
NPS

Pedro Kei
Level 1

We have the following wireless VLANs in the company.

Main Office

VLAN 20 - Sales
VLAN 30 - Managers
VLAN 40 - Other Staff

Branch Offices

VLAN 40 - Other Staff
VLAN 50 - Warehouse

We have a main office and 4 branch offices. The sales staff mostly work in the Head Office but sometimes do go to Branch offices. When the Sales staff is in the Head Office, I would like them to always connect to VLAN 20 but when travelling to Branch Offices, I want them connecting to VLAN 40 but not when they are at the Head Office. I am planning to authenticate wireless users using Windows NPS and I am trying to see if there is a way to do this using Tunnel-Pvt-Group-ID where Sales is assigned to VLAN 20 while at Head Office and VLAN 40 while at Branch offices.

6 Replies

Scott Fella
Hall of Fame

Your best bet is to look at the logs when they connect in the main office and see what variables are available to use. That way you can differentiate between the main office and the branch office. Of course there is more setup required because you have to send the VLANs back and validate that it's working. There are some good Windows NPS docs, blogs and videos that folks have done way back when. That is where I would start... I stopped using NPS a very long time ago.

https://mikepembo.wordpress.com/2016/11/07/dynamic-vlan-assignment-cisco-and-nps/

-Scott
*** Please rate helpful posts ***

I don't think this answers or points me in the direction I want to go.

You are using NPS, correct? If you want to be able to have one controller and dictate what SSID is mapped to what VLAN, then you need to look at dynamic VLAN. Unless you have a controller in each site, then you just set the SSID to the VLAN you want.

Keep in mind, you never mentioned what equipment you have and your design.

-Scott
*** Please rate helpful posts ***

Let me add a few details for more clarity. We are using Meraki APs in all the locations. Doing MAC-based authentication on a single SSID and the NPS RADIUS server is set up and working well. My only dilemma is the situation I stated above. Is there a way to resolve that?

 

Since you are using Meraki, what I can say is you can create templates for each site where an SSID is mapped to a VLAN. If you want to use dynamic VLANs, then you need to look at this:
https://documentation.meraki.com/General_Administration/Cross-Platform_Content/VLAN_Profiles

-Scott
*** Please rate helpful posts ***

Pedro Kei
Level 1

I don't think this answers or points me in the direction I want to go.
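
The location-dependent VLAN assignment discussed in this thread, as an added example that is not part of any post above and is not NPS or Meraki configuration: a Python model of ordered, first-match RADIUS policies that key on group membership plus the RADIUS client (AP) address and return the three tunnel attributes used for dynamic VLANs. The subnets, the use of the NAS IP address as the site discriminator, and the group names as policy conditions are assumptions; the VLAN numbers come from the question.

```python
import ipaddress

# Standard attribute values for dynamic VLAN assignment (RFC 2868 / RFC 3580).
TUNNEL_TYPE_VLAN = 13      # Tunnel-Type = VLAN
TUNNEL_MEDIUM_802 = 6      # Tunnel-Medium-Type = 802

# Constructed addressing (assumption): AP management subnets per location.
# Use whatever distinguishing value the authentication logs actually show.
HEAD_OFFICE = [ipaddress.ip_network("10.1.0.0/16")]
BRANCHES = [ipaddress.ip_network(f"10.{n}.0.0/16") for n in (11, 12, 13, 14)]

# Ordered policies: (name, required group, allowed NAS networks, VLAN).
# Order matters: the first policy whose conditions all match wins.
POLICIES = [
    ("Sales at head office", "Sales", HEAD_OFFICE, 20),
    ("Sales at branch", "Sales", BRANCHES, 40),
    ("Managers at head office", "Managers", HEAD_OFFICE, 30),
    ("Other staff anywhere", "Other Staff", HEAD_OFFICE + BRANCHES, 40),
    ("Warehouse at branch", "Warehouse", BRANCHES, 50),
]

def evaluate(groups, nas_ip):
    """Return the Access-Accept attributes for the first matching policy,
    or None (treated as Access-Reject) when nothing matches."""
    addr = ipaddress.ip_address(nas_ip)
    for name, group, networks, vlan in POLICIES:
        if group in groups and any(addr in net for net in networks):
            return {
                "policy": name,
                "Tunnel-Type": TUNNEL_TYPE_VLAN,
                "Tunnel-Medium-Type": TUNNEL_MEDIUM_802,
                "Tunnel-Private-Group-ID": str(vlan),  # sent as a string
            }
    return None  # fail closed: unknown site or group gets no VLAN

if __name__ == "__main__":
    # Constructed requests: same Sales account seen from two locations.
    for ip in ("10.1.5.10", "10.12.0.7", "192.0.2.1"):
        print(ip, evaluate({"Sales"}, ip))
```

Because no policy matches a request from an address outside the listed subnets, a device presenting from an unexpected RADIUS client is rejected rather than dropped into a default VLAN.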
