08-12-2013 04:30 PM
So I'm trying to set up dynamic VLANs on an employee wireless connection using IAP 105s with a Windows Server 2008 RADIUS server backend. I want to be able to direct users to several different /24 VLANs based off their groups in AD (or some other attribute). I am completely new to setting up RADIUS with VSAs. How do I add the VSA attributes, and how do they connect through to the IAPs? Can this be done with a Windows-based RADIUS server?
I already have the RADIUS server authenticating users. That works perfectly; now I need it to tell the IAPs which VLAN users go onto.
08-12-2013 04:36 PM
If you click the edit button next to the network name, then go to the VLAN tab, change the Client VLAN Assignment to dynamic. You can then set up rules based on attributes coming back via RADIUS. This is similar to server-derived rules on the mobility controller side.
08-12-2013 04:42 PM - edited 08-12-2013 04:44 PM
For the Windows NPS server side, create multiple "Network Policies", one for each type of user (each unique attribute). Order the rules with the most specific group membership at the top.
Set the condition of the policy to be the AD user group. Then, on the Settings page, you can assign a standard RADIUS Filter-Id attribute, which can be anything you want. You then take that Filter-Id text and create the rule above ^.
08-12-2013 04:58 PM
If you want to bypass the attribute mapping piece in the virtual controller, you can configure NPS to return the VLAN value directly.
Instead of using the Filter-Id attribute under "Standard" attributes, go to Vendor Specific > Add > Custom > Vendor Specific > Add:
Vendor Code: 14823
Yes It Conforms
Vendor-assigned attribute number: 2
Attribute format: Decimal
Attribute value: <vlan-id>
This will return the VLAN ID in the RADIUS response.
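The two replies above describe the NPS side through the GUI only. As an added example (not from any poster, and not NPS or Aruba code), the script below builds the RADIUS Access-Accept that NPS ends up sending in each case and parses it back the way the IAP must: the standard Filter-Id attribute (type 11) for the attribute-mapping approach, and the Vendor-Specific attribute (type 26) carrying vendor code 14823, vendor-assigned attribute 2 (Aruba's dictionary calls it Aruba-User-Vlan, a 4-byte integer) for the direct-VLAN approach. The encodings follow RFC 2865; the shared secret, the Request Authenticator, the packet identifier, the "Engineers" tag and VLAN 20 are all constructed stand-ins. The parser also verifies the Response Authenticator (MD5 over code, id, length, Request Authenticator, attributes and secret), which is the integrity check that stops a spoofed Access-Accept from moving a client to another VLAN. It is useful when you are staring at a Wireshark capture and want to confirm that NPS is really emitting the VSA and not just the Filter-Id.

```python
"""Encode and decode a RADIUS Access-Accept carrying Filter-Id and the Aruba
Aruba-User-Vlan VSA, as an NPS-to-IAP exchange would. Added example; all
inputs (secret, authenticator, tag, VLAN) are constructed, not captured."""
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
ATTR_FILTER_ID = 11            # RFC 2865 Filter-Id, free-form text
ATTR_VENDOR_SPECIFIC = 26      # RFC 2865 Vendor-Specific
ARUBA_VENDOR_ID = 14823        # "Vendor Code" from the post
ARUBA_USER_VLAN = 2            # "Vendor-assigned attribute number" from the post


def attr(attr_type, value):
    """Standard attribute TLV: Type(1) Length(1, header included) Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def aruba_vsa(vendor_type, value):
    """RFC 2865 5.26 layout: 26, Length, Vendor-Id(4), then vendor sub-TLV."""
    sub = struct.pack("!BB", vendor_type, len(value) + 2) + value
    return attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", ARUBA_VENDOR_ID) + sub)


def encode_vlan_vsa(vlan):
    """The exact bytes NPS puts on the wire for 'Attribute format: Decimal'."""
    if not 1 <= vlan <= 4094:
        raise ValueError("VLAN id out of 802.1Q range")
    return aruba_vsa(ARUBA_USER_VLAN, struct.pack("!I", vlan))


def build_access_accept(identifier, request_auth, secret, filter_id=None, vlan=None):
    attrs = b""
    if filter_id is not None:
        attrs += attr(ATTR_FILTER_ID, filter_id.encode())
    if vlan is not None:
        attrs += encode_vlan_vsa(vlan)
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attrs))
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def parse_response(packet, request_auth, secret):
    """Verify the Response Authenticator, then walk the attributes."""
    if len(packet) < 20:
        raise ValueError("packet too short")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet")
    attrs = packet[20:]
    expected = hashlib.md5(packet[:4] + request_auth + attrs + secret).digest()
    if not hmac.compare_digest(packet[4:20], expected):
        raise ValueError("response authenticator mismatch")
    result = {"code": code, "identifier": identifier,
              "filter_id": [], "aruba_user_vlan": None}
    pos = 0
    while pos < len(attrs):
        if pos + 2 > len(attrs):
            raise ValueError("truncated attribute header")
        t, l = attrs[pos], attrs[pos + 1]
        if l < 2 or pos + l > len(attrs):
            raise ValueError("malformed attribute length")
        v = attrs[pos + 2:pos + l]
        if t == ATTR_FILTER_ID:
            result["filter_id"].append(v.decode("utf-8", "replace"))
        elif t == ATTR_VENDOR_SPECIFIC and len(v) >= 6:
            vendor_id = struct.unpack("!I", v[:4])[0]
            vt, vl = v[4], v[5]
            # Only Aruba's attribute 2 as a 4-byte integer is accepted here
            if vendor_id == ARUBA_VENDOR_ID and vt == ARUBA_USER_VLAN and vl == 6:
                result["aruba_user_vlan"] = struct.unpack("!I", v[6:10])[0]
        pos += l
    return result


SECRET = b"constructed-shared-secret"     # constructed
REQUEST_AUTH = bytes(range(16))           # constructed Request Authenticator


def demo():
    """Round-trip an Accept carrying both the Filter-Id tag and VLAN 20."""
    pkt = build_access_accept(7, REQUEST_AUTH, SECRET, filter_id="Engineers", vlan=20)
    return parse_response(pkt, REQUEST_AUTH, SECRET)


def tampered_vlan_is_rejected():
    """Flip the low byte of the VLAN in transit; the authenticator must fail."""
    pkt = build_access_accept(7, REQUEST_AUTH, SECRET, filter_id="Engineers", vlan=20)
    forged = pkt[:-1] + bytes([pkt[-1] ^ 1])   # VLAN 20 -> 21 without re-signing
    try:
        parse_response(forged, REQUEST_AUTH, SECRET)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(demo())
    print("tamper rejected:", tampered_vlan_is_rejected())
```

With the VSA present the IAP can take the VLAN straight from the Accept; with only the Filter-Id the virtual controller still has to map the tag through the dynamic-VLAN rule described in the first reply. The tamper function is the reason the shared secret matters more than it looks: MD5 is all that binds the VLAN value to the secret, so a weak secret or an unauthenticated path between NPS and the IAP is a VLAN-hopping risk.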
10-30-2014 04:58 PM
I am also trying to connect the client to different VLANs depending on the domain groups. It allows us to restrict at the firewall for non-Windows devices.
The RADIUS config is pretty straightforward and it is set up, but I am unable to find the option to select dynamic VLANs in the SSID config for my controller. Is that option specific to an OS version, or am I just looking in the wrong place?
10-30-2014 05:02 PM - edited 10-30-2014 05:02 PM
The screenshot is from Instant, not a controller.
If you aren't using the RADIUS VSAs to directly send a VLAN, you'll have to use Filter-Id with server derivation rules.
In your RADIUS server, return a "tag" (just descriptive text or a number) for the VLAN using the Filter-Id attribute.
In your controller, go to Configuration > Authentication > Servers > Server Group, then click your server group. Now add a rule to match the condition. (See below)