Have an account?

  •   Personalized content
  •   Your products and support

Need an account?

Create an account

Dynamic VLAN Assignment with WLCs based on ISE to Active Directory Group Mapping Configuration Example

Available Languages

Download Options

  • PDF     (2.1 MB)
    View with Adobe Reader on a variety of devices
  • ePub     (2.2 MB)
    View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
  • Mobi (Kindle)     (2.5 MB)
    View on Kindle device or Kindle app on multiple devices
Updated:May 31, 2019
Document ID:99121

Introduction

This document introduces the concept of dynamic VLAN assignment. The document describes how to configure the wireless LAN controller (WLC) and ISE server to assign wireless LAN (WLAN) clients into a specific VLAN dynamically.

Prerequisites

Requirements

Ensure that you meet these requirements before you attempt this configuration:

  • Have basic knowledge of Wireless LAN Controllers (WLCs) and Lightweight Access Points (LAPs)

  • Have functional knowledge of an Authentication,Authorization and Accounting (AAA) server such as Identity Services Engine (ISE)

  • Have thorough knowledge of wireless networks and wireless security issues.
  • Have functional and configurable knowledge on dynamic VLAN assignment
  • Have basic understanding of Microsoft Windows AD services, as well as domain controller and DNS concepts
  • Have basic knowledge of Control And Provisioning of Access Point protocol (CAPWAP)

Components Used

The information in this document is based on these software and hardware versions:

  • Cisco 5520 Series WLC that runs firmware release 8.8.111.0

  • Cisco 4800 Series AP

  • Native Windows supplicant and Anyconnect NAM.

  • Cisco Secure ISE version 2.3.0.298

  • Microsoft Windows 2016 Server configured as a domain controller

  • Cisco 3560-CX Series Switch that runs version 15.2(4)E1

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Conventions

Refer to Cisco Technical Tips Conventions for more information on document conventions.

  

Dynamic VLAN Assignment with RADIUS Server

In most WLAN systems, each WLAN has a static policy that applies to all clients associated with a Service Set Identifier (SSID), or WLAN in the controller terminology. Although powerful, this method has limitations because it requires clients to associate with different SSIDs in order to inherit different QoS and security policies.

Cisco WLAN solution addresses that limitation by support of identity networking. That allows the network to advertise a single SSID, but allows specific users to inherit different QoS, VLAN attributes and/or security policies based on the user credential.

Dynamic VLAN assignment is one such feature that places a wireless user into a specific VLAN based on the credentials supplied by the user. This task of assigning users to a specific VLAN is handled by a RADIUS authentication server, such as Cisco ISE. This can be used, for example, to allow the wireless host to remain on the same VLAN as it moves within a campus network.

Cisco ISE server authenticates wireless users against one of several possible databases, which includes its internal database, e.g:

  • Internal DB

  • Active directory

  • Generic Lightweight Directory Access Protocol (LDAP)

  • Open Database Connectivity (ODBC)-compliant relational databases

  • Rivest, Shamir, and Adelman (RSA) SecurID token servers

  • RADIUS-compliant token servers

Cisco ISE Authentication Protocols and Supported External Identity Sources list the various authentication protocols supported by ISE internal and external databases.

This document focuses on authenticating wireless users that use Windows Active direcory external database.

After successful authentication, ISE retrieves group information of that user from the Windows database and associates the user to the respective authorization profile.

When a client attempts to associate to a LAP registered with a controller, the LAP passes the credentials of the user to the WLC using the respective EAP method.

WLC sends those credentials to ISE using RADIUS protocol (encapsulating the EAP) and ISE passes credentials of users to AD for validation using KERBEROS protocol.

AD validates the user credentials and upon successful authentication, informs the ISE.

Once the authentication is successful, the ISE server passes certain Internet Engineering Task Force (IETF) attributes to WLC. These RADIUS attributes decide the VLAN ID that should be assigned to the wireless client. The SSID (WLAN, in terms of WLC) of the client does not matter because the user is always assigned to this predetermined VLAN ID.

The RADIUS user attributes used for the VLAN ID assignment are:

  • IETF 64 (Tunnel Type)Set this to VLAN.

  • IETF 65 (Tunnel Medium Type)Set this to 802

  • IETF 81 (Tunnel Private Group ID)Set this to VLAN ID.

The VLAN ID is 12-bits, and takes a value between 1 and 4094, inclusive. Because the Tunnel-Private- Group-ID is of type string, as defined in RFC2868 for use with IEEE 802.1X, the VLAN ID integer value is encoded as a string. When these tunnel attributes are sent, it is necessary to fill in the Tag field.

As noted in RFC 2868 , section 3.1: The Tag field is one octet in length and is intended to provide a means of grouping attributes in the same packet which refer to the same tunnel. Valid values for this field are 0x01 through 0x1F, inclusive. If the Tag field is unused, it must be zero (0x00). Refer to RFC 2868 for more information on all RADIUS attributes.

Configure

  In this section, you are presented with the information to configure the features described in this document.

Network Diagram

Configurations

These are configuration details of the components used in this diagram:

  • IP address of the ISE (RADIUS) server is 10.48.39.128.

  • The Management and AP-manager Interface address of the WLC is 10.48.71.20.

  • DHCP server resides in LAN network and is configured for respective client pools; it is not shown on the diagram

  • VLAN1477 and VLAN1478 are used throughout this configuration. Users from Marketing department  are configured to be placed into the VLAN1477 and users from HR department  are configured to be placed into VLAN1478 by the RADIUS server when both users connect to the same SSID ― office_hq.

    VLAN1477: 192.168.77.0/24. Gateway: 192.168.77.1 VLAN1478: 192.168.78.0/24. Gateway: 192.168.78.1 

  • This document uses 802.1x with PEAP-mschapv2 as the security mechanism.

    Note: Cisco recommends that you use advanced authentication methods, such as EAP-FAST and EAP-TLS authentication, in order to secure the WLAN.

These assumptions are made before you perform this configuration:

  • The LAP is already registered with the WLC.

  • DHCP server is assigned a DHCP scope.

  • Layer 3 connectivity exists between all devices in the network.

  • The document discusses the configuration required on the wireless side and assumes that the wired network is in place.

  • Resepective users and groups are configured on AD.

In order to accomplish dynamic VLAN assignment with WLCs based on ISE to AD group mapping, these steps must be performed:

  1. ISE to AD integration and configuration of authentication and authorization policies for users on ISE
  2. WLC configuration to support dot1x authentication and AAA override for SSID 'office_hq'
  3. End client supplicant configuration

ISE to AD integration and configuration of authentication and authorization policies for users on ISE

  1. Login to ISE Web UI interface using admin account.
  2. Navigate under "Administration -> Identity management -> External Identity Sources -> Active directory"

  3. Click "Add" and enter the domain name and identity store name from the Active Directory Join Point Name settings. In the example below, we are registering ISE to the domain 'wlaaan.com' and Join point is specified as AD.wlaaan.com - locally significant name to ISE.
  4. A pop up window will open after "Submit" button is pressed asking us if we want to join ISE to AD immediatelly. Press "Yes" button and provide Active directory user credentials with admin rights to add new host to domain.
  5. After this point you should have ISE succesfully registered to AD.

    In case you have any issues with registration process, you may use "Diagnstic Tool" to run tests required for AD connectivity.
  6. We need to retrieve groups for active Directory that will be used to assign respective authorization profiles. Navigate under "Administration -> Identity management -> External Identity Sources -> Active directory -> <Your AD> -> Groups", thenk click the "Add" button and select "Select Groups from Active Directory".
  7. A new pop up window will open where you can either specify a filter to retreive specific group(s) or retrieve all groups from AD.
    Select the respective groups from the AD group list and press "OK"
  8. Respective Groups will be added to ISE and can be saved. Press "Save".
  9. Add WLC to ISE Network device list - navigate under "Administration -> Network Resources -> Network Devices" and press "Add".
    Complete configuration, by providing WLC management IP address and RADIUS shared secret between WLC and ISE.
  10. Now after we joined ISE to AD and added the WLC to device list we can start configuration of authentication and authorization policies for users.
    • Create an authorization profile to assign users from Marketing to VLAN1477 and from HR group to VLAN1478.
      Navigate under "Policy -> Policy Elements -> Results -> Authorization -> Authorization profiles" and click "Add" button to create new profile.
    • Complete authorization profile configuration with VLAN information for respective group; Example below shows "Marketing" group configuration settings.

      Similar configuration has to be done for other groups and respective VLAN tag attribute has to be configured.
    • After authorization profiles are configured, we can define authentication policies for wireless users. That can be done either by configuring "Custom" or modifying the  "Default" Policy set. In this example, we are modifying the "Default" policy set. Open "Policy -> Policy Sets -> Default". By default for dot1x authentication type ISE is going to use 'All_User_ID_Stores', although it will work even with current default settings, since "AD" is part of identity source list of All_User_ID_Stores, this example uses a more specific rule "WLC_lab" for that respective LAB controller and will use "AD" as only source for authentication.
    • Now we need to create authorization policies for users that will assign respective authorization profile based on group membership. Open "Authorization policy" section and create policies to accomplish that requirement.

WLC configuration to support dot1x authetnication and AAA override for SSID 'office_hq'

  1. Configure ISE as RADIUS authentication server on WLC, under "Security -> AAA -> RADIUS -> Authentication" section in web UI interface and provide the ISE IP address and shared secret information.


  2. Configure SSID office_hq under the "WLANs" section on the WLC; below example configures SSID with WPA2/AES+dot1x and AAA override. Interface "Dummy" is selected for the WLAN since the proper vlan will be assigned via RADIUS anyway. This dummy interface has to be created on the WLC and given an ip address, but the ip address does not have to be valid and the vlan in which it is put may not be created in the uplink switch, so that if no VLAN is being assigned the client cannot go anywhere.









  3. We also need to create dynamic interfaces on the WLC for user VLANs, under "Controller -> Interfaces" UI menu. The WLC can only honor the vlan assignment received via AAA if it has a dynamic interface in that vlan.

Verify

We will use Windows 10 native supplicant and Anyconnect NAM to test connections.

Since we are using EAP-PEAP authentication and ISE is using a Self-Signed Certificate (SSC)  we would need to agree to certificate warning or disable certificate validation. In a corportate environment, you should use a signed and trusted certificate on ISE and ensure that end user devices have the appropriate root certificate installed under Trusted CA list.

Test connection with Windows 10 and native supplicant.

  1. Open "Network & Internet settings -> Wi-Fi -> Manage known networks" and create new network profile by pressing "Add new network" buttonfill in required information.
  2. Check authentication log on ISE and ensure right profile is selected for user.
  3. Check client entry on WLC and ensure it's assigned to right VLAN and is in RUN state.
  4. From WLC CLI client status can be checked with "show client dertails <mac-address>":
     
    show client detail f4:8c:50:62:14:6b 
Client MAC Address............................... f4:8c:50:62:14:6b
Client Username ................................. Bob
Client Webauth Username ......................... N/A
Hostname: ....................................... 
Device Type: .................................... Intel-Device
AP MAC Address................................... 70:69:5a:51:4e:c0
AP Name.......................................... AP4C77.6D9E.6162  
AP radio slot Id................................. 1  
Client State..................................... Associated     
User Authenticated by ........................... RADIUS Server
Client User Group................................ Bob
Client NAC OOB State............................. Access
Wireless LAN Id.................................. 3  
Wireless LAN Network Name (SSID)................. office_hq
Wireless LAN Profile Name........................ office_hq
Hotspot (802.11u)................................ Not Supported
Connected For ................................... 242 secs
BSSID............................................ 70:69:5a:51:4e:cd  
Channel.......................................... 36 
IP Address....................................... 192.168.78.36
Gateway Address.................................. 192.168.78.1
Netmask.......................................... 255.255.255.0
...
Policy Manager State............................. RUN
...
EAP Type......................................... PEAP
Interface........................................ vlan1478
VLAN............................................. 1478
Quarantine VLAN.................................. 0
Access VLAN...................................... 1478

Test connection with Windows 10 and Anyconnect NAM.

  1. Select SSID from available SSIDs list and respective EAP authentication type (in this example PEAP) and inner authentication form
  2. Provide username and password for user authentication.
  3. Since ISE is sending to client an SSC we need to manually select to trust certificate (in production enviroment it's highly recommended to install trusted certificate on ISE).
  4. Check authentication logs on ISE and ensure the right authorization profile is selected for user.

  5. Check client entry on the WLC and ensure it's assigned to the right VLAN and is in RUN state.

  6. From WLC CLI client status can be checked with "show client dertails <mac-address>":
     
    Client MAC Address............................... f4:8c:50:62:14:6b
Client Username ................................. Alice
Client Webauth Username ......................... N/A
Hostname: ....................................... 
Device Type: .................................... Intel-Device
AP MAC Address................................... 70:69:5a:51:4e:c0
AP Name.......................................... AP4C77.6D9E.6162  
AP radio slot Id................................. 1  
Client State..................................... Associated     
User Authenticated by ........................... RADIUS Server
Client User Group................................ Alice
Client NAC OOB State............................. Access
Wireless LAN Id.................................. 3  
Wireless LAN Network Name (SSID)................. office_hq
Wireless LAN Profile Name........................ office_hq
Hotspot (802.11u)................................ Not Supported
Connected For ................................... 765 secs
BSSID............................................ 70:69:5a:51:4e:cd  
Channel.......................................... 36 
IP Address....................................... 192.168.77.32
Gateway Address.................................. 192.168.77.1
Netmask.......................................... 255.255.255.0
...
Policy Manager State............................. RUN
...
Policy Type...................................... WPA2
Authentication Key Management.................... 802.1x
Encryption Cipher................................ CCMP-128 (AES)
Protected Management Frame ...................... No
Management Frame Protection...................... No
EAP Type......................................... PEAP
Interface........................................ vlan1477
VLAN............................................. 1477

Troubleshoot

  1. Use "test aaa radius username <user> password <password> wlan-id <id>"  to test RADIUS connection between WLC and ISE and "test aaa show radius" to show the results. 
    test aaa radius username Alice password <removed> wlan-id 2

Radius Test Request
  Wlan-id........................................ 2
  ApGroup Name................................... none

  Attributes                      Values    
  ----------                      ------    
  User-Name                       Alice     
  Called-Station-Id               00-00-00-00-00-00:AndroidAP
  Calling-Station-Id              00-11-22-33-44-55
  Nas-Port                        0x00000001 (1)
  Nas-Ip-Address                  10.48.71.20
  NAS-Identifier                  0x6e6f (28271)
  Airespace / WLAN-Identifier     0x00000002 (2)
  User-Password                   cisco!123 
  Service-Type                    0x00000008 (8)
  Framed-MTU                      0x00000514 (1300)
  Nas-Port-Type                   0x00000013 (19)
  Cisco / Audit-Session-Id        1447300a0000003041d5665c
  Acct-Session-Id                 5c66d541/00:11:22:33:44:55/743



test radius auth request successfully sent. Execute 'test aaa show radius' for response

(Cisco Controller) >test aaa show radius 

Radius Test Request
  Wlan-id........................................ 2
  ApGroup Name................................... none
Radius Test Response

Radius Server            Retry Status
-------------            ----- ------
10.48.39.128             1     Success

Authentication Response:
  Result Code: Success

  Attributes                      Values    
  ----------                      ------    
  User-Name                       Alice     
  State                           ReauthSession:1447300a0000003041d5665c
  Class                           CACS:1447300a0000003041d5665c:rmanchur-ise/339603379/59
  Tunnel-Type                     0x0000000d (13)
  Tunnel-Medium-Type              0x00000006 (6)
  Tunnel-Group-Id                 0x000005c5 (1477)



(Cisco Controller) >
  2. Use "debug client <mac-address>" to troubleshoot wireless client connectivity issues.
  3. Use "debug aaa all enable" to troubleshoot authentication and authorization issues on WLC.
    Note: use this command only with 'debug mac addr <mac-address>' to limit output based on MAC address for which debugging is done!
  4.  Refer to ISE live logs and session logs to identify problems authentication failures and AD communication issues.
TAC Authored

Contributed by Cisco Engineers

  • Roman Manchur
    Cisco TAC Engineer

Was this Document Helpful?

FeedbackFeedback

Contact Cisco

Related Cisco Community Discussions

This Document Applies to These Products

About Us
Contact Us
Work with Us