12-20-2024 11:09 AM
Hello everyone. I want to place a wireless user in one VLAN or another, depending on the type of authentication, EAP-TLS or PEAP. How do I do this in the wireless part of the network?
12-20-2024 11:27 AM
On the WLC the only configuration required is "AAA override" on the WLAN. And create the appropriate VLANs. All the rest is the RADIUS server's job.
12-20-2024 01:14 PM - edited 12-20-2024 01:21 PM
The WLC needs to know which VLAN it will put the client in.
"This procedure explains how to configure VLANs on the Catalyst 9800 WLC. As explained earlier in this document, the VLAN ID specified under the Tunnel-Private-Group ID attribute of the RADIUS server must also exist in the WLC. In the example, the user smith-102 is specified with the Tunnel-Private-Group ID of 102 (VLAN = 102) on the RADIUS server."
12-20-2024 01:17 PM - edited 12-20-2024 01:23 PM
Then add two policy sets, one for EAP-TLS and the other for PEAP.
In these policy sets use the allowed protocols to permit EAP-TLS or PEAP.
In the authc and authz conditions match EAP-TLS or PEAP.
In authz use an authorization policy that accepts and sets the VLAN attribute value.
This example below shows how you can use PEAP as a condition in authc and authz:
https://sendthepayload.com/configuring-an-802-1x-wired-policy-using-peap-mschapv2-wo-mar/
MHM
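To make the two answers above concrete, here is an added illustration (my own example, not ISE, WLC or Cisco code) of the decision chain they describe: an ISE-style authorization step that matches the EAP method and returns the standard RADIUS VLAN attributes (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID), followed by the WLC-side step where AAA override decides whether that attribute is honoured and the VLAN must already exist on the controller. The VLAN numbers, usernames and the machine-membership condition are constructed for the example; only VLAN 102 for smith-102 comes from the thread.

```python
"""Model of EAP-method-based VLAN assignment: RADIUS side, then WLC side.
Added illustration, not ISE or Catalyst 9800 code."""
from dataclasses import dataclass, field

# IETF RADIUS tunnel attribute values used for dynamic VLAN assignment
# (RFC 2868 / RFC 3580): Tunnel-Type 13 = VLAN, Tunnel-Medium-Type 6 = IEEE-802.
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_802 = 6

# Assumed VLAN plan for this example (constructed): one VLAN per EAP method.
# The thread's smith-102 -> VLAN 102 mapping is kept for the EAP-TLS side.
VLAN_BY_EAP_METHOD = {
    "EAP-TLS": 102,   # certificate-based users
    "PEAP": 103,      # password-based users
}


@dataclass
class Session:
    """The subset of an 802.1X session ISE would evaluate (constructed)."""
    username: str
    eap_method: str            # in ISE this is the EapAuthentication condition
    machine_in_domain: bool = True


@dataclass
class AccessAccept:
    """RADIUS Access-Accept carrying only the attributes we care about."""
    attributes: dict = field(default_factory=dict)


def authorize(session, vlan_map=VLAN_BY_EAP_METHOD):
    """Authorization policy: pick the VLAN from the EAP method.

    Returns None for Access-Reject, otherwise an AccessAccept with the
    three tunnel attributes a WLC needs for dynamic VLAN override.
    """
    vlan = vlan_map.get(session.eap_method)
    if vlan is None:
        return None  # no matching policy set: default deny
    # Hypothetical extra condition for the certificate path: the machine must
    # still be a domain member (the thread later hits exactly this case).
    if session.eap_method == "EAP-TLS" and not session.machine_in_domain:
        return None
    return AccessAccept({
        "Tunnel-Type": TUNNEL_TYPE_VLAN,
        "Tunnel-Medium-Type": TUNNEL_MEDIUM_802,
        "Tunnel-Private-Group-ID": str(vlan),
    })


def wlc_apply(accept, aaa_override, configured_vlans, default_vlan):
    """WLC side: decide which VLAN the client lands in.

    Without AAA override the RADIUS attribute is silently ignored and the
    client gets the WLAN's default VLAN. With AAA override the returned VLAN
    must be configured on the controller; here a missing VLAN is treated as
    a hard error so the misconfiguration is visible (assumption for this
    example, real controllers fail the client in their own way).
    """
    if accept is None:
        return None  # Access-Reject: client is not admitted
    if not aaa_override:
        return default_vlan
    vlan = int(accept.attributes["Tunnel-Private-Group-ID"])
    if vlan not in configured_vlans:
        raise ValueError(f"VLAN {vlan} returned by RADIUS is not configured on the WLC")
    return vlan


if __name__ == "__main__":
    wlc_vlans = {10, 102, 103}   # constructed: VLANs defined on the controller
    for s in (Session("smith-102", "EAP-TLS"),
              Session("jones", "PEAP"),
              Session("orphan-pc", "EAP-TLS", machine_in_domain=False)):
        result = wlc_apply(authorize(s), aaa_override=True,
                           configured_vlans=wlc_vlans, default_vlan=10)
        print(f"{s.username:10} {s.eap_method:8} -> VLAN {result}")
```

The point worth keeping from the model is the two-sided check: the policy can only steer clients if the WLAN has AAA override enabled, and the VLAN it returns has to exist on the controller, which is why the first two answers each cover one half of the setup.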
12-20-2024 01:04 PM
Thank you Flavio!
But what interface or group of interfaces should I assign to this WLAN?
And why should we assign a specific VLAN?
12-20-2024 11:51 AM
Do you use ISE?
MHM
12-20-2024 01:05 PM
Yes, we do.
12-21-2024 08:01 AM
Colleagues, you were right. I've created profiles, policies, etc. Assigned an interface group to the test WLAN. Everything works! It distributes clients to the required VLANs depending on EAP-TLS or PEAP. I like it!
12-21-2024 08:06 AM
Did you match the condition as I suggested?
MHM
12-21-2024 08:20 AM
On the test laptop, I found that it had fallen off the Active Directory domain and cannot pass machine authentication. But if I disable the machine's domain membership in the Authorization Policy, then this problematic laptop successfully connects to the network. I thought that EAP-TLS requires checking the machine first, then the user, and there is no way to change this protocol behavior.
12-23-2024 02:56 AM
EAP-TLS authenticates whatever you set up in the wireless profile.
For Windows, by default, it is machine authentication only, but if you change it to User OR Machine it will do the Machine cert first on the login screen, and then it will re-authenticate using the User cert after a successful log in.
12-21-2024 08:20 AM
Yes, exactly.