Cisco Support Community
Community Member

single SSID with multiple vlans in cisco WLAN


Hi Experts,

We implemented a WLAN in the corporate office using Cisco 2500 WLCs and Cisco 1600 APs. We also have two remote sites where we are using Cisco 1600 APs connected to the corporate WLC in FlexConnect mode.

Currently we have three different SSIDs in three sites using AP groups, i.e. in the corporate office all APs are grouped to one SSID, and for the other two remote sites the APs are grouped to their respective SSIDs using central authentication and local switching mode.

Now the customer wants to have a single SSID across all sites with multiple VLANs depending on the user group, i.e. managers, engineers and guests. These clients should use local VLANs for traffic once authenticated.

Please find the example below.

For example:

SSID: Cisco123

corporate office:

Management group: vlan 30

Engineer group: vlan 31

Guest: vlan 32 

Remote site1: 

Management group: vlan 40

Engineer group: vlan 41

Guest: vlan 42 

Remote site2: 

Management group: vlan 50

Engineer group: vlan 51

Guest: vlan 52 


Is it possible to implement the above requirement with the Cisco 2500 WLC? Please do the needful.





VIP Purple

Is this a dot1X SSID? If so, you can use the aaa-override feature to assign a VLAN to users based on their AD group.



**** Pls rate all useful responses ****

Community Member

Hi Rasika,

Thanks for your response. If a dot1x SSID supports our requirement, we will go for it.

Also, I want to clarify one thing in the above requirement: users in all groups move from one site to another, and these users should get local VLANs for traffic according to the site.

For example:

If a management user is in the corporate office, they should get a vlan30 IP address for traffic (corporate office local VLAN).

If the same user moves to Remote office1, they should get a vlan40 IP address (Remote office1 local VLAN) for traffic.

If the same user moves to Remote office2, they should get a vlan50 IP address (Remote office2 local VLAN) for traffic.

So could you please check and let us know if this requirement is supported with a dot1x SSID?



Hi,

As Rasika mentioned, you can use the aaa-override feature to accomplish your task.

Regarding your example, you can do it by creating multiple rules based on the conditions you described.

Keep in mind that you need an AAA server for this, like ACS or ISE.

Hope this helps,


Community Member

ISE is definitely the way to go on this.


Hi,

Please go through the same post below.

Community Member

Re: Hi,Please go through the WLC and ISE for multiple vlans and single ssid


I am not able to find the link for WLC and ISE for multiple VLANs and a single SSID.

I am not able to achieve this.


I have the VLANs below:

Student-BYOD 122 GEP-STD-FDN-WLN 510
Student-BYOD 124 GEP-STD-YR1-WLN 510
Student-BYOD 126 GEP-STD-YR2-WLN 510
Student-BYOD 128 GEP-STD-YR3-WLN 510
Student-BYOD 130 GEP-STD-YR4-WLN 510
Student-BYOD 132 GEP-STD-YR5-WLN 510
Student-BYOD 134 GEP-STD-YR6-WLN 510
Student-BYOD 136 GEP-STD-YR7-WLN 510
Student-BYOD 138 GEP-STD-YR8-WLN 510
Student-BYOD 140 GEP-STD-YR9-WLN 510
Student-BYOD 142 GEP-STD-YR10-WLN 510
Student-BYOD 144 GEP-STD-YR11-WLN 510
Student-BYOD 146 GEP-STD-YR12-WLN 510
Student-BYOD 148 GEP-STD-YR13-WLN 510
Staff-BYOD 150 GEP-STF-BYD-WLN 510
Guests / Parents 152 GEP-GST-GEN-WLN 254

Now I need to map all student VLANs to a single SSID. Please guide.

The WLC and ISE have reachability, and AD integration with ISE is done.

Re: Hi,Please go through the WLC and ISE for multiple vlans and single ssid

You could now create an AD group per VLAN. Into each of those AD groups you add 1/10th or less of the students, each student into one group.
On the ISE you make an Authorization Policy where, depending on the AD group, you assign a VLAN configuration.
In my case this looks (for just one VLAN on ISE 2.3) like this:


Now you can just add one more line per VLAN to this Authorization Policy. Please note, my image is for PEAP-EAP-TLS, but you can of course use it without TLS.

Btw. I'm running a /21 wireless network without any issues, so you might want to create bigger subnets, to ease this configuration.
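
The per-site, per-group VLAN rules discussed in this thread, as an added example that is not from any poster and is not Cisco or ISE code: it maps a site and group to the VLAN numbers from the first post and encodes the three standard RADIUS tunnel attributes (RFC 2868, RFC 3580) that an AAA server returns for dynamic VLAN assignment. The site and group labels and all function names are assumptions, as is the way the AAA server learns which site a request came from.

```python
import struct

# Constructed policy table using the VLAN numbers from the first post.
# Assumption: the AAA server can tell which site a request came from.
VLAN_POLICY = {
    ("corporate", "management"): 30, ("corporate", "engineer"): 31, ("corporate", "guest"): 32,
    ("remote1", "management"): 40, ("remote1", "engineer"): 41, ("remote1", "guest"): 42,
    ("remote2", "management"): 50, ("remote2", "engineer"): 51, ("remote2", "guest"): 52,
}
# RADIUS attribute numbers and values for VLAN assignment (RFC 2868, RFC 3580).
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
VLAN, IEEE_802 = 13, 6

def authorize(site, group):
    """Return the VLAN for (site, group), or None to reject instead of
    letting an unmatched user fall back to the WLAN's default interface."""
    return VLAN_POLICY.get((site, group))

def tunnel_attrs(vlan_id, tag=0):
    """Encode the three attributes as RADIUS TLVs (type, length, value)."""
    def tagged_int(attr, value):
        # Tag byte followed by a 3-byte big-endian value.
        return struct.pack("!BBB", attr, 6, tag) + value.to_bytes(3, "big")
    # The tag byte of Tunnel-Private-Group-ID is optional; omit it when tag is 0.
    body = (bytes([tag]) if tag else b"") + str(vlan_id).encode()
    return (tagged_int(TUNNEL_TYPE, VLAN) + tagged_int(TUNNEL_MEDIUM_TYPE, IEEE_802)
            + struct.pack("!BB", TUNNEL_PRIVATE_GROUP_ID, 2 + len(body)) + body)

def accept_attrs(site, group):
    """Attributes for an Access-Accept, or None when the request is rejected."""
    vlan = authorize(site, group)
    return None if vlan is None else tunnel_attrs(vlan)

def parse_vlan(attrs):
    """Decode TLVs; return the VLAN id only if all three attributes are valid."""
    seen, i = {}, 0
    while i < len(attrs):
        if i + 2 > len(attrs) or attrs[i + 1] < 3 or i + attrs[i + 1] > len(attrs):
            raise ValueError("malformed RADIUS attribute")
        seen[attrs[i]] = attrs[i + 2:i + attrs[i + 1]]
        i += attrs[i + 1]
    if int.from_bytes(seen.get(TUNNEL_TYPE, b"")[1:], "big") != VLAN:
        return None
    if int.from_bytes(seen.get(TUNNEL_MEDIUM_TYPE, b"")[1:], "big") != IEEE_802:
        return None
    gid = seen.get(TUNNEL_PRIVATE_GROUP_ID, b"")
    if gid and 1 <= gid[0] <= 0x1F:  # a leading byte in 0x01-0x1F is a tag
        gid = gid[1:]
    return int(gid) if gid.isdigit() else None
```

Returning no attributes for an unknown group is a choice made in this example; whatever the fallback is, it should not be a VLAN with more access than the user's group warrants.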
