11-13-2010 01:36 AM - edited 07-03-2021 07:24 PM
hi all,
I am using a Cisco WLC 5508 with version 7. I need to set up a wireless network with one SSID for different VLANs. The setup has been created with different AP Groups, and it's working fine. But the problem is that access points in different AP Groups are nearby, i.e. they can see each other, i.e. the same wireless users are randomly connecting to different AP Groups (i.e. different VLANs). I need the same wireless user to associate to a particular VLAN at all times. I used MAC filtering locally, so that the user's MAC address is bound to only one dynamic interface, i.e. VLAN. But the same wireless users are still randomly switching to different AP groups. Please give a solution for this.
Regards
Dileep
11-13-2010 02:30 AM
hi,
AP groups are a way of doing "per geographical location VLAN assignment".
You say you want "per user VLAN assignment". This is done through RADIUS. Have your users authenticate through RADIUS (MAC address or EAP method) and assign them back a VLAN.
Don't forget to enable AAA override on the WLAN for this to work.
Hope this helps.
Nicolas
===
Don't forget to rate answers that you find useful
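What the RADIUS reply has to carry for the per-user VLAN assignment described in the answer above, as an added example that is not part of the original thread: the three tunnel attributes from RFC 3580, built and then checked in Python. The VLAN ID 110 used with it and all function names are constructed for illustration, and only numeric VLAN IDs are handled.

```python
import struct

TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
VLAN, IEEE_802 = 13, 6  # values from RFC 2868 / RFC 3580


def encode_vlan_attrs(vlan, tag=0):
    """Build the three tunnel attributes a RADIUS server returns to assign a VLAN."""
    def tagged_int(attr_type, value):
        # 1 byte type, 1 byte length (always 6), 1 byte tag, 3 byte value
        return struct.pack("!BBB", attr_type, 6, tag) + value.to_bytes(3, "big")
    group = str(vlan).encode()
    if tag:
        group = bytes([tag]) + group  # optional tag byte precedes the string
    return (tagged_int(TUNNEL_TYPE, VLAN)
            + tagged_int(TUNNEL_MEDIUM_TYPE, IEEE_802)
            + struct.pack("!BB", TUNNEL_PRIVATE_GROUP_ID, len(group) + 2) + group)


def parse_attrs(blob):
    """Split a RADIUS attribute block into {type: value}; reject malformed lengths."""
    attrs, i = {}, 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        attr_type, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError("bad attribute length")
        attrs[attr_type] = blob[i + 2:i + length]
        i += length
    return attrs


def assigned_vlan(blob):
    """Return the VLAN ID the reply assigns, or None if it would not override the VLAN."""
    attrs = parse_attrs(blob)
    ttype, medium, group = (attrs.get(t) for t in
                            (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID))
    if not (ttype and medium and group) or len(ttype) != 4 or len(medium) != 4:
        return None  # all three attributes must be present and well-formed
    if (int.from_bytes(ttype[1:], "big") != VLAN
            or int.from_bytes(medium[1:], "big") != IEEE_802):
        return None
    if group[0] <= 0x1F:  # a leading byte up to 0x1F is a tag, not part of the ID
        group = group[1:]
    text = group.decode("ascii", "replace")
    return int(text) if text.isdigit() and 1 <= int(text) <= 4094 else None
```

Running `assigned_vlan` over the attribute block of a captured Access-Accept shows whether a given user's reply actually carries a usable VLAN before troubleshooting the WLAN side.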
11-13-2010 02:40 AM
hi,
Thanks for your quick reply. Yes, I understand your solution. For this we have to use 802.1x authentication for wireless users, am I right? But all the wireless users are domain users; does 802.1x support Windows AD SSO? Also, does 802.1x depend on the client wireless network adapters? We are also doing NAC L2 OOB Virtual Gateway for wireless users, which should support Windows AD SSO.
Regards
Dileep
11-13-2010 03:52 AM
The Windows default supplicant allows for SSO with dot1x without issue, either with the machine account or the user account.
The checkbox on the Windows client is something like "use windows credentials".
This way it would be SSO but 2 authentications would happen (dot1x and NAC).
You can also totally skip the NAC authentication if you rely on the dot1x. Then you need to do "like" NAC VPN SSO where the WLC sends an accounting packet to the NAC to automatically authenticate the user. This would speed up the process a bit.
But I think it's better to go step by step and implement dot1x first ;-)
Nicolas
===
Don't forget to rate answers that you find useful