In short we have a WLC4402 (50 AP license) and approx 30 1252s LAPs in place. Right now we have three VLANs/SSIDs in place - one for admin, one for teachers and one for students. The WLC uses a MS Windows 2003 server running IAS for PEAP authentication. The clients are Windows XP, the SSID is entered manually based on "pre-designation" of the laptop's "type" (either admin, teacher or student).
This is working fine. However, more and more frequently our users have been "sharing" laptops, so a student may need to use a teacher's laptop and vice-versa. In short, we would like to use dynamic VLAN/SSID assignment so that if a student does have a teacher's laptop, the "student" VLAN/SSID would be assigned to them when they log in (and the proper ACLs, QoS policies, etc. would be applied).
We have found documentation on how to perform this with an ACS, but is there anything available for this configuration with a MS IAS server?
Any input/information would be greatly appreciated.
The setup works fine with MS IAS server. You have to set the RADIUS options (3 of them) that are documented in the similar ACS article of the same ilk. You can have a single SSID, using RADIUS auth, and have Active Directory determine vlan membership based on group.
The RADIUS attribute settings are
Tunnel-Type = Vlan
Tunnel-Pvt-Group-ID = vlanid
Tunnel-Medium-Type = 802
I also like to set
Ignore-User-Dialin-Properties = True
You need to create some Policies in IAS to match your Windows groups, and set the correct vlan id. A separate IAS policy per vlan.
Set the RADIUS attributes per IAS policy and per AD group or however you plan on determining membership.
If you want to use RADIUS for administration, you also have to define a separate policy that sets RADIUS attribute Service-Type = Administrative
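An added example, not part of the original posts: one way to check that an IAS policy really returns the three tunnel attributes listed above, by decoding the raw bytes of an Access-Accept (for example, from a packet capture). The function names and the sample packet are constructed for illustration; the check assumes the VLAN is sent as a numeric ID and does not verify the Response Authenticator.

```python
import struct

TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PVT_GROUP_ID = 64, 65, 81  # RFC 2868
VLAN, IEEE_802, ACCESS_ACCEPT = 13, 6, 2  # values per RFC 3580; RADIUS code 2

def parse_attributes(packet: bytes) -> dict:
    """Return {attribute type: [raw values]} from an Access-Accept, bounds-checked."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or not 20 <= length <= len(packet):
        raise ValueError("not a well-formed Access-Accept")
    attrs, pos = {}, 20
    while pos < length:
        a_len = packet[pos + 1] if pos + 2 <= length else 0
        if a_len < 2 or pos + a_len > length:
            raise ValueError("malformed attribute")
        attrs.setdefault(packet[pos], []).append(packet[pos + 2:pos + a_len])
        pos += a_len
    return attrs

def _tagged_int(value: bytes) -> int:
    """Tunnel-Type / Tunnel-Medium-Type: one tag byte, then a 3-byte integer."""
    if len(value) != 4:
        raise ValueError("tagged integer must be 4 bytes")
    return int.from_bytes(value[1:], "big")

def assigned_vlan(packet: bytes) -> int:
    """Return the VLAN ID only if all three attributes are present and consistent."""
    attrs = parse_attributes(packet)
    for a_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PVT_GROUP_ID):
        if len(attrs.get(a_type, [])) != 1:
            raise ValueError(f"attribute {a_type} missing or repeated")
    for a_type, want in ((TUNNEL_TYPE, VLAN), (TUNNEL_MEDIUM_TYPE, IEEE_802)):
        if _tagged_int(attrs[a_type][0]) != want:
            raise ValueError(f"attribute {a_type} is not {want}")
    group = attrs[TUNNEL_PVT_GROUP_ID][0]
    if group and group[0] <= 0x1F:      # optional leading tag byte (RFC 2868)
        group = group[1:]
    if not group.isdigit() or not 1 <= int(group) <= 4094:
        raise ValueError("Tunnel-Pvt-Group-ID is not a numeric VLAN ID")
    return int(group)

def sample_accept(vlan=b"20", medium=IEEE_802) -> bytes:
    """Constructed test packet with a zeroed authenticator, not a real capture."""
    attr = lambda t, v: bytes([t, len(v) + 2]) + v
    body = (attr(TUNNEL_TYPE, bytes([0, 0, 0, VLAN])) + attr(TUNNEL_PVT_GROUP_ID, vlan)
            + attr(TUNNEL_MEDIUM_TYPE, bytes([0, 0, 0, medium])))
    return struct.pack("!BBH", ACCESS_ACCEPT, 1, 20 + len(body)) + bytes(16) + body
```

A policy that sends only one or two of the attributes, or a Tunnel-Medium-Type other than 802, raises `ValueError` here rather than returning a VLAN.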