urgent: WLC - One SSID different VLANs using AP Groups

pranavam_dileep
Level 1

hi all,

I am using a Cisco WLC 5508 with version 7. I need to set up a wireless network with one SSID for different VLANs. The setup has been created with different AP Groups, and it is working fine. But the problem is that access points in different AP Groups are nearby, i.e. they can see each other, so the same wireless users are randomly connecting to different AP Groups (i.e. different VLANs). I need the same wireless user to associate to a particular VLAN at all times. I used MAC filtering locally, so that the user MAC address is bound to only one dynamic interface, i.e. VLAN. But still the same wireless users are randomly switching to different AP groups. Please give a solution for this.

Regards

Dileep

3 Replies

Nicolas Darchis
Cisco Employee

hi,

AP groups is a way of doing "per geographical location VLAN assignment".

You say you want "per user VLAN assignment". This is done through RADIUS. Have your users authenticate through RADIUS (MAC address or EAP method) and assign them back a VLAN.

Don't forget to enable AAA override on the WLAN for this to work.

Hope this helps.

Nicolas

===

Don't forget to rate answers that you find useful
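The mechanism described above (RADIUS returns a VLAN, and the WLC honours it only when AAA override is on) rests on the three RFC 2868 tunnel attributes that carry a VLAN in an Access-Accept: Tunnel-Type (64) = VLAN (13), Tunnel-Medium-Type (65) = IEEE-802 (6) and Tunnel-Private-Group-ID (81) = the VLAN. The Python below is an added illustration, not Cisco code and not from this thread: it encodes and decodes those attributes, then models the WLC's choice between the RADIUS VLAN and the AP-group VLAN. The constructed Access-Accept payload, the `select_vlan` decision function and its fallback behaviour are assumptions for the example, not a description of how any WLC release resolves a VLAN it has no dynamic interface for.

```python
import struct

# RFC 2868 tunnel attributes used for dynamic VLAN assignment.
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6


def encode_avp(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as Type | Length | Value (length counts the header)."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_vlan_accept_attrs(vlan_id: int, tag: int = 0) -> bytes:
    """Build the attribute triple a RADIUS server returns to place a user in vlan_id.

    Tunnel attributes start with a one-byte tag (0 = untagged) before the value.
    """
    tag_byte = bytes([tag])
    return (
        encode_avp(TUNNEL_TYPE, tag_byte + struct.pack("!I", TUNNEL_TYPE_VLAN)[1:])
        + encode_avp(TUNNEL_MEDIUM_TYPE, tag_byte + struct.pack("!I", TUNNEL_MEDIUM_IEEE_802)[1:])
        + encode_avp(TUNNEL_PRIVATE_GROUP_ID, tag_byte + str(vlan_id).encode())
    )


def parse_avps(data: bytes) -> list:
    """Split a RADIUS attribute blob into (type, value) pairs, rejecting malformed lengths."""
    attrs, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, data[pos + 2:pos + length]))
        pos += length
    return attrs


def vlan_from_attrs(attrs: list):
    """Return the VLAN requested by the Access-Accept, or None if the triple is incomplete."""
    tunnel_type = tunnel_medium = group_id = None
    for attr_type, value in attrs:
        if attr_type == TUNNEL_TYPE and len(value) == 4:
            tunnel_type = int.from_bytes(value[1:], "big")
        elif attr_type == TUNNEL_MEDIUM_TYPE and len(value) == 4:
            tunnel_medium = int.from_bytes(value[1:], "big")
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID and value:
            # RFC 2868: the first byte is a tag only when it is <= 0x1F; otherwise it is data.
            group_id = value[1:] if value[0] <= 0x1F else value
    if tunnel_type == TUNNEL_TYPE_VLAN and tunnel_medium == TUNNEL_MEDIUM_IEEE_802 and group_id:
        return group_id.decode("ascii", errors="replace")
    return None


def select_vlan(ap_group_vlan: int, accept_attrs: bytes, aaa_override: bool) -> int:
    """Model the WLC decision (assumption for this example): with AAA override enabled a
    complete, numeric RADIUS VLAN wins; otherwise the AP group's interface VLAN is used."""
    vlan = vlan_from_attrs(parse_avps(accept_attrs))
    if aaa_override and vlan is not None and vlan.isdigit():
        return int(vlan)
    return ap_group_vlan


if __name__ == "__main__":
    # Constructed Access-Accept placing the user in VLAN 20; the AP group would give VLAN 10.
    accept = build_vlan_accept_attrs(20)
    print("AAA override on :", select_vlan(10, accept, aaa_override=True))
    print("AAA override off:", select_vlan(10, accept, aaa_override=False))
```

Note that with AAA override disabled the RADIUS VLAN is parsed but ignored, which is exactly the symptom in the question: the user lands wherever the AP group puts them.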

hi ,

thanks for your quick reply. Yes, I understand your solution; for this we have to use 802.1x authentication for wireless users, am I right? But all the wireless users are domain users, so does 802.1x support Windows AD SSO? Also, does 802.1x depend on the client wireless network adaptors? We are also doing NAC L2 OOB Virtual Gateway for wireless users, which should support Windows AD SSO.

Regards

Dileep

The windows default supplicant allows for SSO with dot1x without issue. Either with the machine account or the user account.

The checkbox on windows client is something like "use windows credentials".

This way it would be SSO but 2 authentications would happen (dot1x and NAC).

You can also totally skip the NAC authentication if you rely on the dot1x. Then you need to do "like" NAC VPN SSO where the WLC sends an accounting packet to the NAC to automatically authenticate the user. This would speed up the process a bit.

But I think it's better to go step by step and implement dot1x first ;-)

Nicolas

===

Don't forget to rate answers that you find useful
