
Assign VLAN by username

dkleimbach
Level 1

I have 2 4404 WLCs with WCS. I have a WLAN set up to authenticate to a MS IAS Radius server. Users are authenticated using their Active Directory username. I want to set up multiple WLANs and restrict which user can connect to which WLAN, or I can also set up one WLAN but I want to assign an IP address or VLAN dependent on the username. Right now I have 2 WLANs set up using IAS for authentication. In IAS we set up 2 different profiles and each has a different AD group associated to it. Users in both groups can connect to either WLAN. I want particular users to be assigned IP addresses from a specific network. How can I separate this out so that multiple groups of users get different IP addresses?

3 Replies

Rob Huffman
Hall of Fame

Hi Deanna,

Have you looked into this WLC feature:

Dynamic VLAN Assignment with RADIUS Server and Wireless LAN Controller Configuration Example

http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml

Hope this helps!

Rob

Rob,

Is there a way to do this with a Microsoft IAS Radius server?

Thanks,

Deanna

Deanna,

You should be able to do this, but you'll need to create the values by hand in IAS. These are the numbers that are next to the descriptions in ACS.

I haven't done exactly this configuration in IAS before, but I've passed some Cisco values for enable mode at login based on AD group membership. The concept is the same for what you are doing, just training IAS to respond with the right values based on certain requests.

Here is a good Microsoft KB article with some good references on how to build the custom attributes you'll need. http://support.microsoft.com/kb/283829

Here is a very good example of functional IAS configuration changes to allow login directly to enable mode to work correctly with IAS to get you started. http://www.blindhog.net/cisco-aaa-login-authentication-with-radius-ms-ias/

The changes that you are looking for require modifications that are similar.

Combine that background information with the article that Rob pointed to and you should be able to get it working. It might take some trial and error and some debugging to get it right though.

Cody
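
Added example, not part of the thread and not code from Cisco or Microsoft: a small Python check for the "trial and error and debugging" step, which encodes and validates the three standard attributes (Tunnel-Type 64 = VLAN 13, Tunnel-Medium-Type 65 = 802 6, Tunnel-Private-Group-ID 81 = VLAN ID, per RFC 2868 and RFC 3580) that a RADIUS reply carries for VLAN assignment. The AD group names and VLAN IDs are constructed placeholders.

```python
# RFC 2868 attribute numbers and the RFC 3580 values used for VLAN assignment.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TYPE_VLAN, MEDIUM_802 = 13, 6

# Constructed sample: hypothetical AD group names mapped to hypothetical VLAN IDs.
POLICIES = {"Wireless-Staff": "20", "Wireless-Guest": "30"}

def encode_vlan_attrs(vlan, tag=0):
    """Encode the three attributes a remote access policy returns for a VLAN."""
    def tagged_int(attr, value):
        # type octet, length 6, tag octet, 3-octet big-endian value
        return bytes([attr, 6, tag]) + value.to_bytes(3, "big")
    group = vlan.encode("ascii")
    return (tagged_int(TUNNEL_TYPE, TYPE_VLAN)
            + tagged_int(TUNNEL_MEDIUM_TYPE, MEDIUM_802)
            + bytes([TUNNEL_PRIVATE_GROUP_ID, 2 + len(group)]) + group)

def parse_attrs(data):
    """Split a RADIUS attribute list into {type: value bytes}."""
    attrs, i = {}, 0
    while i < len(data):
        if len(data) - i < 2 or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("truncated or malformed attribute")
        attrs[data[i]] = data[i + 2:i + data[i + 1]]
        i += data[i + 1]
    return attrs

def assigned_vlan(data):
    """Return the VLAN ID string, or raise ValueError naming what is wrong."""
    attrs = parse_attrs(data)
    for attr, want, name in ((TUNNEL_TYPE, TYPE_VLAN, "Tunnel-Type"),
                             (TUNNEL_MEDIUM_TYPE, MEDIUM_802, "Tunnel-Medium-Type")):
        value = attrs.get(attr)
        if value is None or len(value) != 4 or int.from_bytes(value[1:], "big") != want:
            raise ValueError(f"{name} missing or not {want}")
    group = attrs.get(TUNNEL_PRIVATE_GROUP_ID)
    if group and group[0] <= 0x1F:
        group = group[1:]  # first octet is an optional tag, not part of the ID
    if not group:
        raise ValueError("Tunnel-Private-Group-ID missing or empty")
    return group.decode("ascii")

def check_policies(policies=POLICIES):
    """Round-trip every policy and return {group: VLAN the client would get}."""
    return {g: assigned_vlan(encode_vlan_attrs(v)) for g, v in policies.items()}

if __name__ == "__main__":
    print(check_policies())
```

Feeding `assigned_vlan` the attribute bytes from a captured Access-Accept shows which of the three hand-entered values is absent or wrong, since the `ValueError` names the offending attribute.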
