06-08-2022 07:18 AM
Hello, everyone!
I am using a standalone Cisco Wireless Controller 2504 with 50 APs. I am using a RADIUS authentication server (Windows Server 2016). I have deployed 5 WLANs (5 SSIDs) with 802.1X and I am wondering if there is a way to just have one SSID and separate users by VLAN, so the areas of the organization where I work have different restrictions and the users just see one SSID. Is that possible with my controller, and what do I need to make it work? I know that the one I am using is an old and EoS one.
Thank you
06-08-2022 07:27 AM
I think the work will be done in the RADIUS server;
each user will be assigned a different VLAN.
06-08-2022 07:31 AM
Yes, part of the work is done in the RADIUS server and NPS. Fortunately I have found complete guides about that for other vendors, but no information for the 2504 Cisco controller. I want to know if there is a guide or manual for what to do in my controller, or any reference that says it is possible. I have found some info, but it needs Cisco ISE.
06-08-2022 08:06 AM
Hi
With ISE it is more common; with NPS I have no experience, but theoretically it should be possible, as both speak the RADIUS protocol. On the WLC side, what you need to enable is "AAA override" on the WLAN.
For central switching the WLC needs to have all VLANs, and for local switching the switch must have all VLANs.
06-08-2022 08:26 AM
Yes, I have not found anyone who has done that and documented it. I believe it should work, as you said both speak RADIUS. I will try the AAA override and let you know how it is going. Thank you for the answers.
06-08-2022 08:38 AM
06-08-2022 03:40 PM
It is called 802.1X, and we've been using this for >5 years now.
We present one SSID; users log in and they get "shunted" into specific subnets based on their role.
06-09-2022 06:34 AM
Hello, I guess you want to configure dynamic VLAN assignment with your WLC 2504 and a Windows server; that is supported. The WLC is expecting to receive the VLAN information from your Windows server in the Access-Accept of the client authentication, so on your Windows server you need to include these fields in the accept messages:
IETF 64 (Tunnel Type)—Set this to VLAN.
IETF 65 (Tunnel Medium Type)—Set this to 802.
IETF 81 (Tunnel Private Group ID)—Set this to VLAN ID.
In the link below you can see the step-by-step configuration for dynamic VLAN on Windows NPS:
On the WLC side, you just need to add your Windows server to the WLC's RADIUS list and enable AAA override on the WLAN, as shown in the link below:
Regards.
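To check what NPS is actually returning before blaming the WLC, it helps to decode the three tunnel attributes from a captured Access-Accept. The following is an added example, not from this thread or from Cisco: it encodes and parses the RFC 2868 attributes (IETF 64/65/81, including the optional tag octet NPS may prepend) and reports the VLAN a WLC with AAA override would apply, or None when the set is incomplete and the client would fall back to the WLAN's default interface. Constant values and the sample bytes are constructed from the RFC, not taken from any real capture.

```python
import struct

# RFC 2868 attribute numbers and the values the WLC expects (IETF 64/65/81 above)
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13        # Tunnel-Type "VLAN"
TUNNEL_MEDIUM_IEEE_802 = 6   # Tunnel-Medium-Type "802"


def encode_tunnel_attr(attr_type, value, tag=0):
    """Encode one tagged attribute as Type, Length, Tag, Value (RFC 2868 s.3)."""
    if attr_type == TUNNEL_PRIVATE_GROUP_ID:
        body = bytes([tag]) + str(value).encode()          # string attribute
    else:
        body = bytes([tag]) + struct.pack(">I", value)[1:]  # tag + 3-byte integer
    return bytes([attr_type, 2 + len(body)]) + body


def build_vlan_avps(vlan_id, tag=0):
    """Attribute bytes a correctly configured NPS policy would send for vlan_id."""
    return (encode_tunnel_attr(TUNNEL_TYPE, TUNNEL_TYPE_VLAN, tag)
            + encode_tunnel_attr(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_IEEE_802, tag)
            + encode_tunnel_attr(TUNNEL_PRIVATE_GROUP_ID, vlan_id, tag))


def parse_avps(data):
    """Walk a RADIUS attribute list and return {type: value} for the tunnel attributes."""
    out, i = {}, 0
    while i < len(data):
        if i + 1 >= len(data) or data[i + 1] < 2:
            raise ValueError("malformed attribute at offset %d" % i)
        attr_type, length = data[i], data[i + 1]
        val = data[i + 2:i + length]
        i += length
        if attr_type not in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID):
            continue
        if val and val[0] <= 0x1F:   # leading octet 0x00..0x1F is a tag, not data
            val = val[1:]
        if attr_type == TUNNEL_PRIVATE_GROUP_ID:
            out[attr_type] = val.decode("ascii", "replace")
        else:
            out[attr_type] = int.from_bytes(val, "big")
    return out


def vlan_from_access_accept(data):
    """VLAN id a WLC with AAA override would apply, or None if the attributes are wrong."""
    attrs = parse_avps(data)
    if attrs.get(TUNNEL_TYPE) != TUNNEL_TYPE_VLAN:
        return None
    if attrs.get(TUNNEL_MEDIUM_TYPE) != TUNNEL_MEDIUM_IEEE_802:
        return None
    group = attrs.get(TUNNEL_PRIVATE_GROUP_ID, "")
    return int(group) if group.isdigit() and 1 <= int(group) <= 4094 else None
```

Feed it the attribute section of a captured Access-Accept (the bytes after the 20-byte RADIUS header) to confirm all three attributes and the tag handling match what the WLC expects.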