Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
480
Views
0
Helpful
3
Replies

Dynamic VLAN running from WLC9800 (No ISE) - with Freeradius

eeebbunee
Level 3
Level 3

‎11-13-2025 01:58 PM

Hello Professionals,

I'm testing multiple VLANs running from 1 SSID on my lab and there's what I'm currently stuck. If you could provide me an idea, it would very appreciate. Here's my lab.

- WLC9800
 SSID: Corp (WPA2/3 Enterprise - 802.1X, 802.1X+SHA256) - AAA: RADIUS
 Profile to be tagged: ???
 
- RADIUS 
 (Freeradius 3.0) EAPTLS configured 
 Two certificates = ACCT_USER, HR_USER issued
 Radius decide VLAN information per client's certificates.  

# ACCT USER VLAN 50
acct_user Auth-Type := EAP
acct_user Tunnel-Type := VLAN
acct_user Tunnel-Medium-Type := IEEE-802
acct_user Tunnel-Private-Group-ID := "50"

# HR USER VLAN 90
hr_user Auth-Type := EAP
hr_user Tunnel-Type := VLAN
hr_user Tunnel-Medium-Type := IEEE-802
hr_user Tunnel-Private-Group-ID := "90"

- Goal: Accounting/HR employees are connecting to 'Corp' wifi, but they will get different IP subnet. (1 SSID, Dynamic VLAN)
  - Accounting team IP after connected Corp: 10.10.50.0/24
  - HR team IP after connected Corp: 10.10.90.0/24

In order to meet my goal, which profile I need to configure? 
If I'm right, SSID: Corp surely needs two VLANs with two different DHCP server IPs. 

Thank you for your time.

Labels:
0 Helpful
3 Replies 3

Mark Elsen
Hall of Fame
Hall of Fame

‎11-14-2025 12:12 AM

 

    - @eeebbunee   Checkout : https://www.reddit.com/r/networking/comments/qmxp9d/cisco_wlc_9800_coa_vlan_assignment_from_freeradius/

  M.



-- Let everything happen to you  
       Beauty and terror
      Just keep going    
       No feeling is final
Reiner Maria Rilke (1899)
0 Helpful

srimal99
Level 1
Level 1

‎11-27-2025 12:49 AM

Personally have not worked with Freeradius, but is there an option to define the authorization policy to define users and set configure override policy for vlan 90 (HR).Similar to link below 
https://www.cisco.com/c/en/us/support/docs/wireless-mobility/wlan-security/217043-configure-dynamic-vlan-assignment-with-c.html#:~:text=Contents,have%20knowledge%20of%20these%20topics:

What is configure on the switch vlan where aps are connecting.

0 Helpful

srimal99
Level 1
Level 1

‎11-27-2025 01:05 AM

Have you consider configuring vxlan for new set up with Spine and leafe architecture.Have you raise a tac case with Cisco ?
If interested see link below:
https://www.cisco.com/c/en/us/support/docs/switches/nexus-9000-series-switches/118978-config-vxlan-00.html

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card