How to create a single SSID with multiple vlans ?

  • 0
  • 1
  • Question
  • Updated 1 year ago
  • Answered
Hi all,

I have deployed a Netsight server, a Extreme NAC server and a c5210 wireless controller.

On the Wireless controller side:
I created a WLAN service with authentication mode 802.1x which is using a single radius server (Extreme NAC IA-A-20) for auth & acct.

I also created a role with default action:
Access Control: containment VLAN
VLAN: vlan212 

Clicked Advanced >> Added vlan212, vlan300, vlan211 to be used. I have not defined any policy rules.

Then I defined a VNS to bind this WLAN service to this Role when user is authenticated.

On the NAC side:

I added the EWC to access control engine as "Extreme identiFi Wireless".

I created two policy roles. One of them is configured to contain to vlan211 and the other is configured to contain to vlan300.

Note
: when I try to enforce domain data to wireless controller, "cannot remove active Role -XXXX- from EWC ..." error occurs.

Then I have tested with two wireless clients. I can see that both clients are assigned to these different NAC profiles successfully. But they are assigned to same vlan212.  

Is it possible to assign clients with different NAC profiles to different Vlans on the same SSID ?

Thanks.
Photo of Yakup Erdol

Yakup Erdol

  • 590 Points 500 badge 2x thumb

Posted 1 year ago

  • 0
  • 1
Photo of Ostrovsky, Yury

Ostrovsky, Yury, Employee

  • 3,050 Points 3k badge 2x thumb
Hi Yakup , 
You can assing different VLANs in one of this two methods :
- Sending different Policy which bounded to specific topology on the Wireless Controller (e.g. Policy1 on controller configured to "Contain to VLAN100" , Policy2 on controller configured to "Contain to VLAN200" . ) So based on some criteria , ExtremeNAC will send different Policy , then controller will assign different Topology (therefore VLAN) to the user
- Second method is using the same policy , but sending Tunneled Attributes . For doing that , change the "Extreme identiFi Wireless" (when you were adding switch to the NAC) to "RFC3580- VLANID & Extreme IdentiFi Wireless" , in this case together with FilterID (Policy name) the tunneled attributes will come to controller . 
Photo of Yakup Erdol

Yakup Erdol

  • 590 Points 500 badge 2x thumb
Hi Yury,

I am confused. Do you mean "WLAN service" by Topology ? If yes, how will EWC decide which 801.x authenticated user use which topology ? 

Thanks.
Photo of Ostrovsky, Yury

Ostrovsky, Yury, Employee

  • 3,050 Points 3k badge 2x thumb
No , not WLAN service by topology . I meant Role (sometimes refered as Policy). NAC sending back the Filter-ID which is exactly matching the Role name configured on the controller. This role can be bounded to particular Topology (which is the VLAN for you).  
Photo of Yakup Erdol

Yakup Erdol

  • 590 Points 500 badge 2x thumb
I will try it tomorrow. Thanks again.
Photo of Yakup Erdol

Yakup Erdol

  • 590 Points 500 badge 2x thumb
Hi Yury, 

Firstly, I have to confess that I could not understand how to configure the first method on the wireless controller. Because as I know, a VNS can only bind a WLAN service to only two different Roles (non-authenticated / authenticated). 

Anyway, I tried my best and deleted all custom made CoS and Roles on the EWC, then enforced domain policies from Netsight successfully. Then I configured the VNS as below:



Then, I tested this configuration by connecting two different clients to the same SSID (test-8021x) simultaneously: one of the clients assigned to "Vlan211" and the other assigned to "Vlan311" which are not related to "NOT_Domain_PC" role. They are just assigned to Vlans that NAC sends as radius attributes :

Test client-1 Authentication session:





Test client-2 Authentication session:




I understand from this test that no matter what is chosen in the "Default Roles  >> Authenticated" field, clients are assigned according to radius attribute that NAC sends. 

Is it right ?

Thanks
Photo of Ostrovsky, Yury

Ostrovsky, Yury, Employee

  • 3,050 Points 3k badge 2x thumb
Technically, you don't need to do anything else on controller. You already pushing the Policies to controller. Whatever you define on controller as 'default action' does not matter since NAC will override it based on user authentication. That's why it called 'dynamic policy assignment'. Its the same way as dynamic VLAN assignment, just using different VSA attributes ( FilterID instead of tunneled attributes). But looks like you are on a right path.
Photo of Yakup Erdol

Yakup Erdol

  • 590 Points 500 badge 2x thumb
Thank you very much Yury. All these informations really helped me a lot. 
Photo of Ronald Dvorak

Ronald Dvorak, Embassador

  • 49,972 Points 20k badge 2x thumb
I strongly advice you to pay an Extreme Partner to do it for you / show you the basic functions during the installation.

Here a list for your country...
http://www.extremenetworks.com/partners/find-a-partner/location/Europe-Middle-East-Africa/TR/?show-p....

Or you'd attend the official training for wirless and NAC...
http://www.extremenetworks.com/education/courses/

BR,
Ron
Photo of Yakup Erdol

Yakup Erdol

  • 590 Points 500 badge 2x thumb
And why "cannot remove active Role -XXXX- from EWC ..." error occurs when enforcing the policy on Netsight ?
Photo of Ostrovsky, Yury

Ostrovsky, Yury, Employee

  • 3,050 Points 3k badge 2x thumb
You are trying to use Policy from the ExtremeManagement . Most probably you already have some CoSes configured on the controller which prevent pushing the policies to . Clean up (just delete) all the custom made CoSes you have on controller , then you can try to push Policy again from ExtremeManagement. 
Photo of Yakup Erdol

Yakup Erdol

  • 590 Points 500 badge 2x thumb
Sorry again. Would you explain what "CoSes" is ?
Photo of Ostrovsky, Yury

Ostrovsky, Yury, Employee

  • 3,050 Points 3k badge 2x thumb
On the VNS page of the wireless controller you have (from top to bottom) : Global , Sites, Virtual Networks, WLAN Sevices , Roles , Class of Service , Topologies . 
CoS is Class of Service . 
Roles and Class of Service can be configured right on the wireless controller , or on Extreme Management (in the Policy section) and pushed to the Wireless Controller . If you configure CoS first on wireless Controller , it will prevent ExtremeManagement to push and override it . Ideally if you start using Policy from ExtremeManagement , do not touch Roles and Class of Services on the controller - do all you changes on ExtremeManagement Policy instead. 
Photo of Yakup Erdol

Yakup Erdol

  • 590 Points 500 badge 2x thumb
I thought it was the plural form of "CoSe" :)

Thanks for the great explanation.