Solved: Is it possible to allocate dynamic VLANs on a per-user basis in an EWC environment?

Translator · ‎10-05-2025

In the C9100 series EWC environment, I would like to dynamically assign a VLAN to each user (group) registered with the Radius server (Windows NPS). In the verification environment, VLAN information, etc. are passed from Radius to EWC in AVP, but client communication is not assigned to the specified VLAN. There were some examples in WLC9800, but can the setting work without problems in EWC?

Translator · ‎10-06-2025

Although it has been some time since the time of the inquiry, the information will be described as reference.

(1) It is better to check how the AVP (Attribute Value Pair) that the NPS of the Windows Server is trying to pass.
The following is the information of the AVP when specifying VLAN ID: 123 in the Authorization Profile for Dynamic VLAN in Cisco ISE.

Access Type = ACCESS_ACCEPT
Tunnel-Private-Group-ID = 1:123
Tunnel-Type = 1:13
Tunnel-Medium-Type = 1:6

(2) Since the EWC is running on the FlexConnect Local Switching, the VLAN definition on the wireless AP side must be performed on the Flex Profile.
(In the Cisco IOS-XE system, there is a vlan command, but it is the VLAN tab of the Flex Profile that defines the VLAN on the wireless AP side.) )
If the VLAN does not exist, you will see errors related to VLAN allocation failure in the log.

(3) You also need to enable AAA Override in Policy Profile to allow VLAN ID override.

Regarding the setting of Dynamic VLAN, the following is a reference in the Japanese translation document.

Configuring Dynamic VLAN Allocation Using ISE and Catalyst 9800 Wireless LAN Controllers - Cisco
https://www.cisco.com/c/ja_jp/support/docs/wireless-mobility/wlan-security/217043-configure-dynamic-vlan-assignment-with-c.html

Also, I would like to add a link to the video of Mr. Minoura.

[Cisco ISE Capture Series] Dynamic VLAN - Wireless LAN (FlexConnect) [CCIE 5] - YouTube
https://www.youtube.com/watch?v=WlsMEU-8Mmw

View solution in original post

balaji.bandi · ‎10-05-2025

check the docs for Limitation :

https://www.cisco.com/c/en/us/products/collateral/wireless/catalyst-9800-series-wireless-controllers/guide-c07-744299.html

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Rich R · ‎10-06-2025

The example used here https://www.cisco.com/c/en/us/products/collateral/wireless/embedded-wireless-controller-catalyst-access-points/white-paper-c11-743398.html is using VLAN override so it should work. The guide in the previous reply is for EWC on Catalyst Switch.

------------------------------
Please click Helpful if this post helped you and Accept as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's and TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's, Best Practices for 9800 WLC's and Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390

Translator · ‎10-06-2025

Although it has been some time since the time of the inquiry, the information will be described as reference.

(1) It is better to check how the AVP (Attribute Value Pair) that the NPS of the Windows Server is trying to pass.
The following is the information of the AVP when specifying VLAN ID: 123 in the Authorization Profile for Dynamic VLAN in Cisco ISE.

Access Type = ACCESS_ACCEPT
Tunnel-Private-Group-ID = 1:123
Tunnel-Type = 1:13
Tunnel-Medium-Type = 1:6

(2) Since the EWC is running on the FlexConnect Local Switching, the VLAN definition on the wireless AP side must be performed on the Flex Profile.
(In the Cisco IOS-XE system, there is a vlan command, but it is the VLAN tab of the Flex Profile that defines the VLAN on the wireless AP side.) )
If the VLAN does not exist, you will see errors related to VLAN allocation failure in the log.

(3) You also need to enable AAA Override in Policy Profile to allow VLAN ID override.

Regarding the setting of Dynamic VLAN, the following is a reference in the Japanese translation document.

Configuring Dynamic VLAN Allocation Using ISE and Catalyst 9800 Wireless LAN Controllers - Cisco
https://www.cisco.com/c/ja_jp/support/docs/wireless-mobility/wlan-security/217043-configure-dynamic-vlan-assignment-with-c.html

Also, I would like to add a link to the video of Mr. Minoura.

[Cisco ISE Capture Series] Dynamic VLAN - Wireless LAN (FlexConnect) [CCIE 5] - YouTube
https://www.youtube.com/watch?v=WlsMEU-8Mmw

srimal99 · ‎10-07-2025

Old community post about Winodws NPS dynamic vlan assignment
https://community.cisco.com/t5/wireless/dynamic-vlan-assignment-with-mobilityexpress-in-windows-radius/td-p/4117266