03-18-2016 03:08 AM - edited 07-05-2021 04:48 AM
Hello,
Due to some circumstances I have to provide dynamic VLAN assignment for one SSID. There are different user groups within this SSID, and one particular group (users are part of a special Windows domain) must be moved to special VLANs. Furthermore I want to keep the broadcast domains small (we are talking of 2000 people in a building with 8 floors). And the last fact is that I use AP groups because I have to provide several SSIDs in different areas. Up to now (without dynamic assignment) I simply moved the SSID within each AP group to a different VLAN.
Moreover I only get one attribute from the RADIUS server for all users that have to use dynamic VLAN assignment. So at the end: the RADIUS server provides one attribute and this must be mapped on the controller to different VLANs.
Is there any "best" feature I can use for that?
I found these options:
Is there any other, better possibility?
br + thx
03-21-2016 06:03 AM
If your Radius server allows it, you could make an algorithm on it that issues a vlan number based on userid. We convert all characters in the userid to numbers and boil this down to a vlan number, so every user will always get the same vlan, regardless of the SSID or AP Group.
03-22-2016 01:20 AM
Thanks for your answer.
In our situation it doesn't help us if one client always gets the same VLAN, no matter where he is. Every client within a special area (per floor) should get the same VLAN. On another floor he should get a different one.
I know: in theory we could build up a database on the RADIUS server and, dependent on the location, the VLAN is sent back. But this is a very complex solution I want to avoid. It is only "allowed" to solve the problem on the WLC GUI/CLI ;-)
Nevertheless this is an interesting solution, maybe useful for other approaches. Which RADIUS server are you using?
03-22-2016 01:42 AM
We use Radiator. The algorithm I mentioned is written in Perl.
You could write a similar algorithm to issue vlan numbers based on the access point's MAC address instead of the userid. The wireless controllers report this MAC to the Radius server in authentication requests.
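As an added example (not code from the thread and not Radiator's Perl), here is the kind of deterministic identifier-to-VLAN mapping the post describes, in Python: a userid, or the AP MAC taken from the RADIUS Called-Station-Id attribute, is mapped to one VLAN of a fixed pool, so the same input always yields the same VLAN. The VLAN pool, the per-AP table and the Called-Station-Id format `<AP MAC>:<SSID>` (the Cisco WLC default) are assumptions for this example; a per-AP lookup table is added for the per-floor case the original poster asked about, with hashing only as the fallback for unknown APs.

```python
import hashlib
import re

# Constructed VLAN pool: the VLANs trunked to the controller for this SSID.
VLAN_POOL = (101, 102, 103, 104)

# Constructed per-AP table for the "AP MAC instead of userid" variant:
# every AP on a floor points at that floor's VLAN. Unknown APs fall back to hashing.
AP_VLAN_TABLE = {
    "00-11-22-33-44-01": 101,   # floor 1 (constructed MAC)
    "00-11-22-33-44-02": 102,   # floor 2 (constructed MAC)
}

# Assumption: Called-Station-Id looks like '<AP MAC>:<SSID>', MAC with ':' or '-'.
_CSID_RE = re.compile(r"^((?:[0-9a-f]{2}[-:]){5}[0-9a-f]{2})(?::(.*))?$", re.I)


def normalize_user(user):
    """DOMAIN\\alice, alice@domain and ALICE all map to 'alice'."""
    user = user.strip().lower()
    if "\\" in user:
        user = user.rsplit("\\", 1)[1]
    if "@" in user:
        user = user.split("@", 1)[0]
    return user


def split_called_station_id(csid):
    """Return (ap_mac, ssid); the MAC is canonicalized to 'aa-bb-cc-dd-ee-ff'."""
    m = _CSID_RE.match(csid.strip())
    if not m:
        raise ValueError("Called-Station-Id does not start with an AP MAC")
    mac = re.sub(r"[:-]", "-", m.group(1)).lower()
    return mac, m.group(2)


def vlan_from_key(key, pool=VLAN_POOL):
    """Deterministically 'boil down' any identifier to one VLAN of the pool.
    SHA-256 is used instead of summing character codes so that near-identical
    ids (alice1/alice2, anagrams) do not collide and the spread is even."""
    if not key:
        raise ValueError("empty key")
    digest = hashlib.sha256(key.encode("utf-8")).digest()
    return pool[int.from_bytes(digest[:4], "big") % len(pool)]


def vlan_for_user(user_name, pool=VLAN_POOL):
    """Same VLAN for a user regardless of SSID or AP group."""
    return vlan_from_key(normalize_user(user_name), pool)


def vlan_for_called_station_id(csid, table=AP_VLAN_TABLE, pool=VLAN_POOL):
    """Per-AP VLAN: known APs use the floor table, unknown APs are hashed."""
    mac, _ssid = split_called_station_id(csid)
    return table.get(mac) or vlan_from_key(mac, pool)


if __name__ == "__main__":
    print("alice ->", vlan_for_user("COMPANYX\\Alice"))
    print("AP on floor 2 ->", vlan_for_called_station_id("00-11-22-33-44-02:CompanyX"))
```

The userid normalization matters in practice: if the same person authenticates as `DOMAIN\alice` on one day and `alice@domain` on another, a naive hash of the raw string would put her on two different VLANs.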
03-22-2016 01:47 AM
We use the same RADIUS server.
As mentioned: this is too complex for us (due to lack of resources). But I keep it in mind.
03-30-2016 06:37 AM
I went with using FlexConnect and aaa-override. Then our radius-server (NPS on Win2012r2) sends back the VLAN depending on which Active Directory group the user is located in. Works like a charm!
Example:
VLAN100 - Regular clients
VLAN200 - Special clients
SSID - CompanyX
Alice is a regular client and Bob is a special client.
Alice walks into the office and connects to SSID CompanyX, the radius-server checks the active directory and sees that Alice is a regular client due to the AD-group she belongs to and sends back vlan100 as a response and Alice gets to join vlan100. Later Bob walks into the office and also connects to SSID CompanyX, the radius-server sees that Bob is in the special AD-group and sends back vlan200. Bob gets put on vlan200.
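The reply exchange described in this post, as an added example that is not part of the thread and not NPS's own code: the group-to-VLAN policy is evaluated in order (special group first, the way NPS network policies are processed), and the result is encoded as the three RFC 2868 tunnel attributes a controller with aaa-override acts on (Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802, Tunnel-Private-Group-ID=<vlan>). The group DNs, VLAN numbers and user names are constructed; the decoder shows the consistency checks (all three attributes present, same tag, VLAN in 1..4094) that the controller side needs before it trusts an override.

```python
import struct

# RADIUS attribute numbers and values (RFC 2868 / RFC 3580).
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE802 = 6

# Constructed policy, ordered like NPS network policies: first match wins,
# so a user who is in both groups is treated as "special".
GROUP_POLICY = (
    ("CN=WLAN-Special,OU=Groups,DC=companyx,DC=local", 200),
    ("CN=WLAN-Regular,OU=Groups,DC=companyx,DC=local", 100),
)

# Constructed directory data for the two users in the post.
MEMBER_OF = {
    "alice": ["CN=WLAN-Regular,OU=Groups,DC=companyx,DC=local"],
    "bob": ["CN=WLAN-Special,OU=Groups,DC=companyx,DC=local",
            "CN=WLAN-Regular,OU=Groups,DC=companyx,DC=local"],
}


def vlan_for_groups(member_of, policy=GROUP_POLICY):
    """AD group membership -> VLAN, or None when no policy matches
    (then no override is sent and the WLAN's own interface/VLAN applies)."""
    groups = {g.lower() for g in member_of}
    for group_dn, vlan in policy:
        if group_dn.lower() in groups:
            return vlan
    return None


def _avp(attr_type, payload):
    # RADIUS AVP layout: type(1) length(1, includes the 2 header bytes) value.
    if len(payload) + 2 > 255:
        raise ValueError("AVP too long")
    return struct.pack("BB", attr_type, len(payload) + 2) + payload


def encode_vlan_override(vlan, tag=1):
    """The three tunnel attributes for a VLAN override; all carry one tag byte."""
    if not 1 <= vlan <= 4094:
        raise ValueError("VLAN id out of range")
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag out of range")
    tag_b = bytes([tag])
    return (_avp(TUNNEL_TYPE, tag_b + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
            + _avp(TUNNEL_MEDIUM_TYPE, tag_b + TUNNEL_MEDIUM_IEEE802.to_bytes(3, "big"))
            + _avp(TUNNEL_PRIVATE_GROUP_ID, tag_b + str(vlan).encode("ascii")))


def parse_avps(data):
    """Split a run of AVPs into (type, value) pairs; malformed lengths raise."""
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated AVP header")
        t, ln = data[i], data[i + 1]
        if ln < 2 or i + ln > len(data):
            raise ValueError("bad AVP length")
        out.append((t, data[i + 2:i + ln]))
        i += ln
    return out


def decode_vlan_override(data):
    """Controller-side check: return the VLAN id only if all three tunnel
    attributes are present, tagged consistently and say 'VLAN over 802';
    otherwise None (no override applied)."""
    wanted = (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID)
    tunnel = {t: v for t, v in parse_avps(data) if t in wanted}
    if len(tunnel) != 3:
        return None
    values = list(tunnel.values())
    if any(len(v) < 2 or v[0] > 0x1F for v in values):
        return None                      # untagged or empty attribute
    if len({v[0] for v in values}) != 1:
        return None                      # tags differ: attributes do not belong together
    if int.from_bytes(tunnel[TUNNEL_TYPE][1:], "big") != TUNNEL_TYPE_VLAN:
        return None
    if int.from_bytes(tunnel[TUNNEL_MEDIUM_TYPE][1:], "big") != TUNNEL_MEDIUM_IEEE802:
        return None
    try:
        vlan = int(tunnel[TUNNEL_PRIVATE_GROUP_ID][1:].decode("ascii"))
    except (UnicodeDecodeError, ValueError):
        return None
    return vlan if 1 <= vlan <= 4094 else None


def access_accept_vlan(user):
    """End to end: look the user up, pick a VLAN, encode it, and re-check it."""
    vlan = vlan_for_groups(MEMBER_OF.get(user, []))
    if vlan is None:
        return None
    return decode_vlan_override(encode_vlan_override(vlan))


if __name__ == "__main__":
    for name in ("alice", "bob", "carol"):
        print(name, "->", access_accept_vlan(name))
```

With aaa-override enabled the controller applies whatever VLAN comes back, so the policy ordering on the RADIUS side is where the "special beats regular" decision is made; the decoder's range and tag checks are what keep a malformed or partial reply from landing a client on an unintended VLAN.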