05-05-2017 01:13 PM - edited 07-05-2021 06:58 AM
In our schools we have multiple vlans for staff and students which are filtered. We also have an unfiltered vlan for administrators. Currently we are using 2 ssids to select which vlan the user will be assigned.
ssid-01 [WPA + WPA2][Auth(PSK)] filtered access using interface groups to pool multiple vlans.
ssid-02 [WPA2][Auth(802.1X)] unfiltered access using a single vlan.
We would like to have all staff and students use Auth 802.1x using a single ssid for everyone. For the filtered access (majority of clients) we will be pooling several vlans and for the unfiltered clients we will have 1 vlan. The vlan assignment will be based on the user's Active Directory group.
Example:
Unfiltered vlans 202, 203 and 204
Filtered vlan 300
Radius will select vlan 202 for users in filtered group and vlan 300 for users in unfiltered group.
How do I configure the WLAN ssid so that it will use the pooled address for the filtered group and a single vlan for the unfiltered group using a single ssid?
05-05-2017 07:51 PM
Hi
In terms of ssid, you need to set up dot1x authentication and choose your radius server configured on the ssid security tab/aaa tab. On the advanced tab, you have to check aaa override and nac state as radius nac.
All the rest, I mean dynamic vlan assignment will be done on the radius server.
Check that post:
https://supportforums.cisco.com/discussion/13285176/multiple-vlans-assignment-cisco-ise14-single-ssid-over-local-mode-lwap
If you want to allow everyone on vlan 300, then you'll need to select the local layer 3 vlan 300 interface. Create also the interface vlan 202 globally.
Does that answer your question?
Thanks
PS: please don't forget to rate and mark as correct answer if this answered your question
05-08-2017 06:47 AM
In my original post the example was backwards. The corrected example is:
Filtered vlans 202, 203 and 204...
Unfiltered vlan 300
Depending on the size of the school we will pool additional vlans /23 for the filtered users. Only a few users will have the unfiltered access on vlan 300.
In the document https://supportforums.cisco.com/discussion/13290276/using-radius-determine-vlan-assignment it states "The AAA override with interface group is not supported." If this is the case, how will the pooling of vlans be assigned for the filtered users?
05-08-2017 05:46 PM
Hi
AAA override with interface group is supported:
http://www.cisco.com/c/en/us/td/docs/wireless/controller/8-2/config-guide/b_cg82/b_cg82_chapter_0111110.html
Thanks
PS: Please don't forget to rate and mark as correct answer if this answered your question
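Added example, not part of any post in this thread: a sketch of the decision the RADIUS policy has to make for the single-SSID design discussed above, written so that only exact membership in the unfiltered AD group yields vlan 300 and everything else (no group, unknown group, look-alike names) falls back to the filtered pool. The AD group name and the interface group name are hypothetical, and it assumes the controller accepts an interface group name in `Airespace-Interface-Name` when aaa override is enabled.

```python
import re

# Hypothetical names; substitute the real AD group and WLC interface group.
UNFILTERED_GROUP = "wifi-unfiltered"
FILTERED_INTERFACE_GROUP = "filtered-pool"   # would pool vlans 202, 203 and 204
UNFILTERED_VLAN = "300"                      # unfiltered vlan from the thread


def group_cn(dn):
    """Return the lower-cased leading CN of an AD distinguishedName, or None."""
    # Only the first RDN counts; backslash-escaped characters such as "\,"
    # are part of the value and must not end it.
    m = re.match(r"\s*CN=((?:\\.|[^,\\])+)", dn, re.IGNORECASE)
    if not m:
        return None
    return re.sub(r"\\(.)", r"\1", m.group(1)).strip().lower()


def reply_attributes(member_of):
    """Map a user's memberOf DNs to the RADIUS reply attributes to send."""
    cns = {group_cn(dn) for dn in member_of}
    # Exact CN comparison: a substring test on the DN would also match
    # "CN=not-wifi-unfiltered" or an OU that happens to carry the name.
    if UNFILTERED_GROUP in cns:
        return {
            "Tunnel-Type": "VLAN",
            "Tunnel-Medium-Type": "IEEE-802",
            "Tunnel-Private-Group-ID": UNFILTERED_VLAN,
        }
    # Default: least-privileged result, the filtered interface group.
    return {"Airespace-Interface-Name": FILTERED_INTERFACE_GROUP}


if __name__ == "__main__":
    # Constructed sample DNs.
    admin = ["CN=Wifi-Unfiltered,OU=Groups,DC=school,DC=example"]
    student = ["CN=Students,OU=Groups,DC=school,DC=example"]
    print(reply_attributes(admin))
    print(reply_attributes(student))
```

Whatever RADIUS server is used, the same ordering applies: the unfiltered rule matches one specific group and the filtered pool is the catch-all.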