This document introduces the concept of dynamic VLAN assignment. The document describes how to configure the wireless LAN controller (WLC) and ISE server to assign wireless LAN (WLAN) clients into a specific VLAN dynamically.
Ensure that you meet these requirements before you attempt this configuration:
Have basic knowledge of Wireless LAN Controllers (WLCs) and Lightweight Access Points (LAPs)
Have functional knowledge of an Authentication, Authorization and Accounting (AAA) server such as Identity Services Engine (ISE)
The information in this document is based on these software and hardware versions:
Cisco 5520 Series WLC that runs firmware release 8.8.111.0
Cisco 4800 Series AP
Native Windows supplicant and AnyConnect NAM
Cisco Secure ISE version 2.3.0.298
Microsoft Windows 2016 Server configured as a domain controller
Cisco 3560-CX Series Switch that runs version 15.2(4)E1
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Refer to Cisco Technical Tips Conventions for more information on document conventions.
In most WLAN systems, each WLAN has a static policy that applies to all clients associated with a Service Set Identifier (SSID), or WLAN in the controller terminology. Although powerful, this method has limitations because it requires clients to associate with different SSIDs in order to inherit different QoS and security policies.
The Cisco WLAN solution addresses that limitation by supporting identity networking. This allows the network to advertise a single SSID while specific users inherit different QoS, VLAN attributes and/or security policies based on their credentials.
Dynamic VLAN assignment is one such feature that places a wireless user into a specific VLAN based on the credentials supplied by the user. This task of assigning users to a specific VLAN is handled by a RADIUS authentication server, such as Cisco ISE. This can be used, for example, to allow the wireless host to remain on the same VLAN as it moves within a campus network.
The Cisco ISE server authenticates wireless users against one of several possible identity stores, including its own internal database and external sources such as:
Active directory
Generic Lightweight Directory Access Protocol (LDAP)
Open Database Connectivity (ODBC)-compliant relational databases
Rivest, Shamir, and Adleman (RSA) SecurID token servers
RADIUS-compliant token servers
Cisco ISE Authentication Protocols and Supported External Identity Sources lists the various authentication protocols supported by the ISE internal and external databases.
This document focuses on authenticating wireless users against a Windows Active Directory external database.
After successful authentication, ISE retrieves group information of that user from the Windows database and associates the user to the respective authorization profile.
When a client attempts to associate to a LAP registered with a controller, the LAP passes the credentials of the user to the WLC using the respective EAP method.
The WLC sends those credentials to ISE using the RADIUS protocol (which encapsulates the EAP exchange), and ISE passes the user credentials to AD for validation using the Kerberos protocol.
AD validates the user credentials and upon successful authentication, informs the ISE.
Once the authentication is successful, the ISE server passes certain Internet Engineering Task Force (IETF) attributes to WLC. These RADIUS attributes decide the VLAN ID that should be assigned to the wireless client. The SSID (WLAN, in terms of WLC) of the client does not matter because the user is always assigned to this predetermined VLAN ID.
The RADIUS user attributes used for the VLAN ID assignment are:
IETF 64 (Tunnel Type)—Set this to VLAN.
IETF 65 (Tunnel Medium Type)—Set this to 802
IETF 81 (Tunnel Private Group ID)—Set this to VLAN ID.
The VLAN ID is 12 bits and takes a value between 1 and 4094, inclusive. Because the Tunnel-Private-Group-ID is of type string, as defined in RFC 2868 for use with IEEE 802.1X, the VLAN ID integer value is encoded as a string. When these tunnel attributes are sent, it is necessary to fill in the Tag field.
As noted in RFC 2868, section 3.1: The Tag field is one octet in length and is intended to provide a means of grouping attributes in the same packet which refer to the same tunnel. Valid values for this field are 0x01 through 0x1F, inclusive. If the Tag field is unused, it must be zero (0x00). Refer to RFC 2868 for more information on all RADIUS attributes.
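To make the attribute layout above concrete, here is an added example (not part of the original document and not Cisco code) that builds the three tagged attributes for a VLAN ID exactly as RFC 2868 lays them out on the wire, and then parses them back the way a NAS would, grouping by the Tag octet and enforcing the 1-4094 range. The Tunnel-Type value 13 (VLAN) and Tunnel-Medium-Type value 6 (IEEE-802) are the integers the WLC prints in its `test aaa show radius` output; the function names and the treatment of an untagged Tunnel-Private-Group-ID (first octet above 0x1F, per RFC 2868 section 3.6) are this example's own.

```python
import struct

# RADIUS attribute types from RFC 2868 (the IETF numbers the document lists)
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81

TUNNEL_TYPE_VLAN = 13        # Tunnel-Type value meaning "VLAN"
TUNNEL_MEDIUM_IEEE_802 = 6   # Tunnel-Medium-Type value meaning "IEEE-802"


def _check_tag(tag):
    # RFC 2868 section 3.1: 0x01-0x1F group attributes of one tunnel; 0x00 means unused
    if not 0x00 <= tag <= 0x1F:
        raise ValueError(f"tag {tag:#x} outside 0x00-0x1F")


def encode_vlan_attributes(vlan_id, tag=0x00):
    """Build the three tagged AVPs an Access-Accept carries for VLAN vlan_id."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError(f"VLAN ID {vlan_id} outside 1-4094")
    _check_tag(tag)
    out = bytearray()
    # Tunnel-Type and Tunnel-Medium-Type: Type, Length=6, Tag, 3-octet integer value
    out += struct.pack("!BBB", TUNNEL_TYPE, 6, tag) + TUNNEL_TYPE_VLAN.to_bytes(3, "big")
    out += struct.pack("!BBB", TUNNEL_MEDIUM_TYPE, 6, tag) + TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big")
    # Tunnel-Private-Group-ID: Type, Length, Tag, String (the VLAN ID as ASCII digits)
    group = str(vlan_id).encode("ascii")
    out += struct.pack("!BBB", TUNNEL_PRIVATE_GROUP_ID, 3 + len(group), tag) + group
    return bytes(out)


def parse_avps(data):
    """Split a RADIUS attribute blob into (type, value) pairs, rejecting bad lengths."""
    avps = []
    pos = 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated AVP header")
        avp_type, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError(f"bad AVP length {length} at offset {pos}")
        avps.append((avp_type, data[pos + 2:pos + length]))
        pos += length
    return avps


def extract_vlan(data):
    """Return the VLAN ID a NAS would apply from these attributes, or None.

    Attributes are grouped by Tag octet as RFC 2868 describes; a group only
    yields a VLAN when Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802 and a
    Tunnel-Private-Group-ID in the 1-4094 range are all present.
    """
    groups = {}
    for avp_type, value in parse_avps(data):
        if avp_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if len(value) != 4:
                raise ValueError(f"attribute {avp_type} must be tag + 3 octets")
            groups.setdefault(value[0], {})[avp_type] = int.from_bytes(value[1:], "big")
        elif avp_type == TUNNEL_PRIVATE_GROUP_ID:
            # RFC 2868 section 3.6: a first octet above 0x1F is part of the string, not a tag
            if value and value[0] <= 0x1F:
                tag, group = value[0], value[1:]
            else:
                tag, group = 0x00, value
            groups.setdefault(tag, {})[avp_type] = group
    for _tag, attrs in sorted(groups.items()):
        if (attrs.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and attrs.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE_802
                and TUNNEL_PRIVATE_GROUP_ID in attrs):
            text = attrs[TUNNEL_PRIVATE_GROUP_ID].decode("ascii", errors="replace")
            if text.isdigit() and 1 <= int(text) <= 4094:
                return int(text)
    return None


if __name__ == "__main__":
    blob = encode_vlan_attributes(1477)
    print(blob.hex())          # the three AVPs for the Marketing VLAN in the lab above
    print(extract_vlan(blob))  # 1477
```

Because the three attributes must share a Tag to form one group, a parser that simply takes the first Tunnel-Private-Group-ID it sees would accept an inconsistent Access-Accept; grouping by Tag and requiring all three members is the check that matters when you are debugging why a client landed on the wrong VLAN.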
In this section, you are presented with the information to configure the features described in this document.
These are configuration details of the components used in this diagram:
IP address of the ISE (RADIUS) server is 10.48.39.128.
The Management and AP-manager Interface address of the WLC is 10.48.71.20.
The DHCP server resides in the LAN network and is configured with the respective client pools; it is not shown on the diagram.
VLAN1477 and VLAN1478 are used throughout this configuration. Users from Marketing department are configured to be placed into the VLAN1477 and users from HR department are configured to be placed into VLAN1478 by the RADIUS server when both users connect to the same SSID ― office_hq.
VLAN1477: 192.168.77.0/24. Gateway: 192.168.77.1
VLAN1478: 192.168.78.0/24. Gateway: 192.168.78.1
This document uses 802.1x with PEAP-mschapv2 as the security mechanism.
Note: Cisco recommends that you use advanced authentication methods, such as EAP-FAST and EAP-TLS authentication, in order to secure the WLAN.
These assumptions are made before you perform this configuration:
The LAP is already registered with the WLC.
DHCP server is assigned a DHCP scope.
The document discusses the configuration required on the wireless side and assumes that the wired network is in place.
In order to accomplish dynamic VLAN assignment with WLCs based on ISE to AD group mapping, these steps must be performed:
We will use Windows 10 native supplicant and Anyconnect NAM to test connections.
Since we are using EAP-PEAP authentication and ISE is using a Self-Signed Certificate (SSC), we need to either accept the certificate warning or disable certificate validation on the supplicant. In a corporate environment, you should use a signed and trusted certificate on ISE and ensure that end user devices have the appropriate root certificate installed in their Trusted CA list.
Test connection with Windows 10 and native supplicant.
show client detail f4:8c:50:62:14:6b
Client MAC Address............................... f4:8c:50:62:14:6b
Client Username ................................. Bob
Client Webauth Username ......................... N/A
Hostname: .......................................
Device Type: .................................... Intel-Device
AP MAC Address................................... 70:69:5a:51:4e:c0
AP Name.......................................... AP4C77.6D9E.6162
AP radio slot Id................................. 1
Client State..................................... Associated
User Authenticated by ........................... RADIUS Server
Client User Group................................ Bob
Client NAC OOB State............................. Access
Wireless LAN Id.................................. 3
Wireless LAN Network Name (SSID)................. office_hq
Wireless LAN Profile Name........................ office_hq
Hotspot (802.11u)................................ Not Supported
Connected For ................................... 242 secs
BSSID............................................ 70:69:5a:51:4e:cd
Channel.......................................... 36
IP Address....................................... 192.168.78.36
Gateway Address.................................. 192.168.78.1
Netmask.......................................... 255.255.255.0
...
Policy Manager State............................. RUN
...
EAP Type......................................... PEAP
Interface........................................ vlan1478
VLAN............................................. 1478
Quarantine VLAN.................................. 0
Access VLAN...................................... 1478
Test connection with Windows 10 and Anyconnect NAM.
Client MAC Address............................... f4:8c:50:62:14:6b
Client Username ................................. Alice
Client Webauth Username ......................... N/A
Hostname: .......................................
Device Type: .................................... Intel-Device
AP MAC Address................................... 70:69:5a:51:4e:c0
AP Name.......................................... AP4C77.6D9E.6162
AP radio slot Id................................. 1
Client State..................................... Associated
User Authenticated by ........................... RADIUS Server
Client User Group................................ Alice
Client NAC OOB State............................. Access
Wireless LAN Id.................................. 3
Wireless LAN Network Name (SSID)................. office_hq
Wireless LAN Profile Name........................ office_hq
Hotspot (802.11u)................................ Not Supported
Connected For ................................... 765 secs
BSSID............................................ 70:69:5a:51:4e:cd
Channel.......................................... 36
IP Address....................................... 192.168.77.32
Gateway Address.................................. 192.168.77.1
Netmask.......................................... 255.255.255.0
...
Policy Manager State............................. RUN
...
Policy Type...................................... WPA2
Authentication Key Management.................... 802.1x
Encryption Cipher................................ CCMP-128 (AES)
Protected Management Frame ...................... No
Management Frame Protection...................... No
EAP Type......................................... PEAP
Interface........................................ vlan1477
VLAN............................................. 1477
test aaa radius username Alice password <removed> wlan-id 2

Radius Test Request
  Wlan-id........................................ 2
  ApGroup Name................................... none

  Attributes                      Values
  ----------                      ------
  User-Name                       Alice
  Called-Station-Id               00-00-00-00-00-00:AndroidAP
  Calling-Station-Id              00-11-22-33-44-55
  Nas-Port                        0x00000001 (1)
  Nas-Ip-Address                  10.48.71.20
  NAS-Identifier                  0x6e6f (28271)
  Airespace / WLAN-Identifier     0x00000002 (2)
  User-Password                   cisco!123
  Service-Type                    0x00000008 (8)
  Framed-MTU                      0x00000514 (1300)
  Nas-Port-Type                   0x00000013 (19)
  Cisco / Audit-Session-Id        1447300a0000003041d5665c
  Acct-Session-Id                 5c66d541/00:11:22:33:44:55/743

test radius auth request successfully sent. Execute 'test aaa show radius' for response

(Cisco Controller) >test aaa show radius

Radius Test Request
  Wlan-id........................................ 2
  ApGroup Name................................... none

Radius Test Response

Radius Server            Retry Status
-------------            ----- ------
10.48.39.128             1     Success

Authentication Response:
  Result Code: Success

  Attributes                      Values
  ----------                      ------
  User-Name                       Alice
  State                           ReauthSession:1447300a0000003041d5665c
  Class                           CACS:1447300a0000003041d5665c:rmanchur-ise/339603379/59
  Tunnel-Type                     0x0000000d (13)
  Tunnel-Medium-Type              0x00000006 (6)
  Tunnel-Group-Id                 0x000005c5 (1477)

(Cisco Controller) >
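Reading `show client detail` by eye for two test users is fine, but once the mapping is in production you want a repeatable check that every authenticated client is on the VLAN its group policy says. The following is an added example (not part of the original document and not Cisco code) that parses the dot-leader format of the WLC output shown above into a dictionary and then compares the client's VLAN, authentication source and policy state against an expected per-user VLAN table. The sample outputs and the `POLICY` table are constructed from the lab values in this document (Alice on VLAN 1477, Bob on VLAN 1478); the assumption that dynamic interfaces are named `vlan<ID>` matches this lab only and is marked in the code.

```python
import re

# One "Field name.......... value" line of WLC 'show client detail' output.
# The key must start with a letter so that bare "..." continuation lines are skipped.
_FIELD_LINE = re.compile(r"^\s*(?P<key>[A-Za-z].*?)\s*\.{2,}\s*(?P<value>.*?)\s*$")


def parse_show_client_detail(text):
    """Turn the dot-leader output into a dict; lines without a leader are ignored."""
    fields = {}
    for line in text.splitlines():
        m = _FIELD_LINE.match(line)
        if m:
            fields[m.group("key")] = m.group("value")
    return fields


def check_client(fields, expected_vlan_by_user):
    """Return a list of problems; an empty list means the client landed where policy says."""
    problems = []
    user = fields.get("Client Username", "")
    vlan_text = fields.get("Access VLAN") or fields.get("VLAN") or ""
    if not vlan_text.isdigit():
        return ["no VLAN ID in output"]
    vlan = int(vlan_text)
    expected = expected_vlan_by_user.get(user)
    if expected is None:
        problems.append(f"no VLAN policy for user {user!r}")
    elif vlan != expected:
        problems.append(f"{user} is on VLAN {vlan}, policy says {expected}")
    if fields.get("User Authenticated by") != "RADIUS Server":
        problems.append("client was not authenticated by the RADIUS server")
    if fields.get("Policy Manager State") != "RUN":
        problems.append(f"policy manager state is {fields.get('Policy Manager State')!r}, not RUN")
    # Assumption: dynamic interfaces on the WLC are named vlan<ID>, as in this lab
    if fields.get("Interface") != f"vlan{vlan}":
        problems.append(f"interface {fields.get('Interface')!r} does not match VLAN {vlan}")
    return problems


# Constructed per-user expectation, taken from the lab results in this document
POLICY = {"Alice": 1477, "Bob": 1478}

# Constructed, condensed 'show client detail' output for a correctly placed client
SAMPLE_OK = """\
Client MAC Address............................... f4:8c:50:62:14:6b
Client Username ................................. Alice
Client State..................................... Associated
User Authenticated by ........................... RADIUS Server
Wireless LAN Network Name (SSID)................. office_hq
IP Address....................................... 192.168.77.32
...
Policy Manager State............................. RUN
EAP Type......................................... PEAP
Interface........................................ vlan1477
VLAN............................................. 1477
Access VLAN...................................... 1477
"""

# Constructed output where Bob ended up on the Marketing VLAN instead of HR's
SAMPLE_WRONG = """\
Client Username ................................. Bob
User Authenticated by ........................... RADIUS Server
Policy Manager State............................. RUN
Interface........................................ vlan1477
VLAN............................................. 1477
Access VLAN...................................... 1477
"""

if __name__ == "__main__":
    print(check_client(parse_show_client_detail(SAMPLE_OK), POLICY))     # []
    print(check_client(parse_show_client_detail(SAMPLE_WRONG), POLICY))  # mismatch for Bob
```

The same parser works on the full output pasted from the controller; the condensed samples only keep the fields the check reads. A mismatch between `VLAN` and the per-user policy is the symptom to look for when the RADIUS attributes are wrong, while a client authenticated by something other than the RADIUS server or stuck outside the RUN state points at the authentication path rather than at the VLAN mapping.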