
Cisco ISE VLAN assignment

teymur azimov
Level 1

Hi dears,

We want to configure some VLANs (VLAN 2 - accounting department, VLAN 3 - helpdesk, VLAN 4 - sales, VLAN 5 - security, VLAN 6 - Engineer) for wireless users but use only one SSID, for example named Corporate. The WLC authenticates wireless users with Cisco ISE devices. ISE uses Active Directory (AD) as an external database. When accounting department employees connect to the Corporate SSID, the WLC or ISE assigns them the appropriate VLAN. How do I configure this topology? Please provide me any documentation.

7 Replies

Venkatesh Attuluri
Cisco Employee

These docs include how to configure ISE and WLC to communicate with each other. These docs specify how to integrate AD with ISE and will help you with authorization rule configuration.

http://www.cisco.com/c/en/us/solutions/enterprise/design-zone-security/landing_DesignZone_TrustSec.html

Dynamic VLAN Assignment with RADIUS Server and Wireless LAN Controller Configuration:

http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-vlan/71683-dynamicvlan-config.html

Let me know if you need configuration steps.

It should work on Anchor as well; the client should take tagging and DHCP from it.

Saurav Lodh
Level 7

Please make rules in authorization like:

if ( wireless_802.1x) and ( Airspace Wlan ID EQUAL ssid_value ) AND (demoAD:ExternalGroups EQUALS demo.local/XXX/Groups/Staff) then staff_VLAN10

From the authorization results, you should have created one profile as staff_VLAN10 as below

Hi Salodh,

Your answer above is really helpful. But I would like to ask how the single SSID with multiple VLANs is configured in the WLC. Would you have to create separate dynamic interfaces for each VLAN, create an interface group, then assign the SSID to the interface group, or would you use the management interface and the switch does the VLAN assignment based on the VLAN tag from the AAA override?

In most WLAN systems, each WLAN has a static policy that applies to all clients associated with a Service Set Identifier (SSID), or WLAN in the controller terminology. Although powerful, this method has limitations because it requires clients to associate with different SSIDs in order to inherit different QoS and security policies.

However, the Cisco WLAN solution supports identity networking. This allows the network to advertise a single SSID, but allows specific users to inherit different QoS or security policies based on the user credential.

Dynamic VLAN assignment is one such feature that places a wireless user into a specific VLAN based on the credentials supplied by the user. This task of assigning users to a specific VLAN is handled by a RADIUS authentication server, such as CiscoSecure ACS. This can be used, for example, to allow the wireless host to remain on the same VLAN as it moves within a campus network.

http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-vlan/71683-dynamicvlan-config.html
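
An added example, not part of any post in this thread and not Cisco's code: a small Python model of the authorization logic discussed above (802.1X wireless, WLAN ID, AD group, then a VLAN profile), returning the standard RFC 3580 tunnel attributes a RADIUS server sends for dynamic VLAN assignment. The AD group paths, the WLAN ID value and the reject-by-default behaviour are assumptions made for the illustration; the VLAN numbers follow the original question.

```python
from dataclasses import dataclass

# Rule order matters: the first matching AD group decides the VLAN.
# Group paths are hypothetical; VLAN IDs follow the departments in the question.
GROUP_VLAN = {
    "demo.local/Groups/Accounting": 2,
    "demo.local/Groups/Helpdesk": 3,
    "demo.local/Groups/Sales": 4,
    "demo.local/Groups/Security": 5,
    "demo.local/Groups/Engineer": 6,
}
CORPORATE_WLAN_ID = 1  # assumed WLAN ID of the single Corporate SSID


@dataclass
class Request:
    wireless_8021x: bool   # request came in as wireless 802.1X
    wlan_id: int           # WLAN ID reported by the controller
    ad_groups: list        # external (AD) groups of the authenticated user


def vlan_attributes(vlan_id):
    """Access-Accept attributes for dynamic VLAN assignment (RFC 3580)."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID out of range")
    return {
        "Tunnel-Type": 13,                     # 13 = VLAN
        "Tunnel-Medium-Type": 6,               # 6 = IEEE 802
        "Tunnel-Private-Group-ID": str(vlan_id),
    }


def authorize(req):
    """First matching rule wins; unmatched requests are rejected (assumption)."""
    if not (req.wireless_8021x and req.wlan_id == CORPORATE_WLAN_ID):
        return ("Access-Reject", {})
    for group, vlan in GROUP_VLAN.items():     # dict order is the rule order
        if group in req.ad_groups:
            return ("Access-Accept", vlan_attributes(vlan))
    return ("Access-Reject", {})
```

The controller applies the returned VLAN only on a WLAN that has AAA override enabled, and the VLAN must exist on the controller side for the client to be placed in it.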

Hi Monahak,

Thanks. I came across the link after my post. However, I know that dynamic vlan assignment was not supported in Anchor WLC setup. But do you know if it's now supported from WLC 7.6?

Hi,

Can you share the document here, or how you did it?

Thanks
