Assign VLAN by username

Jul 28th, 2008

I have 2 4404 WLCs with WCS. I have a WLAN set up to authenticate to a MS IAS Radius server. Users are authenticated using their Active Directory username. I want to set up multiple WLANs and restrict which user can connect to which WLAN, or I can also set up one WLAN but I want to assign an IP address or VLAN dependent on the username. Right now I have 2 WLANs set up using IAS for authentication. In IAS we set up 2 different profiles and each has a different AD group associated to it. Users in both groups can connect to either WLAN. I want particular users to be assigned IP addresses from a specific network. How can I separate this out so that multiple groups of users get different IP addresses?

dkleimbach Tue, 07/29/2008 - 05:57


Is there a way to do this with a Microsoft IAS Radius server?



cody.roche Tue, 07/29/2008 - 11:52


You should be able to do this, but you'll need to create the values by hand in IAS. These are the numbers that are next to the descriptions in ACS.

I haven't done exactly this configuration in IAS before, but I've passed some Cisco values for enable mode at login based on AD group membership. The concept is the same for what you are doing, just training IAS to respond with the right values based on certain requests.

Here is a good Microsoft KB article with some good references on how to build the custom attributes you'll need.

Here is a very good example of functional IAS configuration changes to allow login directly to enable mode to work correctly with IAS to get you started.

The changes you are looking for require modifications that are similar.

Combine that background information with the article that Rob pointed to and you should be able to get it working. It might take some trial and error and some debugging to get it right though.
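Added example, not part of any post in this thread: a sketch of the per-group values a RADIUS server returns for dynamic VLAN assignment, encoded and validated on the wire. It assumes the standard tunnel attributes from RFC 3580 (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID), which the thread does not name; the group names and VLAN IDs are constructed.

```python
import struct

# RADIUS attribute numbers (RFC 2868) and the VLAN values from RFC 3580.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TT_VLAN, TMT_IEEE_802 = 13, 6

# Constructed sample policy: AD group -> VLAN ID (hypothetical names and IDs).
GROUP_VLAN = {"WLAN-Staff": 110, "WLAN-Contractors": 120}

def tagged_int(attr, value, tag=0):
    """Type, Length=6, Tag, 3-byte big-endian value."""
    return struct.pack("!BBB", attr, 6, tag) + value.to_bytes(3, "big")

def vlan_attributes(user_groups):
    """Attributes for the first policy entry the user matches, b'' if none."""
    for group, vlan in GROUP_VLAN.items():
        if group in user_groups:
            if not 1 <= vlan <= 4094:
                raise ValueError(f"invalid VLAN ID {vlan}")
            vid = str(vlan).encode("ascii")  # sent as a string, no tag byte
            return (tagged_int(TUNNEL_TYPE, TT_VLAN)
                    + tagged_int(TUNNEL_MEDIUM_TYPE, TMT_IEEE_802)
                    + struct.pack("!BB", TUNNEL_PRIVATE_GROUP_ID, 2 + len(vid))
                    + vid)
    return b""

def parse_vlan(attrs):
    """Return the VLAN ID only when all three attributes are present and valid."""
    seen, i = {}, 0
    while i < len(attrs):
        if i + 2 > len(attrs):
            raise ValueError("truncated attribute header")
        attr, length = attrs[i], attrs[i + 1]
        if length < 3 or i + length > len(attrs):
            raise ValueError("malformed attribute length")
        seen[attr] = attrs[i + 2:i + length]
        i += length
    tt, tm, gid = (seen.get(a) for a in
                   (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID))
    if tt is None or tm is None or gid is None:
        return None
    if (int.from_bytes(tt[1:], "big") != TT_VLAN
            or int.from_bytes(tm[1:], "big") != TMT_IEEE_802):
        return None
    if gid[0] <= 0x1F:  # optional leading tag byte
        gid = gid[1:]
    return int(gid.decode("ascii"))

if __name__ == "__main__":
    reply = vlan_attributes(["Domain Users", "WLAN-Contractors"])
    print(reply.hex(), parse_vlan(reply))
```

A user who matches no mapped group gets no VLAN attributes at all, so the server policy for that case should reject the request rather than accept it without them.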


