05-21-2019 03:20 AM - edited 07-05-2021 10:26 AM
We have approximately 20 companies that use a shared LAN and authenticate using wired 802.1X, and they are completely separated for security using VLANs / VRFs.
This has worked very well. However, I now want to arrange for the clients for each company to use our wireless network (though not to use Guest Wi-Fi).
We currently use Cisco WLC 5520, Cisco ISE and Windows AD. In addition, we use Flex Connect at the site for local wireless breakout at the switch.
I’d like our users at each company to authenticate using wireless 802.1X against our existing Cisco ISE & AD. The user then needs to be dynamically placed into the individual VLAN for their company.
However, I know there are limitations with regard to the number of SSIDs that can and should be used (I think the maximum number of SSIDs is 16, and really we shouldn’t go for more than 4).
Rather than having to create multiple SSIDs, ideally I would want to deploy just 1 SSID for them all to use, and then, based on the user's AD credentials (authenticated via AD and ISE), dynamically place the user in a VLAN dedicated to their company (similar to what we currently do with wired dot1x).
Does anyone know if this is possible, and any idea how it can be done?
05-21-2019 04:42 AM
05-21-2019 05:24 AM
Thank you for your response.
So all 20 companies share the 1 same building, the same floors and can be sat next to each other.
Each company can currently access the wired network and is dynamically placed in its own VLAN via wired dot1x.
I know that a WLAN is mapped to a wired VLAN. However, I'd like to advertise just 1 SSID (WLAN) and dynamically map it to different VLANs depending on the partner, following AD authentication.
I'm very conscious that if I have to use a large number of SSIDs (i.e. 1 for each partner) then this will cause issues with interference and channel congestion.
Do you have any examples, or can you share a link showing how it can be done?
05-21-2019 06:12 AM
05-21-2019 06:44 AM
05-21-2019 04:13 PM
One option would be a single 802.1X SSID where ISE does the splitting of the users, mapping each to the correct VLAN based on the user.
One consideration you need to take into account is that you really need the same VLAN mappings at all sites, otherwise you will have issues.
Also, at any given point an AP has a maximum of 16 VLANs. This might be an issue, but if you don't require every VLAN per building this might work. This is regardless of the number of SSIDs.
The other option would be looking at changing the architecture of the wireless to local mode and dropping off out the back of the WLC, which would mean you could have more than 16 interfaces mapped.
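As an added illustration of the single-SSID design discussed above (example code, not from the thread or from Cisco): this models what ISE returns for dynamic VLAN assignment (the IETF RADIUS tunnel attributes an AAA-override WLAN consumes) and checks each site's FlexConnect VLAN mapping against the two caveats raised in the reply, missing VLANs at a site and the 16-VLAN-per-AP limit. The AD group names, VLAN numbers and site names are constructed sample data.

```python
# Constructed sample data: AD group -> VLAN id that ISE's authorization
# policy would hand back for members of that company's group.
AD_GROUP_TO_VLAN = {
    "CompanyA-Users": 101,
    "CompanyB-Users": 102,
    "CompanyC-Users": 103,
}

# Constructed sample data: VLANs actually mapped on the FlexConnect APs at
# each site. Floor2 is deliberately missing VLAN 103 to show the audit.
SITE_VLAN_MAPS = {
    "HQ-Floor1": {101, 102, 103},
    "HQ-Floor2": {101, 102},
}

MAX_AP_VLANS = 16  # per-AP VLAN limit cited in the reply above


def radius_vlan_attributes(ad_groups):
    """Return the RADIUS attributes ISE needs to send for dynamic VLAN assignment.

    Tunnel-Type=VLAN (13), Tunnel-Medium-Type=IEEE-802 (6) and
    Tunnel-Private-Group-ID=<vlan> are the standard trio the WLC honours when
    AAA override is enabled on the WLAN. The first matching group wins; None
    means no company mapping, so the client would land on the WLAN's default
    interface (something the policy should catch, not silently allow).
    """
    for group in ad_groups:
        vlan = AD_GROUP_TO_VLAN.get(group)
        if vlan is not None:
            return {
                "Tunnel-Type": "VLAN",
                "Tunnel-Medium-Type": "IEEE-802",
                "Tunnel-Private-Group-ID": str(vlan),
            }
    return None


def audit_site_vlan_maps(site_maps, required_vlans, max_per_ap=MAX_AP_VLANS):
    """Flag sites whose FlexConnect mapping lacks a VLAN ISE may assign,
    or which exceed the per-AP VLAN cap. Returns a list of finding strings."""
    findings = []
    for site, vlans in site_maps.items():
        missing = sorted(required_vlans - vlans)
        if missing:
            findings.append(f"{site}: VLAN(s) {missing} not mapped; clients "
                            f"assigned there would fail or fall back to the default VLAN")
        if len(vlans) > max_per_ap:
            findings.append(f"{site}: {len(vlans)} VLANs exceeds per-AP limit of {max_per_ap}")
    return findings
```

Run `audit_site_vlan_maps(SITE_VLAN_MAPS, set(AD_GROUP_TO_VLAN.values()))` before rolling the SSID out to a new site; an empty list means every VLAN ISE can return is mapped there.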