Cisco Support Community
New Member

urgent: WLC - One SSID different VLANs using AP Groups

hi all,

I am using a Cisco WLC 5508 with version 7. I need to set up a wireless network with one SSID for different VLANs. The setup has been created with different AP Groups and it's working fine. But the problem is that access points in different AP Groups are nearby, i.e. they can see each other, i.e. the same wireless users are randomly connecting to different AP Groups (i.e. different VLANs). I need the same wireless user to associate to a particular VLAN at all times. I used MAC filtering locally, so that the user's MAC address is bound to only one dynamic interface, i.e. VLAN. But still the same wireless users are randomly switching to different AP Groups. Please give a solution for this.

Regards

Dileep

3 REPLIES
Cisco Employee

Re: urgent: WLC - One SSID different VLANs using AP Groups

hi,

AP groups are a way of doing "per geographical location VLAN assignment".

You say you want "per user VLAN assignment". This is done through RADIUS. Have your users authenticate through RADIUS (MAC address or EAP method) and assign them back a VLAN.

Don't forget to enable AAA override on the WLAN for this to work.

Hope this helps.

Nicolas

===

Don't forget to rate answers that you find useful
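An added example, not part of the reply above: a check that a RADIUS Access-Accept actually carries a per-user VLAN. It assumes the server returns the IETF tunnel attributes from RFC 2868 / RFC 3580 (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID), which the thread does not name; the sample packet is constructed and its authenticator is not validated.

```python
import struct

# IETF tunnel attributes for per-user VLAN assignment (assumed; RFC 2868 / RFC 3580)
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TYPE_VLAN, MEDIUM_IEEE_802, ACCESS_ACCEPT = 13, 6, 2

def encode_vlan_attrs(vlan_id, tag=0):
    """Build the three attribute TLVs a RADIUS server returns to assign a VLAN."""
    def tagged_int(attr, value):
        # type, length=6, one tag octet, 24-bit value
        return bytes([attr, 6, tag]) + value.to_bytes(3, "big")
    group = str(vlan_id).encode()
    if tag:  # string attributes carry the tag octet only when a tag is set
        group = bytes([tag]) + group
    return (tagged_int(TUNNEL_TYPE, TYPE_VLAN)
            + tagged_int(TUNNEL_MEDIUM_TYPE, MEDIUM_IEEE_802)
            + bytes([TUNNEL_PRIVATE_GROUP_ID, 2 + len(group)]) + group)

def build_accept(attrs):
    """Constructed Access-Accept: code, id, length, zeroed authenticator, attributes."""
    return struct.pack("!BBH", ACCESS_ACCEPT, 1, 20 + len(attrs)) + bytes(16) + attrs

def parse_attrs(packet):
    """Return (code, [(type, value), ...]); raise ValueError on malformed input."""
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((packet[pos], packet[pos + 2:pos + packet[pos + 1]]))
        pos += packet[pos + 1]
    return code, attrs

def assigned_vlan(packet):
    """VLAN string from an Access-Accept, or None if the triplet is incomplete."""
    code, attrs = parse_attrs(packet)
    seen = {}
    for atype, value in attrs:
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE) and len(value) == 4:
            seen[atype] = int.from_bytes(value[1:], "big")  # skip the tag octet
        elif atype == TUNNEL_PRIVATE_GROUP_ID and value:
            # a first octet <= 0x1F is a tag, otherwise it is part of the string
            raw = value[1:] if value[0] <= 0x1F else value
            seen[atype] = raw.decode("ascii", "replace")
    if (code != ACCESS_ACCEPT or seen.get(TUNNEL_TYPE) != TYPE_VLAN
            or seen.get(TUNNEL_MEDIUM_TYPE) != MEDIUM_IEEE_802):
        return None
    return seen.get(TUNNEL_PRIVATE_GROUP_ID)
```

An Access-Accept that returns `None` here gives the controller no per-user VLAN to apply, so the client stays on whatever interface the AP group maps to.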

New Member

Re: urgent: WLC - One SSID different VLANs using AP Groups

hi,

Thanks for your quick reply. Yes, I understand your solution; for this we have to use 802.1x authentication for wireless users, am I right? But all the wireless users are domain users; does 802.1x support Windows AD SSO? Also, does 802.1x depend on the client wireless network adapters? We are also doing NAC L2 OOB Virtual Gateway for wireless users, which should support Windows AD SSO.

Regards

Dileep

Cisco Employee

Re: urgent: WLC - One SSID different VLANs using AP Groups

The Windows default supplicant allows for SSO with dot1x without issue, either with the machine account or the user account.

The checkbox on the Windows client is something like "use windows credentials".

This way it would be SSO but 2 authentications would happen (dot1x and NAC).

You can also totally skip the NAC authentication if you rely on the dot1x. Then you need to do "like" NAC VPN SSO where the WLC sends an accounting packet to the NAC to automatically authenticate the user. This would speed up the process a bit.

But I think it's better to go step by step and implement dot1x first ;-)

Nicolas

===

Don't forget to rate answers that you find useful
