hi to make it clear..

objectives is to have 2 WLANs profiles w different authention method yet bc the same SSID, and each of the WLAN profile tie to their own policy profile (VLAN 10 and VLAN 20).

Can this be done?

thanks for ur time.

add on..

the 2 WLANs bc 1 SSID config method was on cisco live presentation for Wifi 6E migration.

but it does not explain much on the different policy profile (VLANs) after authentication.

   - In general you can also according to the picture you mentioned and https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/213911-understand-catalyst-9800-wireless-contro.html#toc-hId-650926228    check item 2.   on the FAQ.

   But the WLAN profiles  must be different , check https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/config-guide/newconfigmodel/b_catalyst-9800-configuration-model/m_configuring-wlans.html
  for configuration details.

  - When finalizing a 9800 configuration , make a checkup of it by using the CLI command
     show tech wireless and feed the output from that into Wireless Config Analyzer
                Use the full command as mentioned in green , do not use a simple show tech as input for
                this procedure.

                   Consider the above mandatory for solid management of 9800 wireless controllers.

for item 2 in FAQs,  i think u mis-read.

same ssid, 2 different wlan profile (different authentication) - 2 different policy profile (VLAN10 and VLAN20) all in 1 policy tag.

  - Great you can correct me , but read : https://forum.huawei.com/enterprise/en/how-do-i-find-my-ssid/thread/696104506745569280-667213855346012160

   So in general , wireless clients may get confused or taking wrong decisions , for instance for 6GHz differentiation 
  an  SSID  can l be presented as in :  company_6GHz
  For your purpose , it is best to take the same approach =>  give it  meaning full (other) name as to it's purpose ; for both purposes

 M.

i did a test.

my clients authenticated thru wlan profile A is getting IP address randomly from Policy profile A; and some from  Policy profile B..... and not all to the Policy profile A it is tie to.

you encounter this issue?

We have not encountered an issue like that because we do not have a big "fat" subnet.  We broke our subnets into /24 or /23 chunks and then we group them using VLAN Groups.  This way, we can break one subnet without affecting everybody else.  

This means even though we have different WLAN Profile names, they all go down the same VLAN Groups and assigned to the appropriate IP address subnet.

help me be clear...

what u mean is all your different Policy profiles all point to the same VLAN group; and this single VLAN group comprise of different smaller /24 or /23 subnets???

in this case, won't the wifi clients authenticating to different WLAN profiles all get IP address from random VLANs (same VLAN group)???

is there a way to keep WLAN profile A >>> policy profile A (subnet) etc??

---

@Charlie Grey wrote:
what u mean is all your different Policy profiles all point to the same VLAN group; and this single VLAN group comprise of different smaller /24 or /23 subnets???

---

Yes.  

---

@Charlie Grey wrote:

in this case, won't the wifi clients authenticating to different WLAN profiles all get IP address from random VLANs (same VLAN group)???

---

Remember, the same SSID.  The only thing different is the Profile Name.  This means the authentication method, in this case web authentication is the same.