Cisco Support Community
New Member

Wireless Dynamic Vlan Assignment

Hi, I was wondering if someone could help with the following please:

I have the following wireless setup:

Dual 5508 WLCs in data centre (Primary/Secondary), 2600 APs deployed over several sites operating in flexconnect mode with local switching and centralised authentication to AD via an ACS 5.1 (also located in data centre) using PEAP (user not machine). At all existing sites, static vlans have been applied to the access points so that once users have been authenticated they drop into the defined vlan.

However, we have a new site which will be multi-tenanted, where multiple users from different domains will be connecting to the same AP infrastructure. These users need to be dropped into different vlans. Therefore the current configuration described above will not scale. As such I have amended the existing ACS configuration so that any users that connect from the specified directory groups from these domains are allocated radius attributes that place them into the correct vlan - dynamic vlan assignment. In addition, if any users from other sites visit the new site they are dropped into the default vlan assigned to the AP as with the existing flexconnect configuration.

However (and here is the problem I am facing), when a user from this new site goes to one of the other existing sites and authenticates, they are still being allocated the radius attributes for the vlan of their home site, and as these vlans do not exist on the site LAN that they are visiting, this results in no network connectivity. My question is: how do I have a policy on ACS that supports my multi-tenant environment site but also allows these users to visit other sites and use the default vlan assigned to the APs?


Hall of Fame Super Silver

Wireless Dynamic Vlan Assignment

This is doable if your user group can be mapped to the same vlan ID per site, or else it gets too crazy. You can define location and network device group in your radius policies along with AD group or internal group logins. It's hard to tell you what you need to do, because there is not enough info on how a user is getting their vlan assignments. There are a lot of radius attributes you can use to get this to work.



Help out others by using the rating system and marking answered questions as "Answered"

*** Please rate helpful posts ***
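
An added example, not part of either post and not ACS configuration: a small Python model of first-match authorization rules, showing why a rule keyed on AD group alone returns the home vlan at every site and how adding a site condition leaves visiting users on the AP's default vlan. The site names, group names, vlan IDs and the way the policy learns which site a request came from are all assumptions.

```python
from dataclasses import dataclass
from typing import Optional

def vlan_attrs(vlan_id):
    """RFC 3580 tunnel attributes that carry a VLAN ID in an Access-Accept."""
    return {"Tunnel-Type": "VLAN",
            "Tunnel-Medium-Type": "IEEE-802",
            "Tunnel-Private-Group-ID": str(vlan_id)}

@dataclass(frozen=True)
class Rule:
    name: str
    site: Optional[str]      # None matches any site
    ad_group: Optional[str]  # None matches any user
    vlan_id: Optional[int]   # None: accept without VLAN attributes

# Constructed names and VLAN IDs, for illustration only.
GROUP_ONLY = [  # the policy described in the question: keyed on AD group alone
    Rule("TenantA", None, "TENANT-A\\Wireless", 110),
    Rule("TenantB", None, "TENANT-B\\Wireless", 120),
    Rule("Default", None, None, None),
]
SITE_SCOPED = [  # same rules, but the VLAN override applies only at the home site
    Rule("TenantA-home", "new-site", "TENANT-A\\Wireless", 110),
    Rule("TenantB-home", "new-site", "TENANT-B\\Wireless", 120),
    Rule("Default", None, None, None),
]

def authorize(rules, site, ad_groups):
    """Return (rule name, Access-Accept attributes) for the first matching rule."""
    for rule in rules:
        if rule.site is not None and rule.site != site:
            continue
        if rule.ad_group is not None and rule.ad_group not in ad_groups:
            continue
        # Empty attributes: the client stays on the VLAN statically set on the AP.
        attrs = vlan_attrs(rule.vlan_id) if rule.vlan_id is not None else {}
        return rule.name, attrs
    return "no-match", None  # no rule matched: reject

if __name__ == "__main__":
    user = {"TENANT-A\\Wireless"}
    for label, rules in (("group-only", GROUP_ONLY), ("site-scoped", SITE_SCOPED)):
        for site in ("new-site", "existing-site"):
            print(label, site, authorize(rules, site, user))
```

Rule order matters in a first-match policy: the site-scoped tenant rules must sit above the catch-all, or the catch-all wins and no vlan is ever returned.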