 

 

 

jedolphi
Cisco Employee
Cisco Employee
In response to andy!doesnt!like!uucp

‎08-24-2023 01:42 AM

Yo Andy. There's a long history here including retroactive support for older iterations of the technology inc AireOS WLCs. Short answer: today you cannot unbind the fabric SSID from a VLAN in the SD-Access UI, but you CAN send VLAN name for every wireless user in RADIUS access-accept, which essentially renders the static SSID-VLAN binding obsolete because RADIUS attribute takes priority. Hope that makes sense? If you'd prefer to have the UI updated to remove the not-really-mandatory SSID-VLAN relationship please to click "make a wish"  in the SD-Access UI (click the question mark in the top right corner) and leave that feedback with some solid reasoning/justification, which will be sent to my team for consideration and prioritization. Thanks, Jerome

Customers Also Viewed These Support Documents