Cisco WLC 9800: assign an SSID with realm VLAN

Hello everyone,
I have a question regarding 802.1x and realms on a C9800 on 16.12.03.
I would like to have an SSID for all users who want to join the realm user@test.com in vlan 10.
This works as well, the Authentication with an accept lets the client join.
But now I would like to have the same SSID for the clients with the realm user@other.test.com only in vlan 11.
Other users with user@other2.test.com in vlan 12 and so on.

Does the VLAN have to come from the Free Radius Server, or is an accept from the Radius Server enough?
Is it possible to choose in which VLAN the client should be connected via the Cisco 9800 Controller (a rule that changes realms to vlan)?

 

Is there a term that explains this procedure?
I have seen this procedure on a WISM2, but I don't know what it is called.
I also don't know if the VLAN assignment of the realm is sent by the Free Radius server.

 

Thanks a lot

Scott Fella
Hall of Fame
VLAN assignment always comes from the RADIUS server. If the RADIUS server supports that to AireOS then you are good. I worked with ISE and also Microsoft NPS back in the day, and it's the rules that you specify that will allow you to differentiate between the username in your case. The use of regex in the policies is what you need. You might want to hit up the forum for the RADIUS server you are using to get a better idea of how to implement that on their solution.
-Scott
*** Please rate helpful posts ***

Hi, Scott,
thank you for your quick response.
I thought it was important to mention.
Of course the trunk must have the VLAN you want to use.
And I think the function "AAA Override" must be activated as well, I'll test this in a moment.

Many greetings

AAA override is required if you plan on accepting changes provided by the RADIUS server. Without that enabled, the controller will not accept any change that the RADIUS server sends.
-Scott
*** Please rate helpful posts ***
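
Added example, not part of the thread: one way to write the regex rule and VLAN return described in the replies above, as a FreeRADIUS 3.x unlang fragment. The realms and VLAN IDs are the ones from the question; placing it in the post-auth section of the virtual server that serves the controller, and rejecting unknown realms, are assumptions.

```unlang
# Added example (not from the thread). Insert inside the existing
# post-auth { ... } section of the virtual server that answers the
# controller's requests (assumption: sites-enabled/default).
#
# Each pattern is anchored with "@" in front and "$" at the end.
# An unanchored /test\.com/ would also match other.test.com and
# other2.test.com, and every client would land in VLAN 10.

if (&User-Name =~ /@test\.com$/i) {
    update reply {
        # RFC 3580 attributes the controller reads for dynamic VLANs
        Tunnel-Type := VLAN
        Tunnel-Medium-Type := IEEE-802
        Tunnel-Private-Group-Id := "10"
    }
}
elsif (&User-Name =~ /@other\.test\.com$/i) {
    update reply {
        Tunnel-Type := VLAN
        Tunnel-Medium-Type := IEEE-802
        Tunnel-Private-Group-Id := "11"
    }
}
elsif (&User-Name =~ /@other2\.test\.com$/i) {
    update reply {
        Tunnel-Type := VLAN
        Tunnel-Medium-Type := IEEE-802
        Tunnel-Private-Group-Id := "12"
    }
}
else {
    # Assumption: an unknown realm is refused instead of falling
    # through to the VLAN configured on the WLAN's policy profile.
    reject
}
```

The controller only applies these attributes when AAA override is enabled and the VLANs exist on its trunk, as noted in the thread. With PEAP or EAP-TTLS the `User-Name` seen here is the outer identity, which the client chooses freely, so if the VLAN is a security boundary make the same decision on the inner identity in the inner-tunnel server.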