Controllerless Networks

So I'm trying to setup dynamic Vlans on an employee wireless connection using IAP 105s with a Windows server 2008 Radius server backend. I want to be able to direct users to several different /24 vlans based off their groups in AD (or some other attribute). I am completely new to setting up Radius with VSAs. How do I add the VSA attributes and how do they connect through to the IAPs? Can this be done with a windows based radius server?

I already have the radius server authenticating users. That works perfectly, now I need it to tell the iaps which vlan users go on to.

If you click the edit button next to the network name, then go to the VLAN tab, change the Client VLAN Assignment to dynamic. You can then set up rules based on attributes coming back via RADIUS. This is similar to server-derived rules on the mobility controller side.

For the Windows NPS server side, create multiple "Network Policies" for each type of user (each unique attribute). Order the rules with the most specific group membership at the top.

Set the condition of the policy to be the AD User Group. Then on the settings page, you can assign a standard RADIUS Filter-ID attribute which can be anything you want. You then take that filter-ID text and create the rule above ^.

If you want to bypass the attribute mapping piece in the virtual controller, you can configure NPS to return the VLAN value directly.

Instead of using the filter-ID attribute under "Standard" attributes, go to Vendor Specific > Add > Custom > Vendor Specific > Add:

Vendor Code: 14823

Yes It Conforms

Vendor-assigned attribute number: 2

Attribute format: Decimal
Attribute value: <vlan-id>

This will return the VLAN ID in the RADIUS response.

thanks! That is exactly what I was looking for. This worked perfectly.

Tim,

Is that option restricted to a specific version?

I have a 3600 controller running 6.3.1 (we still have AP65's) and I do not see that option

Mark

Which option?

lol, sorry.

I am also trying to connect the client to different vlans depending on the domain groups. It allows us to restrict at the firewall for non-windows devices

The RADIUS config is pretty straightforward and it is set up, but I am unable to find the option to select dynamic vlans in the SSID config for my controller. Is that option specific to a OS version? or am I just looking in the wrong place

Mark

The screenshot is from Instant, not a controller. 

If you are't using the RADIUS VSAs to directly send a VLAN, you'll have to use filter-id with server derivation rules.

In your RADIUS server, return a "tag" (just descriptive text or number) for the VLAN using the filter-id attribute.

In your controller, go to Configuration > Authentication >  Servers > Server Group, then click your server group.  Now add a rule to match the condition. (See below)

you sir are a genius!

That is exactly what I needed. We have the "Set role" defined and I never thought to check to see if other possibilities existed.

Thanks!

Mark

Hi Guys i have an issue with the dynamic vlans , which is :-

- i configured IAPs to authenticate form RADUIS Server , but i need the client to get IPs form the vlan which the RADUIS mapped it , so i set attribute with vlans , but the max was 9 attributes .

- is there a limitation for the attributes ?

- i need to config at least 400 attributes for 400 Vlans , any advice ?

but it doesnt accept more than 9 lines Victor do you why ?

the Customer is divding the companies into 400 small workshops ;)