Wireless controller - Single SSID with multiple VLANs

H1HumJG (Level 1)

Hello, everyone!

I am using a standalone Cisco Wireless Controller 2504 with 50 APs. I am using a RADIUS authentication server (Windows Server 2016). I have deployed 5 WLANs (5 SSIDs) with 802.1X and I am wondering if there is a way to just have one SSID and separate users by VLAN, so the areas of the organization where I work have different restrictions and the users just see one SSID. Is that possible with my controller, and what do I need to make it work? I know that the one I am using is an old and EoS one.

Thank you

7 Replies

I think the work will be done in the RADIUS server; each user will be assigned a different VLAN.

Yes, part of the work is done in the RADIUS server and NPS. Fortunately I have found complete guides about that for other vendors, but no information for the 2504 Cisco controller. I want to know if there is a guide or manual for what to do in my controller, or any reference that it is possible. I have found some info, but it needs Cisco ISE.

Hi

With ISE it is more common; with NPS I have no experience, but theoretically it should be possible, as both speak the RADIUS protocol. On the WLC side, what you need to enable is "AAA override" on the WLAN.

For central switching the WLC needs to have all VLANs, and for local switching the switch must have all VLANs.

Yes, I have not found anyone who has done that and documented it. I believe it should work, as you said both speak RADIUS. I will try the AAA override and let you know how it is going. Thank you for the answers.

Leo Laohoo (Hall of Fame)

It is called 802.1X and we've been using this for >5 years now.

We present one SSID and users log in and they get "shunted" into specific subnets based on their role.

jonathga94 (Level 1)

Hello, I guess you want to configure dynamic VLAN assignment with your WLC 2504 and a Windows server; that is supported. The WLC is expecting to receive the VLAN information from your Windows server in the Access-Accept of the client authentication, so on your Windows server you need to include these fields in the accept messages:

IETF 64 (Tunnel Type)—Set this to VLAN.
IETF 65 (Tunnel Medium Type)—Set this to 802.
IETF 81 (Tunnel Private Group ID)—Set this to VLAN ID.

In the link below you can see the step by step configuration for Dynamic VLAN on windows NPS:

https://www.expertnetworkconsultant.com/configuring/ieee-802-1x-authentication-and-dynamic-vlan-assignment-with-nps-radius-server/

On the WLC side, you just need to add your Windows server to the WLC's RADIUS list and enable AAA override on the WLAN, as shown in the link below:

https://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/99121-vlan-acs-ad-config.html#anc11

regards.
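The three attributes listed in the reply above (IETF 64/65/81), together with the "AAA override" requirement mentioned earlier in the thread, are all the WLC consumes to pick the VLAN. The following is an added example, not code from any poster, Cisco or Microsoft: it encodes those attributes as RFC 2868 RADIUS AVPs the way they appear on the wire and decodes an attribute blob back to the VLAN the WLC would apply, flagging the usual misconfigurations (wrong Tunnel-Medium-Type, a missing attribute, a non-numeric group ID, mismatched tags). The attribute numbers and enumerated values (Tunnel-Type 13 = VLAN, Tunnel-Medium-Type 6 = IEEE-802) come from RFC 2868/RFC 3580 and the post above; the rule that the group ID must be a numeric VLAN ID follows the post's guidance, not every WLC release. All sample attribute bytes are constructed inline, so it runs offline.

```python
"""Encode and check the RFC 2868 tunnel attributes a Cisco WLC reads from a
RADIUS Access-Accept to place an 802.1X client into a VLAN (AAA override).
Added example for this thread; the sample data below is constructed, not
captured from NPS."""
import struct

# IETF RADIUS attribute numbers (RFC 2868)
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
# Enumerated values the WLC expects (RFC 3580 usage of RFC 2868)
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6

NAMES = {TUNNEL_TYPE: "Tunnel-Type (IETF 64)",
         TUNNEL_MEDIUM_TYPE: "Tunnel-Medium-Type (IETF 65)",
         TUNNEL_PRIVATE_GROUP_ID: "Tunnel-Private-Group-ID (IETF 81)"}


def encode_avp(attr_type, value):
    """RADIUS attribute TLV: Type(1) Length(1, header included) Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def tunnel_attrs(tunnel_type, medium, group_id, tag=0):
    """Build the three tunnel attributes with arbitrary values (also used for
    the negative cases); tag 0 means untagged."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("RFC 2868 tag must be 0..31")
    # Integer tunnel attributes are always tag(1) + 24-bit value.
    t = encode_avp(TUNNEL_TYPE, bytes([tag]) + tunnel_type.to_bytes(3, "big"))
    m = encode_avp(TUNNEL_MEDIUM_TYPE, bytes([tag]) + medium.to_bytes(3, "big"))
    # String attribute: the tag octet is only present when a tag is used; an
    # untagged string starts directly with its first character (> 0x1F).
    g = (bytes([tag]) if tag else b"") + group_id.encode("ascii")
    return t + m + encode_avp(TUNNEL_PRIVATE_GROUP_ID, g)


def build_vlan_avps(vlan_id, tag=0):
    """Attribute bytes the RADIUS server must return in Access-Accept for
    the WLC to move the client into `vlan_id`."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN id out of range")
    return tunnel_attrs(TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE_802, str(vlan_id), tag)


def parse_avps(data):
    """Yield (type, value) from a RADIUS attribute blob, checking lengths."""
    i = 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length at offset %d" % i)
        yield attr_type, data[i + 2:i + length]
        i += length


def split_tag(value):
    """RFC 2868: a leading octet of 0x00..0x1F is a tag; otherwise untagged."""
    if value and value[0] <= 0x1F:
        return value[0], value[1:]
    return 0, value


def vlan_from_access_accept(data):
    """Return (vlan_id, problems): the VLAN the WLC would apply, else None
    plus the reasons, so a capture of the Access-Accept can be checked."""
    attrs, tags, problems = {}, set(), []
    for attr_type, value in parse_avps(data):
        if attr_type in NAMES:
            tag, body = split_tag(value)
            tags.add(tag)
            attrs[attr_type] = body
    if not attrs:
        return None, ["no tunnel attributes: WLC keeps the WLAN's static interface"]
    if len(tags) > 1:
        problems.append("tunnel attributes carry different tags %s" % sorted(tags))
    for attr_type in NAMES:
        if attr_type not in attrs:
            problems.append(NAMES[attr_type] + " missing")
    if problems:
        return None, problems
    if int.from_bytes(attrs[TUNNEL_TYPE], "big") != TUNNEL_TYPE_VLAN:
        problems.append("Tunnel-Type is not 13 (VLAN)")
    if int.from_bytes(attrs[TUNNEL_MEDIUM_TYPE], "big") != TUNNEL_MEDIUM_IEEE_802:
        problems.append("Tunnel-Medium-Type is not 6 (IEEE-802)")
    group_id = attrs[TUNNEL_PRIVATE_GROUP_ID].decode("ascii", "replace")
    if not (group_id.isdigit() and 1 <= int(group_id) <= 4094):
        problems.append("Tunnel-Private-Group-ID %r is not a VLAN ID" % group_id)
    return (None, problems) if problems else (int(group_id), [])


if __name__ == "__main__":
    good = build_vlan_avps(100)                     # what NPS should send
    bad = tunnel_attrs(TUNNEL_TYPE_VLAN, 1, "100")  # medium type wrong
    print(good.hex(), vlan_from_access_accept(good))
    print(bad.hex(), vlan_from_access_accept(bad))
```

Feed `vlan_from_access_accept` the attribute bytes cut from a packet capture of the Access-Accept between NPS and the controller before changing anything on the WLC: if the decoder already returns `(None, [...])`, the NPS network policy is the problem, not AAA override. Keep in mind that once AAA override is enabled the VLAN a client lands in is decided entirely by whichever NPS network policy matched (normally an AD group condition), so the group conditions on those policies are what enforce the separation between the areas of the organization.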
