Buy or Renew
Buy or Renew
Cisco Virtual Engineer generative AI bot now active in Wireless Discussion Forum. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
601
Views
0
Helpful
9
Replies

Cisco av-pairs SSID vs Dynamic Vlan Assignment

Konstantin Kabassanov
Level 1
Level 1

‎01-14-2015 03:54 AM - edited ‎07-05-2021 02:16 AM

Hello,

Once upon a time, there was a Cisco av-pairs attribute to allow a Wireless user to a given SSID through Radius servers.

If I'm not wrong, this feature has not been supported anymore (for several years) on WLC.

Dynamic vlan assignment is an alternative way to control user acces to a given vlan. It simplifies the architecture, because only one SSID is needed and the user traffic is then redirected to the right vlan. But... There is an important issue with it, since only one SSID (and BSSID) is used, broadcast packets from all vlans are transmitted to everybody. It is an issue when some services use broadcast to announce their features (IPv6 autoconf, Bonjour, and so on...).

So the question is if a working alternative to SSID av-pairs exists.

Thanks.     

Labels:
0 Helpful
9 Replies 9

Scott Fella
Hall of Fame
Hall of Fame

‎01-14-2015 04:25 AM

To be honest, I have never heard of this SSID av-pair ever working in wireless:)

You would need at least two ssids and the radius server would need to ability to send a CoA to dissassociate the device so that the device would join the other SSID. The radius server would also have to push out the wireless profile to the client for the SSID they need to associate to. This can be done using Cisco ISE, but not Microsoft radius or even Cisco ACS.  

You can still use aaa overuse to place devices on specific vlans and use the WLC to allow bonjour or  ACLs to filter what you don't want going out of the vlan.  WLC has bonjour capabilities and thus you can specify that on the interface and not on the WLAN.  If course their are limitations, but with newer requirements means that there is no one answer.  You might be able to meet certain requirements, but other you will have to sort of figure out.  

-Scott

-Scott
*** Please rate helpful posts ***
0 Helpful

Konstantin Kabassanov
Level 1
Level 1
In response to Scott Fella

‎01-15-2015 09:51 AM

Scott, SSID av-pair worked pretty well on autonomous APs. User is simply allowed to associate or not if the SSID network he tries to connect to is the same as the one in the av-pair...

0 Helpful

Scott Fella
Hall of Fame
Hall of Fame
In response to Konstantin Kabassanov

‎01-15-2015 10:47 AM

That is called-station-id on the radius policy.

-Scott

-Scott
*** Please rate helpful posts ***
0 Helpful

Konstantin Kabassanov
Level 1
Level 1
In response to Scott Fella

‎01-15-2015 11:10 AM

Pardon?

The called-station-id is the AP on which the client tries to connect to. It receives a reply from radius server with eventually the av-pair: "SSID=MySSID". Then it tries to match this SSID with the one the client tries to use, and if success then it allows the connection.

 

Konstantin  

0 Helpful

Scott Fella
Hall of Fame
Hall of Fame
In response to Konstantin Kabassanov

‎01-15-2015 11:33 AM

From what you mentioned here, "User is simply allowed to associate or not if the SSID network he tries to connect to", called-station-id can be used.  yes the AP sends the information to radius and your policy can send and accept or reject based off of the rules, which includes the called-station-id.  Again, I don't know of any av-pair that switches SSID's.

-Scott

-Scott
*** Please rate helpful posts ***
0 Helpful

Viten Patel
Cisco Employee
Cisco Employee

‎01-15-2015 07:15 AM

Hi,

i dont necessarily agree that all broadcast traffic from all vlans will be forwarded to all other vlans.

wondering if you have a over the air sniff to show that.

you can enable igmp snooping to at least limit the forwarding of multicast traffic to only desired clients over the air.

0 Helpful

Konstantin Kabassanov
Level 1
Level 1
In response to Viten Patel

‎01-15-2015 08:24 AM

Viten,

My concern is over the air. Since the bssid remains the same for all clients and the destination ethernet address is the broadcast one, there is no way (IMHO) to ignore packets from a vlan the client does not belong to... Typically IPv6 RAs...

0 Helpful

Viten Patel
Cisco Employee
Cisco Employee
In response to Konstantin Kabassanov

‎01-15-2015 08:26 AM

Hi, but how many clients are you expecting on a single AP radio?

 

also, you can have ACLs to block the broadcast if you want to ignore that traffic.

0 Helpful

Konstantin Kabassanov
Level 1
Level 1
In response to Viten Patel

‎01-15-2015 09:48 AM

Even with only 2 clients, if they are on different vlans, they will both take broadcast trafic from the 2 vlans (IPv6 autoconf for instance and they will create their ipv6 addresses on both networks)).

Let's say we are talking about "multicast" traffic. It is rather difficult to block it completely, and on the other hand you can see all the time similar services using not unicast addresses on multiple vlans.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card