
Cisco Business 150AX - Vlan limitation with 802.1x

insys
Level 1

Hello,

I have a question regarding Cisco Business 150AX. I want to set up 802.1x authentication (using a RADIUS/NPS server) with dynamic VLAN assignment.

I noticed that there is a limitation of 16 VLANs, but I couldn't find anywhere if this limitation is static or dynamic. In other words, is it possible to have more than 16 VLANs via 802.1x?

Since I'm going to have to trunk between my switch and the terminal, does the limit apply at the trunk level or at the AP level itself? Or does it have to do with the number of simultaneously active VLANs?

Thank you very much for your help. I have spent a lot of time looking for this information on the internet and in the documentation, but I have not found anything about this.

Sincerely,

12 Replies

balaji.bandi
Hall of Fame

Why do you need so many VLANs?

-  Segmentation via VLANs (up to 16)

 

  • You can associate up to 16 WLANs with the CBW Primary AP and create a total of 16 WLANs. Cisco recommends a maximum of 4 WLANs. The Primary AP assigns all the configured WLANs to all the connected APs.

The admin guide may help you:

https://www.cisco.com/c/en/us/td/docs/wireless/access_point/csbap/CBW_WiFi_6/Admin_Guide/b_cisco_business_wifi_6_admin_guide/m_4_wireless_settings.html?bookSearch=true#id_129425

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Thanks for your message!

I need to deploy an infrastructure for a small number of users, but it needs to be split into multiple VLANs because different companies use the same equipment. I have about 8 departments per company (I configure 1 VLAN per department), and there are 5 companies (that's 48 VLANs just for internal users). That's why I need so many VLANs...

So, if I understand the documentation correctly, I should create a WLAN for each VLAN I have on the trunk connected to the access point (I will use the same SSID)?

So the equipment would not correspond to my use case?

Sincerely

This AP can only support a maximum of 25 users and up to 16 VLANs. If your requirement is different, then you need to uplift the model of AP to support those features.

So, if I understand the documentation correctly, I should create a WLAN for each VLAN I have on the trunk connected to the access point (I will use the same SSID)? <<- Yes, each VLAN tag to match WLAN (or SSID). If you are using only one SSID, you do not have many WLANs and VLANs (I guess). You can use up to 16 WLANs, so you have 8 departments, 8 SSIDs is good here, I guess.

Bear in mind, more SSIDs mean more sharing (fewer SSIDs give better performance).

So the equipment would not correspond to my use case? <<- If this requirement is a very large deployment, contact your local Cisco partner to help you.

BB


insys
Level 1

Thank you for your clarification, I continued to read the documentation and I saw that the "Allow AAA Override" could meet my needs without creating several WLANs and therefore not have any limitation?

What do you think about this option?

Thanks a lot!

Sure, one should test and confirm (every environment is different).

BB


Maurice_
Level 1

You can indeed use AAA override to assign wireless clients to specific VLANs. These clients can all be connected to the same SSID. The VLAN mapping needs to be provided by the RADIUS server. When using 802.1x, the VLAN IDs are linked to the user accounts. When using PSK, they are linked to the client MAC addresses.

I use such a configuration with a PSK WLAN and it works fine. The main issue here is that you have to add all needed VLANs to the CBW config, but there seems to be no GUI option for doing this. As a workaround, you could create additional, disabled dummy WLANs which are assigned to the needed VLANs. That's how I solved it. But since you can only add 16 WLANs, this also limits you to 16 VLANs.

As an alternative, you could try adding the VLANs to the config directly. Create a config backup and add the VLANs like this:

config flexconnect group default-flexgroup vlan add <vlan-id>

One line for each VLAN. Then restore the config backup. I haven't tried this, but it could work.

Cheers
Maurice

Thank you so much for your response and feedback!

So, if I use AAA override with my managed VLAN ID in my RADIUS server, do I still need to add WLANs to be accepted on my access point? Or is this only relevant if I use MAC/PSK? (which is not planned for me).

Regarding FlexConnect, I don't know if the terminal supports this command, as I don't see it mentioned anywhere in the documentation.

Thanks to you, this helps me a lot because it is a very little used case and not much feedback.

All needed VLANs have to be added to the CBW config, even when using AAA override with 802.1x. It won't work if the RADIUS response includes a VLAN ID which isn't already known by the AP.

The FlexConnect command is from the Mobility Express documentation. CBW is a simplified fork of ME, meaning a bunch of features were removed from the GUI, but are probably still there under the hood. ME has a GUI option for explicitly adding VLANs, CBW doesn't. The CBW user guide briefly mentions using AAA override for VLAN assignment but doesn't explain how to add the VLANs. Seems like an oversight to me.

Okay, thanks for the clarification, so I may run into limitations then with this terminal if I need more than 16 VLANs (even if they will never be connected at the same time).
I'll try to get a terminal to test or I'll look for another terminal that doesn't have such limitations, but apparently they are much more expensive.

I tried the manual config file editing method real quick. It does work, but there is indeed a hard limit of 16 VLANs (+ native VLAN). I added 50 VLANs, uploaded the config, rebooted and downloaded the config again. All but the first 16 VLANs were gone.
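
The two constraints reported in the replies above (a VLAN ID returned by RADIUS must already be known to the AP, and only the first 16 VLANs survive a config restore) can be checked before deployment. This is an added example, not part of the thread and not Cisco code; it assumes the backup is plain text containing the quoted `vlan add` lines, and the policy-to-VLAN mapping is a hypothetical export from your RADIUS/NPS server.

```python
import re

# Line format quoted in the thread; one line per VLAN in the config backup.
VLAN_LINE = re.compile(
    r"^\s*config flexconnect group default-flexgroup vlan add (\d+)\s*$")
AP_VLAN_LIMIT = 16  # limit reported in the thread (native VLAN not counted)


def vlans_in_backup(config_text):
    """Return valid VLAN IDs from the backup in file order, without duplicates."""
    seen = []
    for line in config_text.splitlines():
        m = VLAN_LINE.match(line)
        if m and 1 <= int(m.group(1)) <= 4094 and int(m.group(1)) not in seen:
            seen.append(int(m.group(1)))
    return seen


def audit(config_text, radius_vlans, limit=AP_VLAN_LIMIT):
    """Compare VLANs the RADIUS policy hands out with what the AP will keep.

    radius_vlans: dict of policy name -> VLAN ID returned for that policy
    (hypothetical input; export it from your RADIUS/NPS policies).
    """
    configured = vlans_in_backup(config_text)
    # The thread observed that only the first `limit` VLANs survive a restore.
    kept, dropped = configured[:limit], configured[limit:]
    report = {"kept": kept, "dropped": dropped, "unassignable": {}}
    for policy, vlan in sorted(radius_vlans.items()):
        if vlan not in kept:
            reason = "dropped by limit" if vlan in dropped else "not in config"
            report["unassignable"][policy] = (vlan, reason)
    return report


# Constructed sample: 18 VLANs (101-118) in a backup, three RADIUS policies.
SAMPLE_BACKUP = "\n".join(
    f"config flexconnect group default-flexgroup vlan add {v}"
    for v in range(101, 119))
SAMPLE_POLICIES = {"companyA-hr": 101, "companyB-it": 117, "companyC-lab": 200}

if __name__ == "__main__":
    result = audit(SAMPLE_BACKUP, SAMPLE_POLICIES)
    print("kept:", result["kept"])
    print("dropped:", result["dropped"])
    for policy, (vlan, reason) in result["unassignable"].items():
        print(f"{policy}: VLAN {vlan} cannot be assigned ({reason})")
```
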

Okay, thanks a lot for the information and your try!
Too bad, it's rather blocking when we need a lot of VLANs. I'll see if I can find another AP, but other products other than Cisco allow what I want via AAA override, even if they have a limit of 8 or 16 VLANs too.

Thanks a lot

Sure, you need to test different combinations to work. Good, one should have some test lab to test it.

BB
