Cisco Access Point authentication with Radius server, "dynamic vlan"

asdrewaqf
Level 1


Hello Team,

I'm seeking your support to configure dynamic VLANs on the AIR-SAP1602 series 802.11n Access Point. Currently, our Radius server is operational with two policies:

  1. First Policy: Designed for admins with VLAN 21 assignment.
  2. Second Policy: Intended for staff members with VLAN 20 assignment.

I need guidance on configuring the access point to enable a single SSID, let's call it "X." The goal is to ensure that when an admin user connects to the "X" SSID, they obtain an IP from VLAN 21, while staff users connecting to the same "X" SSID should receive an IP from VLAN 20.

Thank you.

8 Replies

It's a RADIUS server (NPS) that authenticates with Active Directory (AD). The process is: the user will connect to the "X" SSID with domain NT credentials and the AP will try to connect with the RADIUS server to check which policy the credentials match; if he's an admin user he will take VLAN 21 and if the user is staff he will take VLAN 20.

The question is, when the attribute comes back to the access point, how would it put that user on VLAN 21 or 20?

Can a single SSID work on 2 different VLANs?
How can I configure that from the access point side?

This will only work if your AP has an option for AAA override. This feature is usually found on controllers or APs that function as controllers. I don't think your AP, if it's standalone, supports this.

-Scott
*** Please rate helpful posts ***

This can be done by WLC: instead of mapping your WLAN (wlan edit) to one VLAN, map it to a VLAN group.

The group contains two VLANs and the RADIUS returns the value of the VLAN for each user.

Try this way

MHM

asdrewaqf
Level 1

Okay, I got you. I can assure you my access point is an autonomous AP (standalone), not a controller AP, and I don't have a WLC for doing the above steps.

Do you know any other ways I can use the standalone AP with dynamic VLAN assignment, or assign a single SSID to multiple VLANs based on the attributes that I can get from the Microsoft RADIUS server?

@asdrewaqf If you look at the configuration guide for the AP/code you are using, that should tell you what you can and can't do. Like I mentioned before, I doubt that your standalone AP can do this, because it doesn't support it. If this is something you need, then you need to look at upgrading to something with more functionality that is also supported.

-Scott
*** Please rate helpful posts ***

Rich R
VIP

The config guide suggests that it might be supported on the autonomous AP!
https://www.cisco.com/c/en/us/td/docs/wireless/access_point/15-3-3/configuration/guide/cg15-3-3/cg15-3-3-chap14-vlan.html#31209

Using a RADIUS Server to Assign Users to VLANs

You can configure your RADIUS authentication server to assign users or groups of users to a specific VLAN when they authenticate to the network.

Note: Unicast and multicast cipher suites advertised in the WPA or RSN information element (and negotiated during 802.11 association) may potentially mismatch with the cipher suite supported in an explicitly assigned VLAN. If the RADIUS server assigns a new VLAN ID which uses a different cipher suite from the previously negotiated cipher suite, there is no way for the access point and client to switch back to the new cipher suite. Currently, WPA, WPA2 and CCKM protocols do not allow the cipher suite to be changed after the initial 802.11 cipher negotiation phase. In this scenario, the client device is disassociated from the wireless LAN.

The VLAN-mapping process consists of these steps:

1. A client device associates to the access point using any SSID configured on the access point.

2. The client begins RADIUS authentication.

3. When the client authenticates successfully, the RADIUS server maps the client to a specific VLAN, regardless of the VLAN mapping defined for the SSID the client is using on the access point. If the server does not return any VLAN attribute for the client, the client is assigned to the VLAN specified by the SSID mapped locally on the access point.
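The mapping steps quoted above, modelled as a small decision routine. This is an added example, not Cisco's or the guide's code; it assumes the RADIUS server (NPS) returns the RFC 2868 tunnel attributes normally used for VLAN assignment (Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802, Tunnel-Private-Group-ID=<vlan>), and the cipher names and VLAN table are constructed sample data.

```python
"""Autonomous-AP VLAN-mapping decision (added example, not Cisco code).

Assumptions: the RADIUS Access-Accept carries RFC 2868 tunnel attributes
(NPS style). Per-VLAN cipher names below are constructed sample values.
"""
from dataclasses import dataclass
from typing import Optional

TUNNEL_TYPE_VLAN = 13     # RFC 2868 Tunnel-Type value for VLAN
TUNNEL_MEDIUM_802 = 6     # RFC 2868 Tunnel-Medium-Type value for IEEE 802


@dataclass
class AccessPoint:
    ssid_vlan: int                 # VLAN mapped locally to SSID "X"
    vlan_cipher: dict              # cipher suite configured per VLAN ID


def radius_vlan(attrs: dict) -> Optional[int]:
    """Return the VLAN ID from an Access-Accept, or None if absent/malformed.

    A partial or inconsistent attribute set is treated as "no VLAN attribute",
    so the SSID default applies rather than an attacker-chosen or garbage value.
    """
    if attrs.get("Tunnel-Type") != TUNNEL_TYPE_VLAN:
        return None
    if attrs.get("Tunnel-Medium-Type") != TUNNEL_MEDIUM_802:
        return None
    group = str(attrs.get("Tunnel-Private-Group-ID", ""))
    if not group.isdigit() or not 1 <= int(group) <= 4094:
        return None
    return int(group)


def map_client(ap: AccessPoint, negotiated_cipher: str, attrs: dict) -> str:
    """Step 3 of the guide: a RADIUS VLAN overrides the SSID's VLAN; no
    attribute falls back to the SSID VLAN; a cipher mismatch between what the
    client negotiated and the assigned VLAN disassociates the client."""
    vlan = radius_vlan(attrs)
    if vlan is None:
        vlan = ap.ssid_vlan
    # Assumption: a VLAN unknown to the AP has no cipher and is also refused.
    if ap.vlan_cipher.get(vlan) != negotiated_cipher:
        return "disassociated"
    return f"vlan {vlan}"
```

Feeding the admin and staff policy results into `map_client` shows both users landing on VLAN 21 and 20 through the same SSID, and a missing attribute landing on the SSID's own VLAN.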

asdrewaqf
Level 1

THANK YOU VERY MUCH GUYS, it worked. The dynamic VLAN worked with the standalone AP without configuring any WLCs.
