Due to some circumstances I have to provide dynamic VLAN assignment for one SSID. There are different user groups within this SSID and one particular group (users are part of a special Windows domain) must be moved to special VLANs. Furthermore I want to keep the broadcast domains small (we are talking of 2000 people in a building with 8 floors). And the last fact is that I use AP groups because I have to provide several SSIDs in different areas. Up to now (without dynamic assignment) I simply moved the SSID within each AP group to a different VLAN.
Moreover I only get one attribute from the RADIUS server for all users that have to use dynamic VLAN assignment. So at the end: the RADIUS server provides one attribute and this must be mapped on the controller to different VLANs.
Is there any "best" feature I can use for that?
I found these options:
Is there any other, better possibility?
br + thx
If your Radius server allows it, you could make an algorithm on it that issues a vlan number based on userid. We convert all characters in the userid to numbers and boil this down to a vlan number, so every user will always get the same vlan, regardless of the SSID or AP Group.
Thanks for your answer.
In our situation it doesn't help us if one client always gets the same VLAN, no matter where he is. Every client within a special area (per floor) should get the same VLAN. On another floor he should get a different one.
I know: in theory we could build up a database on the RADIUS server and, depending on the location, the VLAN is sent back. But this is a very complex solution I want to avoid. It is only "allowed" to solve the problem on the WLC GUI/CLI ;-)
Nevertheless this is an interesting solution, maybe useful for other approaches. Which RADIUS server are you using?
We use Radiator. The algorithm I mentioned is written in Perl.
You could write a similar algorithm to issue vlan numbers based on the access point's MAC address instead of the userid. The wireless controllers report this MAC to the Radius server in authentication requests.
I went with using FlexConnect and aaa-override. Then our radius-server (NPS on Win2012r2) sends back the VLAN depending on which Active Directory group the user is located in. Works like a charm!
VLAN100 - Regular clients
VLAN200 - Special clients
SSID - CompanyX
Alice is a regular client and Bob is a special client.
Alice walks into the office and connects to SSID CompanyX, the radius-server checks the active directory and sees that Alice is a regular client due to the AD-group she belongs to and sends back vlan100 as a response and Alice gets to join vlan100. Later Bob walks into the office and also connects to SSID CompanyX, the radius-server sees that Bob is in the special AD-group and sends back vlan200. Bob gets put on vlan200.