One SSID with multiple VLANS

gcook0001
Level 1

I am trying to setup a single SSID with multiple VLANS but I can't seem to be able to get it to work. I have no issue with a single SSID with a single vlan.

I am running 5 AP2802I access points with one running Mobility Express. Everything is on the latest software version, 8.10.151.0.

I am using Server 2019 NPS for authentication

Profile Name: test

SSID: test

Admin State: enabled

Radius Compatibility: Cisco ACS

Security Type: WPA2Enterprise

Authentication Server: External Radius

Client IP Management: Network

Native VLAN ID: 300

Use VLAN Tagging: No  (I have also used yes here)

DHCP Scope: None

VLAN ID: 290

VLAN Name: manag    VLAN ID: 300

VLAN Name: Guest    VLAN ID: 307

VLAN Name: Corp     VLAN ID: 290

VLAN Name: IT       VLAN ID: 291

Allow AAA Override: no (I have also tried enabling this)

 

Switch - CS3850

template WIRELESS-ACCESS-POINTS
 switchport trunk native vlan 300
 switchport trunk allowed vlan 290,291,300,307
 switchport mode trunk
!
interface GigabitEthernet1/0/1
 source template WIRELESS-ACCESS-POINTS
!
interface Vlan290
 ip address 172.50.50.1 255.255.255.0
!
interface Vlan291
 ip address 172.10.10.10 255.255.255.224
 ip helper-address 172.50.50.19
 ip helper-address 172.50.50.20

NPS Server

Tunnel-Medium-Type: 802

Tunnel-Private-Group-ID: 291

Tunnel-Type: Virtual LANs (VLAN)

 

I know the authentication is working as I can connect and it is using the correct Network Policy. The issue is that it always defaults to vlan 290 unless I specifically enter 291 as the vlan for the WLAN. I am not sure what I am doing wrong or missing. The goal is to have one SSID with 8 VLANs, one for each department.

 

5 Replies

You have to enable "AAA override" and then write a policy on NPS to return the correct VLAN depending on the group of users.

HTH
Rasika
*** Pls rate all useful responses ***

I have AAA override enabled. I also have the settings mentioned above on the NPS server.

NPS Server

Tunnel-Medium-Type: 802

Tunnel-Private-Group-ID: 291

Tunnel-Type: Virtual LANs (VLAN)

 

The settings are made in the NPS Network Policy that I am using for testing. When I check the logs I do see that I am using the correct policy. Also, I am using computer certificates for authentication if that makes a difference. 

Rich R
VIP

Exactly as @Rasika Nayanajith says - you need a method for assigning a user to a VLAN, and that is done via RADIUS AAA override.
Also note that current latest is in fact 8.10.171.0 which is what TAC recommends as per
https://www.cisco.com/c/en/us/support/docs/wireless/wireless-lan-controller-software/200046-tac-recommended-aireos.html#anc12

 

gcook0001
Level 1

Does anyone have a solution for this? I have gone over and over the how-tos on this and nothing works.

Rich R
VIP

It definitely works, so:
1. Debug to understand why yours isn't working. Try https://cway.cisco.com/wireless-debug-analyzer/

2. Make whatever changes are required to resolve the issues you find in the debug.

Your radius packets might be missing something else causing the WLC to ignore them.  They require certain essential fields to uniquely identify the client. 

Check your WLC config with https://cway.cisco.com/wireless-config-analyzer/
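The three attributes quoted in the thread (Tunnel-Type = VLAN, Tunnel-Medium-Type = 802, Tunnel-Private-Group-ID) are the RFC 2868 trio an AireOS / Mobility Express controller looks for in the Access-Accept when AAA override is enabled on the WLAN, and the controller only acts on them when all three are present and consistent. The script below is an added example, not code from this thread or from Cisco: it builds a constructed Access-Accept the way NPS sends it (each tunnel attribute carrying the RFC 2868 tag byte, which the controller must skip) and evaluates it the way a controller does, first checking the Response Authenticator against the shared secret, then extracting the VLAN or listing what is missing. The shared secret, Request Authenticator, identifier values and packet bytes are all constructed here; the attribute numbers and enumerated values come from RFC 2865 and RFC 2868.

```python
"""Check a RADIUS Access-Accept for the RFC 2868 attributes a WLC needs for
dynamic VLAN assignment (AAA override). Added example; not code from the
thread or from Cisco. Every secret, authenticator and packet below is
constructed for the demonstration."""
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13          # RFC 2868 Tunnel-Type "VLAN"
TUNNEL_MEDIUM_IEEE_802 = 6     # RFC 2868 Tunnel-Medium-Type "IEEE 802"


def build_access_accept(identifier, request_authenticator, secret, attrs):
    """Build an Access-Accept with a correct Response Authenticator (RFC 2865 s3):
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(body))
    resp_auth = hashlib.md5(header + request_authenticator + body + secret).digest()
    return header + resp_auth + body


def response_authenticator_ok(packet, request_authenticator, secret):
    """A controller silently discards an Access-Accept whose Response
    Authenticator does not verify (wrong shared secret or altered packet)."""
    header, auth, body = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_authenticator + body + secret).digest()
    return hmac.compare_digest(auth, expected)


def parse_attributes(body):
    """Split the AVP section into (type, value) pairs, rejecting bad lengths."""
    attrs, i = [], 0
    while i < len(body):
        if i + 2 > len(body):
            raise ValueError("truncated AVP header")
        t, length = body[i], body[i + 1]
        if length < 2 or i + length > len(body):
            raise ValueError(f"bad AVP length {length} for type {t}")
        attrs.append((t, body[i + 2:i + length]))
        i += length
    return attrs


def untag(value, integer):
    """RFC 2868 tunnel attributes start with a tag byte (0x00-0x1F). NPS sets
    one; the receiver must skip it. Tagged integers are tag + 3 value bytes;
    a string carries a tag only if its first byte falls in the tag range."""
    if integer:
        if len(value) != 4:
            raise ValueError("tunnel integer attribute must be 4 bytes")
        return value[0], int.from_bytes(value[1:], "big")
    if value and value[0] <= 0x1F:
        return value[0], value[1:]
    return None, value


def vlan_from_access_accept(packet):
    """Return (vlan, []) if the packet carries a usable VLAN override, or
    (None, problems) describing why a controller would ignore it."""
    problems = []
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT:
        problems.append(f"code {code} is not Access-Accept")
    if length != len(packet):
        problems.append("Length field does not match packet size")
    found = {}
    for t, v in parse_attributes(packet[20:]):
        found.setdefault(t, v)           # first occurrence wins
    if TUNNEL_TYPE not in found:
        problems.append("Tunnel-Type (64) missing")
    elif untag(found[TUNNEL_TYPE], True)[1] != TUNNEL_TYPE_VLAN:
        problems.append("Tunnel-Type is not VLAN (13)")
    if TUNNEL_MEDIUM_TYPE not in found:
        problems.append("Tunnel-Medium-Type (65) missing")
    elif untag(found[TUNNEL_MEDIUM_TYPE], True)[1] != TUNNEL_MEDIUM_IEEE_802:
        problems.append("Tunnel-Medium-Type is not IEEE-802 (6)")
    if TUNNEL_PRIVATE_GROUP_ID not in found:
        problems.append("Tunnel-Private-Group-ID (81) missing")
        return None, problems
    _tag, group = untag(found[TUNNEL_PRIVATE_GROUP_ID], False)
    if problems:
        return None, problems
    return group.decode("ascii", "replace"), []


# Constructed sample: what an NPS policy like the one in the thread returns,
# with tag 1 on all three tunnel attributes and VLAN 291 as the group ID.
SECRET = b"constructed-shared-secret"
REQUEST_AUTH = bytes(range(16))          # constructed Request Authenticator
NPS_ATTRS = [
    (TUNNEL_TYPE, b"\x01" + TUNNEL_TYPE_VLAN.to_bytes(3, "big")),
    (TUNNEL_MEDIUM_TYPE, b"\x01" + TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big")),
    (TUNNEL_PRIVATE_GROUP_ID, b"\x01" + b"291"),
]
GOOD = build_access_accept(7, REQUEST_AUTH, SECRET, NPS_ATTRS)
# Same policy with Tunnel-Medium-Type left out: the VLAN is ignored entirely
INCOMPLETE = build_access_accept(8, REQUEST_AUTH, SECRET, NPS_ATTRS[::2])

if __name__ == "__main__":
    print(response_authenticator_ok(GOOD, REQUEST_AUTH, SECRET))      # True
    print(vlan_from_access_accept(GOOD))        # ('291', [])
    print(vlan_from_access_accept(INCOMPLETE))  # (None, ['Tunnel-Medium-Type (65) missing'])
```

To use this against a real exchange, feed it the Access-Accept bytes from a capture taken between NPS and the controller together with the Request Authenticator from the matching Access-Request. If it returns the VLAN, the RADIUS side is fine and the remaining suspects are on the controller: AAA override not enabled on that WLAN, or a group ID that does not match a VLAN name or ID configured there. If it reports problems, the NPS network policy is what needs fixing.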
