cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1263
Views
7
Helpful
8
Replies

Cisco Access Point authentication with Radius server, "dynamic vlan"

asdrewaqf
Level 1
Level 1

 

Hello Team,

I'm seeking your support to configure dynamic VLANs on the AIR-SAP1602 series 802.11n Access Point. Currently, our Radius server is operational with two policies:

  1. First Policy: Designed for admins with VLAN 21 assignment.
  2. Second Policy: Intended for staff members with VLAN 20 assignment.

I need guidance on configuring the access point to enable a single SSID, let's call it "X." The goal is to ensure that when an admin user connects to the "X" SSID, they obtain an IP from VLAN 21, while staff users connecting to the same "X" SSID should receive an IP from VLAN 20.

Thank you.

8 Replies 8

it's a radius server (NPS) that authenticates with Active directory AD ,,, the process is the user will connect to "X" SSID with domain NT credentials and the AP will try to connect with the radius server to check the credentials match on which policy if he's an admin user will take vlan 21 and if the user staff will take vlan 20, 

the question is when the attribute came back to the access point how come it would make that user on VLAN 21 or 20

can a single SSID work on 2 different VLANs? 
How can I configure that from the access point side?

This will only work if your ap has an option for aaa override.  This feature is usually found on controllers or ap's that function as controllers.  I don't think your ap if its standalone supports this.

-Scott
*** Please rate helpful posts ***

This can done by wlc instead of map your wlan (wlan edit) to one vlan map it to vlan-group

Group contain two vlan and radius retrun the value of vlan for each user.

Try this way

MHM

asdrewaqf
Level 1
Level 1

okay i got you, i can assure my access point is (autonomous AP, Standalone) not a controller AP and i don't have a WLC for doing the above steps:-

do u know any other ways i can use the standalone AP with dynamic VLAN assignment, or assign a single SSID to multiple VLANs based on the attributes that i can get from the Microsoft radius server

@asdrewaqf If you look at the configuration guide for the ap/code you are using, that should provide you with what you can and can't do.  Like I mentioned before, I doubt that your standalone ap can do this, because it doesn't support it.  If this is something you need, then you need to look at upgrading to something with more functionality and that is also supported.

-Scott
*** Please rate helpful posts ***

Rich R
VIP
VIP

The config guide suggests that it might be supported on the autonomous AP!
https://www.cisco.com/c/en/us/td/docs/wireless/access_point/15-3-3/configuration/guide/cg15-3-3/cg15-3-3-chap14-vlan.html#31209

Using a RADIUS Server to Assign Users to VLANs

You can configure your RADIUS authentication server to assign users or groups of users to a specific VLAN when they authenticate to the network.

Note Unicast and multicast cipher suites advertised in WPA or RSN Information Element information element (and negotiated during 802.11 association) may potentially mismatch with the cipher suite supported in an explicitly assigned VLAN. If the RADIUS server assigns a new vlan ID which uses a different cipher suite from the previously negotiated cipher suite, there is no way for the access point and client to switch back to the new cipher suite. Currently, WPA, WPA2 and CCKM protocols do not allow the cipher suite to be changed after the initial 802.11 cipher negotiation phase. In this scenario, the client device is disassociated from the wireless LAN.

The VLAN-mapping process consists of these steps:

1. A client device associates to the access point using any SSID configured on the access point.

2. The client begins RADIUS authentication.

3. When the client authenticates successfully, the RADIUS server maps the client to a specific VLAN, regardless of the VLAN mapping defined for the SSID the client is using on the access point. If the server does not return any VLAN attribute for the client, the client is assigned to the VLAN specified by the SSID mapped locally on the access point.

asdrewaqf
Level 1
Level 1

THANK YOU VERY MUCH GUYS it worked, the dynamic VLAN worked with the standalone AP with configuring any WLCs

Review Cisco Networking for a $25 gift card