cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
673
Views
0
Helpful
5
Replies

Dynamic VLANs

ross.morrison
Level 1
Level 1

Is there any way to dynamically assign a vlan when a guest user associates with an AP.

Using Wireless lan controller.

I understand this is possible using ACS to assign the vlan dynamically but that requires a username and password to be input.

What I have in mind is for guest access but for each "guest" to be put into a seperate vlan without them having to configure any settings.

5 Replies 5

alinn
Cisco Employee
Cisco Employee

Hello Ross,

There is a solution called AP Group VLAN and this will put all clients on an APs in the group to be assigned to a certain vlan. Explained in detail here:

http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008073c723.shtml

But this requires two different sets of APs. Otherwise you will need to user the AAA Override feature ,which as you mentioned, requires a username/password.

Hope this helps.

Regards,

Aaron

Thanks Aaron.

Its not quite what we are looking for though.

We want each guest user to be put into their own seperate vlan, the first user would go in vlan11, user 2 would go in vlan12, user 3 would go in vlan 13 etc etc

Hi Ross,

You can configure something like AAA override where as per the user identity VLAN will be assigned via the Radius server.

For suppose your user with name XXX logs in , it will check the Radius server and if radius server is configured to return the intarface name it will return this as an attribute and if that interface is created on your controller mapped to some vlan your user XXX will be assigne dto that VLAN only.

Check this link for more details

http://www.cisco.com/univercd/cc/td/doc/product/wireless/control/c44/ccfig40/c40sol.htm#wp1124844

HTH

Ankur

Besides VLANs if all your looking for is LAN segmentation (guest user isolation) you can enable one VLAN to use the Public Secure Packet Forwarding under the VLAN services tab on your APs. Each client is then fully segmented. As per Cisco's doc's on the matter:

Public Secure Packet Forwarding

Public Secure Packet Forwarding (PSPF) prevents client devices associated to an access point from inadvertently sharing files or communicating with other client devices associated to the access point. It provides Internet access to client devices without providing other capabilities of a LAN.

No exchange of unicast, broadcast, or multicast traffic occurs between protected ports. Choose Enable so that the protected port can be used for secure mode configuration.

PSPF must be set per VLAN.

Note: To prevent communication between clients associated to different access points on your wireless LAN, you must set up protected ports on the switch to which your access points are connected.

/gjr

naveen_b81
Level 1
Level 1

You can create a VLAN, and map a SSID to that VLAN and disable authentication for it for guest users.

Review Cisco Networking for a $25 gift card