07-28-2008 02:14 PM - edited 07-03-2021 04:14 PM
I have 2 4404 WLCs with WCS. I have a WLAN set up to authenticate to a MS IAS Radius server. Users are authenticated using their Active Directory username. I want to set up multiple WLANs and restrict which user can connect to which WLAN, or I can also set up one WLAN but I want to assign an IP address or VLAN dependent on the username. Right now I have 2 WLANs set up using IAS for authentication. In IAS we set up 2 different profiles and each has a different AD group associated to it. Users in both groups can connect to either WLAN. I want particular users to be assigned IP addresses from a specific network. How can I separate this out so that multiple groups of users get different IP addresses?
07-29-2008 04:50 AM
Hi Deanna,
Have you looked into this WLC feature:
Dynamic VLAN Assignment with RADIUS Server and Wireless LAN Controller Configuration Example
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml
Hope this helps!
Rob
07-29-2008 05:57 AM
Rob,
Is there a way to do this with a Microsoft IAS Radius server?
Thanks,
Deanna
07-29-2008 11:52 AM
Deanna,
You should be able to do this, but you'll need to create the values by hand in IAS. These are the numbers that are next to the descriptions in ACS.
I haven't done exactly this configuration in IAS before, but I've passed some Cisco values for enable mode at login based on AD group membership. The concept is the same for what you are doing, just training IAS to respond with the right values based on certain requests.
Here is a good Microsoft KB article with some good references on how to build the custom attributes you'll need. http://support.microsoft.com/kb/283829
Here is a very good example of functional IAS configuration changes to allow login directly to enable mode to work correctly with IAS to get you started. http://www.blindhog.net/cisco-aaa-login-authentication-with-radius-ms-ias/
What you are looking for requires modifications that are similar.
Combine that background information with the article that Rob pointed to and you should be able to get it working. It might take some trial and error and some debugging to get it right though.
Cody
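For the trial-and-error step, one way to check what the RADIUS server actually returns is to parse a captured Access-Accept for the three standard tunnel attributes that carry a VLAN assignment (RFC 2868 / RFC 3580: Tunnel-Type 64 = 13, Tunnel-Medium-Type 65 = 6, Tunnel-Private-Group-ID 81 = VLAN). This is an added example, not code from any poster in this thread; the function names and the sample packets (VLAN "20", zeroed authenticator) are constructed for illustration.

```python
import struct

# Standard attribute numbers (RFC 2868) and the values RFC 3580 defines for a VLAN
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TYPE_VLAN, MEDIUM_802, ACCESS_ACCEPT = 13, 6, 2

def parse_attributes(packet: bytes) -> dict:
    """Return {attribute number: [raw value, ...]} from an Access-Accept."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or not 20 <= length <= len(packet):
        raise ValueError("not a well-formed Access-Accept")
    attrs, pos = {}, 20  # skip code, id, length and the 16-byte authenticator
    while pos < length:
        if length - pos < 2 or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError(f"malformed attribute at offset {pos}")
        a_type, a_len = packet[pos], packet[pos + 1]
        attrs.setdefault(a_type, []).append(packet[pos + 2:pos + a_len])
        pos += a_len
    return attrs

def assigned_vlan(packet: bytes):
    """Return (vlan, problems); vlan is None unless all three attributes are right."""
    attrs, problems = parse_attributes(packet), []
    for a_type, want, name in ((TUNNEL_TYPE, TYPE_VLAN, "Tunnel-Type"),
                               (TUNNEL_MEDIUM_TYPE, MEDIUM_802, "Tunnel-Medium-Type")):
        # value layout: one tag byte, then a 3-byte integer
        got = [int.from_bytes(v[1:], "big") for v in attrs.get(a_type, []) if len(v) == 4]
        if got != [want]:
            problems.append(f"{name} is {got or 'missing/malformed'}, expected {want}")
    group = attrs.get(TUNNEL_PRIVATE_GROUP_ID, [])
    if len(group) != 1 or not group[0]:
        return None, problems + ["Tunnel-Private-Group-ID missing or repeated"]
    raw = group[0][1:] if group[0][0] <= 0x1F else group[0]  # drop optional tag byte
    return (raw.decode("ascii", "replace") if not problems else None), problems

def attr(a_type: int, value: bytes) -> bytes:
    return bytes([a_type, len(value) + 2]) + value

def build_accept(attributes: bytes) -> bytes:
    """Constructed sample packet: id 1, zeroed authenticator."""
    return struct.pack("!BBH", ACCESS_ACCEPT, 1, 20 + len(attributes)) + bytes(16) + attributes

# Constructed samples: VLAN "20" is an arbitrary illustration value
SAMPLE_OK = build_accept(attr(64, b"\x00\x00\x00\x0d") + attr(65, b"\x00\x00\x00\x06") + attr(81, b"20"))
SAMPLE_BAD = build_accept(attr(64, b"\x00\x00\x00\x0d") + attr(81, b"20"))  # no Tunnel-Medium-Type

if __name__ == "__main__":
    for name, pkt in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(name, assigned_vlan(pkt))
```
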