Cisco Support Community
Community Member

Dynamic VLANs

Is there any way to dynamically assign a VLAN when a guest user associates with an AP?

Using a Wireless LAN Controller.

I understand this is possible using ACS to assign the vlan dynamically but that requires a username and password to be input.

What I have in mind is for guest access but for each "guest" to be put into a separate VLAN without them having to configure any settings.

Cisco Employee

Re: Dynamic VLANs

Hello Ross,

There is a solution called AP Group VLAN, and this will cause all clients on the APs in the group to be assigned to a certain VLAN. Explained in detail here:

But this requires two different sets of APs. Otherwise you will need to use the AAA Override feature, which, as you mentioned, requires a username/password.

Hope this helps.



Community Member

Re: Dynamic VLANs

Thanks Aaron.

It's not quite what we are looking for though.

We want each guest user to be put into their own separate VLAN: the first user would go in VLAN 11, user 2 would go in VLAN 12, user 3 would go in VLAN 13, etc.

Cisco Employee

Re: Dynamic VLANs

Hi Ross,

You can configure something like AAA override where, as per the user identity, the VLAN will be assigned via the RADIUS server.

Suppose your user with name XXX logs in: it will check the RADIUS server, and if the RADIUS server is configured to return the interface name, it will return this as an attribute, and if that interface is created on your controller and mapped to some VLAN, your user XXX will be assigned to that VLAN only.

Check this link for more details
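
The per-user mapping described in the AAA override reply above, sketched as a FreeRADIUS `users` file. This is an added example, not part of any post in the thread; FreeRADIUS as the RADIUS server and the user names, passwords and interface names are assumptions, and each named interface must already exist on the controller and be mapped to the VLAN noted in the comment.

```conf
# Constructed sample entries for a FreeRADIUS "users" file.
# Assumptions: FreeRADIUS is the RADIUS server (the thread mentions ACS),
# AAA override is enabled on the guest WLAN, and the controller already has
# dynamic interfaces with these (hypothetical) names mapped to the VLANs shown.

# Guest 1 -> controller interface "guest-vlan11" (mapped to VLAN 11)
guest01  Cleartext-Password := "EXAMPLE-ONLY-1"
         Airespace-Interface-Name = "guest-vlan11"

# Guest 2 -> controller interface "guest-vlan12" (mapped to VLAN 12)
guest02  Cleartext-Password := "EXAMPLE-ONLY-2"
         Airespace-Interface-Name = "guest-vlan12"

# Same idea using the standard tunnel attributes instead of the
# interface-name attribute: the VLAN ID itself is returned.
guest03  Cleartext-Password := "EXAMPLE-ONLY-3"
         Tunnel-Type = VLAN,
         Tunnel-Medium-Type = IEEE-802,
         Tunnel-Private-Group-Id = "13"

# No DEFAULT entry hands out a VLAN: a user without an entry above gets no
# override attribute and stays on the interface configured for the WLAN.
```

Every guest still has to authenticate for the server to know which entry applies, which is the username/password requirement raised earlier in the thread.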



Community Member

Re: Dynamic VLANs

Besides VLANs, if all you're looking for is LAN segmentation (guest user isolation), you can enable one VLAN to use the Public Secure Packet Forwarding under the VLAN services tab on your APs. Each client is then fully segmented. As per Cisco's docs on the matter:

Public Secure Packet Forwarding

Public Secure Packet Forwarding (PSPF) prevents client devices associated to an access point from inadvertently sharing files or communicating with other client devices associated to the access point. It provides Internet access to client devices without providing other capabilities of a LAN.

No exchange of unicast, broadcast, or multicast traffic occurs between protected ports. Choose Enable so that the protected port can be used for secure mode configuration.

PSPF must be set per VLAN.

Note: To prevent communication between clients associated to different access points on your wireless LAN, you must set up protected ports on the switch to which your access points are connected.


Community Member

Re: Dynamic VLANs

You can create a VLAN, map an SSID to that VLAN, and disable authentication for it for guest users.
