How to dynamically assign a user to a VLAN depending on the AP location?

  • 0
  • 1
  • Question
  • Updated 10 months ago
  • Answered
  • (Edited)
Hi all,

my goal is to use same SSID and (dynamically) assign users to a VLAN depending on location.

I am looking into "Replace BSSID with Zone name" in RADIUS TLVs (RADIUS Access Request Message Options) but had no success making it work. I can see the proper "Called Station Identifier: Location x" in NPS Event Viewer though. Now I need to find a way to assign a proper VLAN to it at the AP ...

I followed procedure on but am missing something here ...

Setup: B@AP topology, EAP-TLS, NPS, NAC (RADIUS Proxy mode)

Photo of Dusan K.

Dusan K.

  • 476 Points 250 badge 2x thumb

Posted 10 months ago

  • 0
  • 1
Photo of Volker Kull

Volker Kull

  • 1,862 Points 1k badge 2x thumb
Hi Dusan!

you need :
- location groups with APs
- a rule on EWC for every VLAN you use (matching the rule you get from NAC via RADIUS !) with the configured VLAN topoogy
- a NAC aaa rule for every location using this EWC rules. Radius request will overwrite the default rule on EWC
- on EWC (Global/Authentication/RFC3580): choose: "Both RADIUS Filter-ID and Tunnel-Private-Group-ID attributes"
- VLANs tagged on AP wired port

try WLAN config without TLS and NPS ! Use NAC user store to prevent issues from NPS.

Photo of Ronald Dvorak

Ronald Dvorak, Embassador

  • 49,972 Points 20k badge 2x thumb
You'd take a look into this post to get some ideas how to troubleshoot the issue...
Photo of Dusan K.

Dusan K.

  • 476 Points 250 badge 2x thumb

found a working solution w/ EAC!

Client <--> EWC/B@AP <--> EAC (Radius Proxy) <--> NPS (EAP-TLS)

Here's my community contribution (based on Volker Kull's advice):

  1. VNS > Global > Authentication > RFC 3580 (ACCESS-ACCEPT) Options: "Both RADIUS Filter-ID and Tunnel-Private-Group-ID attributes"
  2. VNS > WLAN Service > Auth & Acct > RADIUS TLVs > Zone Support >
    RADIUS Request Called Station ID Options > Replace BSSID with Zone name
  3. AP > Edit selected AP > AP Properies > Zone: <Location_name>


Access Control >
  1. Group Editor > Location Group:
    + Add New Group (for each location): <Location_name>
       + Switches: "List"
       + <Enter EWC IP>
       + Interface: "Wireless"
       + AP ID: <Location_name>

  2. Access Control Profiles > Policy Mappings >
    + Add New: <Enter_name>
    + Map to Location: Select Location
    + Policy Role: "Enterprise Access"
    + VLAN [ID] Name: Add New: <VLAN ID> + <Name>
    + VLAN Egress: "Tagged"

  3. Access Control Profile
    + Add New (for each location)
    + Accept Policy: Select Policy Mapping (step #2)
    + Replace RADIUS Attributes with Accept Policy <checked>

  4. Access Control Configurations > Default
    + Add New Rule (for each location)
    + Authentication Rule: 802.1X (EAP-TLS)
    + Location Group: Select Location (step #1)
    + Profile: Select Access Control Profiles (step #2)

  5. Enforce
Policy >
  1. Roles/Services > Enterprise Access > Mappings
    + Add (Type: RFC3580) VLAN: <Location_VID> for each location

  2. Save Domain
  3. Enforce Domain (Ignore Errors)

Client is authenticated against NPS.
Policy (Role/VLAN mapping) is applied directly from EAC.
Role Enterprise Access is used as an example