Header Only - DO NOT REMOVE - Extreme Networks

How to dynamically assign a user to a VLAN depending on the AP location?

Userlevel 1
Hi all,

my goal is to use same SSID and (dynamically) assign users to a VLAN depending on location.

I am looking into "Replace BSSID with Zone name" in RADIUS TLVs (RADIUS Access Request Message Options) but had no success making it work. I can see the proper "Called Station Identifier: Location x" in NPS Event Viewer though. Now I need to find a way to assign a proper VLAN to it at the AP ...

I followed procedure on https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-add-assign-the-user-based-on-his-location but am missing something here ...

Setup: B@AP topology, EAP-TLS, NPS, NAC (RADIUS Proxy mode)


3 replies

Userlevel 4
Hi Dusan!

you need :
- location groups with APs
- a rule on EWC for every VLAN you use (matching the rule you get from NAC via RADIUS !) with the configured VLAN topoogy
- a NAC aaa rule for every location using this EWC rules. Radius request will overwrite the default rule on EWC
- on EWC (Global/Authentication/RFC3580): choose: "Both RADIUS Filter-ID and Tunnel-Private-Group-ID attributes"
- VLANs tagged on AP wired port

try WLAN config without TLS and NPS ! Use NAC user store to prevent issues from NPS.

Userlevel 7
You'd take a look into this post to get some ideas how to troubleshoot the issue...

Userlevel 1

found a working solution w/ EAC!

Client <--> EWC/B@AP <--> EAC (Radius Proxy) <--> NPS (EAP-TLS)

Here's my community contribution (based on Volker Kull's advice):

    VNS > Global > Authentication > RFC 3580 (ACCESS-ACCEPT) Options: "Both RADIUS Filter-ID and Tunnel-Private-Group-ID attributes" VNS > WLAN Service > Auth & Acct > RADIUS TLVs > Zone Support > RADIUS Request Called Station ID Options > Replace BSSID with Zone name AP > Edit selected AP > AP Properies > Zone:

Access Control >
    Group Editor > Location Group: + Add New Group (for each location): <Location_name> + Switches: "List" + + Interface: "Wireless" + AP ID: <Location_name> Access Control Profiles > Policy Mappings > + Add New: + Map to Location: Select Location + Policy Role: "Enterprise Access" + VLAN [id] Name: Add New: <VLAN ID> + <Name> + VLAN Egress: "Tagged" Access Control Profile + Add New (for each location) + Accept Policy: Select Policy Mapping (step #2) + Replace RADIUS Attributes with Accept Policy Access Control Configurations > Default + Add New Rule (for each location) + Authentication Rule: 802.1X (EAP-TLS) + Location Group: Select Location (step #1) + Profile: Select Access Control Profiles (step #2) Enforce
Policy >
    Roles/Services > Enterprise Access > Mappings + Add (Type: RFC3580) VLAN: <Location_VID> for each location Save Domain Enforce Domain (Ignore Errors)
Client is authenticated against NPS.
Policy (Role/VLAN mapping) is applied directly from EAC.
Role Enterprise Access is used as an example