
Using Radius to determine vlan assignment

rattebery1
Level 1

In our schools we have multiple vlans for staff and students which are filtered.  We also have an unfiltered vlan for administrators.  Currently we are using 2 ssids to select which vlan the user will be assigned.

ssid-01 [WPA + WPA2][Auth(PSK)] filtered access using interface groups to pool multiple vlans.

ssid-02 [WPA2][Auth(802.1X)] unfiltered access using a single vlan.

We would like to have all staff and students use Auth 802.1x using a single ssid for everyone. For the filtered access (majority of clients) we will be pooling several vlans and for the unfiltered clients we will have 1 vlan. The vlan assignment will be based on the user's Active Directory group.

Example:

Unfiltered vlans 202, 203 and 204

Filtered vlan 300

Radius will select vlan 202 for users in filtered group and vlan 300 for users in unfiltered group.

How do I configure the WLAN ssid so that it will use the pooled address for the filtered group and a single vlan for the unfiltered group using a single ssid?

3 Replies

Francesco Molino
VIP Alumni

Hi 

In terms of the SSID, you need to set up dot1x authentication and choose your RADIUS server configured on the SSID security tab/AAA tab. On the advanced tab, you have to check AAA override and set the NAC state to RADIUS NAC.

All the rest, I mean dynamic VLAN assignment, will be done on the RADIUS server.

Check that post: 

https://supportforums.cisco.com/discussion/13285176/multiple-vlans-assignment-cisco-ise14-single-ssid-over-local-mode-lwap

If you want to allow everyone on vlan 300, then you'll need to select the local layer 3 vlan 300 interface. Also create the interface vlan 202 globally.

Does that answer your question?

Thanks 

PS: please don't forget to rate and mark as correct answer if this answered your question


Francesco

rattebery1
Level 1

In my original post the example was backwards. The corrected example is:

Filtered vlans 202, 203 and 204...

Unfiltered vlan 300

Depending on the size of the school we will pool additional vlans /23 for the filtered users. Only a few users will have the unfiltered access on vlan 300.

In the document https://supportforums.cisco.com/discussion/13290276/using-radius-determine-vlan-assignment it states "The AAA override with interface group is not supported." If this is the case, how will the pooling of vlans be assigned for the filtered users?

Hi 

AAA override with interface group is supported: 

http://www.cisco.com/c/en/us/td/docs/wireless/controller/8-2/config-guide/b_cg82/b_cg82_chapter_0111110.html

Thanks 

PS: Please don't forget to rate and mark as correct answer if this answered your question


Francesco