Wireless Dynamic Vlan Assignment

Jan 24th, 2014

Hi, I was wondering if someone could help with the following please:


I have the following wireless setup:


Dual 5508 WLCs in data centre (Primary/Secondary), 2600 APs deployed over several sites operating in FlexConnect mode with local switching and centralised authentication to AD via an ACS 5.1 (also located in data centre) using PEAP (user not machine). At all existing sites, static VLANs have been applied to the access points so that once users have been authenticated they drop into the defined VLAN.


However, we have a new site which will be multi-tenanted, where multiple users from different domains will be connecting to the same AP infrastructure. These users need to be dropped into different VLANs. Therefore the current configuration described above will not scale. As such I have amended the existing ACS configuration so that any users that connect from the specified directory groups from these domains are allocated RADIUS attributes that place them into the correct VLAN (dynamic VLAN assignment). In addition, if any users from other sites visit the new site they are dropped into the default VLAN assigned to the AP, as with the existing FlexConnect configuration.


However (and here is the problem I am facing), when a user from this new site goes to one of the other existing sites and authenticates, they are still being allocated the RADIUS attributes for the VLAN of their home site, and as these VLANs do not exist on the site LAN that they are visiting, this results in no network connectivity.


So... my question is: how do I have a policy on ACS that supports my multi-tenant site but also allows these users to visit other sites and use the default VLAN assigned to the APs?


Thanks

Scott Fella Fri, 01/24/2014 - 12:12

This is doable if your user group can be mapped to the same VLAN ID per site, or else it gets too crazy. You can define location and network device group in your RADIUS policies along with AD group or internal group logins. It's hard to tell you what you need to do, because there is not enough info on how a user is getting their VLAN assignments. There are a lot of RADIUS attributes you can use to get this to work.


Thanks,

Scott

Help out others by using the rating system and marking answered questions as "Answered"
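To make the reply's suggestion concrete, here is an added example (not from either poster, and not ACS code) that models an ordered authorization policy keyed on the network device group (site) of the WLC/AP plus the user's AD group; only a rule matching both returns the VLAN tunnel attributes, and everything else returns no VLAN attributes so the FlexConnect AP's static default VLAN applies. The site names, group names and VLAN numbers are constructed assumptions.

```python
# Added example: a small model of an ordered RADIUS authorization policy.
# It is not ACS's own API; it only shows the matching logic the reply describes.
from dataclasses import dataclass

# Standard RADIUS tunnel attribute values used for dynamic VLAN assignment
# (RFC 3580): Tunnel-Type = VLAN (13), Tunnel-Medium-Type = IEEE-802 (6).
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_802 = 6


@dataclass(frozen=True)
class Rule:
    location: str   # Network Device Group (Location) of the NAS, i.e. the site
    ad_group: str   # AD group the authenticated user must belong to
    vlan_id: int    # VLAN to return for this site + group combination


# Constructed sample policy (assumed names and VLAN IDs): tenant VLANs exist
# only at the multi-tenant site, so rules are scoped to that location.
POLICY = [
    Rule("MultiTenantSite", "TenantA-Users", 110),
    Rule("MultiTenantSite", "TenantB-Users", 120),
]


def authorize(location: str, user_groups: set[str]) -> dict:
    """Return RADIUS attributes for the first rule matching both the NAS
    location and one of the user's AD groups.

    An empty dict means "no VLAN override": the WLC then leaves the client
    on the VLAN statically configured on the FlexConnect AP, which is the
    behaviour wanted for tenant users roaming to another site and for
    visitors arriving at the multi-tenant site.
    """
    for rule in POLICY:
        if rule.location == location and rule.ad_group in user_groups:
            return {
                "Tunnel-Type": TUNNEL_TYPE_VLAN,
                "Tunnel-Medium-Type": TUNNEL_MEDIUM_802,
                "Tunnel-Private-Group-ID": str(rule.vlan_id),
            }
    return {}


if __name__ == "__main__":
    # Tenant A at home site -> VLAN 110; same user at a branch -> AP default.
    print(authorize("MultiTenantSite", {"TenantA-Users"}))
    print(authorize("BranchSite", {"TenantA-Users"}))
```

The second call is the roaming case from the question: because the rule is scoped to the site's network device group, the home-site VLAN is never returned at a branch.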
