06-05-2014 03:33 AM - edited 03-10-2019 09:46 PM
Hi dears,
We want to configure some VLANs (VLAN 2 - accounting department, VLAN 3 - helpdesk, VLAN 4 - sales, VLAN 5 - security, VLAN 6 - Engineer) for wireless users but use only one SSID, for example named Corporate. The WLC authenticates wireless users with Cisco ISE devices. ISE uses Active Directory (AD) as its external database. When accounting department employees connect to the Corporate SSID, the WLC or ISE assigns them the appropriate VLAN. How do I configure this topology? Please provide me with any documentation.
06-27-2014 10:52 AM
These docs include how to configure ISE and WLC to communicate with each other. These docs specify how to integrate AD with ISE and will help you with authorization rule configuration.
http://www.cisco.com/c/en/us/solutions/enterprise/design-zone-security/landing_DesignZone_TrustSec.html
Dynamic VLAN Assignment with RADIUS Server and Wireless LAN Controller Configuration:
http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-vlan/71683-dynamicvlan-config.html
Let me know if you need configuration steps.
11-14-2014 02:52 PM
It should work on Anchor as well; the client should take tagging and DHCP from it.
07-18-2014 01:21 AM
Please make rules in authorization like:
if ( wireless_802.1x) and ( Airspace Wlan ID EQUAL ssid_value ) AND (demoAD:ExternalGroups EQUALS demo.local/XXX/Groups/Staff) then staff_VLAN10
From the authorization results, you should have created one profile as staff_VLAN10, as below
09-12-2014 08:03 AM
Hi Salodh,
Your answer above is really helpful. But I would like to ask how the single SSID with multiple VLANs is configured in the WLC. Would you have to create separate dynamic interfaces for each VLAN, create an interface group, then assign the SSID to the interface group, or would you use the management interface and the switch does the VLAN assignment based on the VLAN tag from the AAA override?
09-16-2014 06:09 AM
In most WLAN systems, each WLAN has a static policy that applies to all clients associated with a Service Set Identifier (SSID), or WLAN in the controller terminology. Although powerful, this method has limitations because it requires clients to associate with different SSIDs in order to inherit different QoS and security policies.
However, the Cisco WLAN solution supports identity networking. This allows the network to advertise a single SSID, but allows specific users to inherit different QoS or security policies based on the user credential.
Dynamic VLAN assignment is one such feature that places a wireless user into a specific VLAN based on the credentials supplied by the user. This task of assigning users to a specific VLAN is handled by a RADIUS authentication server, such as CiscoSecure ACS. This can be used, for example, to allow the wireless host to remain on the same VLAN as it moves within a campus network.
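The authorization rule quoted in the earlier reply and the dynamic VLAN assignment described above, modelled as an added example that is not part of any post in this thread and is not ISE or WLC code. The VLAN numbers come from the original question; the WLAN ID, the AD group paths and the rule order are constructed assumptions, and the returned attributes are the standard RFC 3580 tunnel attributes.

```python
# Added illustration, not ISE or WLC code: first-match authorization that
# returns the RFC 3580 tunnel attributes used for dynamic VLAN assignment.
# The WLC applies them only when AAA override is enabled on the WLAN.
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    wlan_id: int   # WLAN ID of the single SSID on the controller
    ad_group: str  # AD group the user must belong to
    vlan: int      # VLAN returned to the controller

WLAN_ID = 1  # assumed ID of the "Corporate" WLAN
# VLAN numbers follow the question; group paths are constructed samples.
RULES = [
    Rule("security", WLAN_ID, "example.local/Groups/Security", 5),
    Rule("accounting", WLAN_ID, "example.local/Groups/Accounting", 2),
    Rule("helpdesk", WLAN_ID, "example.local/Groups/Helpdesk", 3),
    Rule("sales", WLAN_ID, "example.local/Groups/Sales", 4),
    Rule("engineer", WLAN_ID, "example.local/Groups/Engineer", 6),
]

def vlan_attributes(vlan: int) -> dict:
    """RADIUS attributes 64, 65 and 81 that tell the WLC which VLAN to use."""
    return {
        "Tunnel-Type": "VLAN",
        "Tunnel-Medium-Type": "802",
        "Tunnel-Private-Group-ID": str(vlan),
    }

def authorize(request: dict) -> tuple:
    """Evaluate rules top-down; the first match wins, no match is rejected."""
    if request.get("auth_method") != "wireless_802.1x":
        return "Access-Reject", {}
    groups = set(request.get("ad_groups", []))
    for rule in RULES:
        if request.get("wlan_id") == rule.wlan_id and rule.ad_group in groups:
            return "Access-Accept", vlan_attributes(rule.vlan)
    # Default rule: a user in no mapped group gets no VLAN at all.
    return "Access-Reject", {}
```

In this model a user who belongs to both Sales and Security lands in VLAN 5 because the security rule is listed first, so rule order is part of the policy.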
09-16-2014 06:49 AM
Hi Monahak,
Thanks. I came across the link after my post. However, I know that dynamic VLAN assignment was not supported in an Anchor WLC setup. But do you know if it's now supported from WLC 7.6?
08-10-2016 12:01 AM
Hi,
Can you share the document here, or how you did it?
Thanks