topic RE: How to create a single SSID with multiple vlans ? in ExtremeCloud IQ- Site Engine Management Center

How to create a single SSID with multiple vlans ?

Yakup_Erdol — Wed, 13 Sep 2017 19:51:00 GMT

Hi all,

I have deployed a Netsight server, a Extreme NAC server and a c5210 wireless controller.

On the Wireless controller side:
I created a WLAN service with authentication mode 802.1x which is using a single radius server (Extreme NAC IA-A-20) for auth & acct.

I also created a role with default action:
Access Control: containment VLAN
VLAN: vlan212

Clicked Advanced >> Added vlan212, vlan300, vlan211 to be used. I have not defined any policy rules.

Then I defined a VNS to bind this WLAN service to this Role when user is authenticated.

On the NAC side:

I added the EWC to access control engine as "Extreme identiFi Wireless".

I created two policy roles. One of them is configured to contain to vlan211 and the other is configured to contain to vlan300.

Note: when I try to enforce domain data to wireless controller, "cannot remove active Role -XXXX- from EWC ..." error occurs.

Then I have tested with two wireless clients. I can see that both clients are assigned to these different NAC profiles successfully. But they are assigned to same vlan212.

Is it possible to assign clients with different NAC profiles to different Vlans on the same SSID ?

Thanks.

RE: How to create a single SSID with multiple vlans ?

Ostrovsky__Yury — Wed, 13 Sep 2017 20:14:00 GMT

Hi Yakup ,
You can assing different VLANs in one of this two methods :
- Sending different Policy which bounded to specific topology on the Wireless Controller (e.g. Policy1 on controller configured to "Contain to VLAN100" , Policy2 on controller configured to "Contain to VLAN200" . ) So based on some criteria , ExtremeNAC will send different Policy , then controller will assign different Topology (therefore VLAN) to the user
- Second method is using the same policy , but sending Tunneled Attributes . For doing that , change the "Extreme identiFi Wireless" (when you were adding switch to the NAC) to "RFC3580- VLANID & Extreme IdentiFi Wireless" , in this case together with FilterID (Policy name) the tunneled attributes will come to controller .

RE: How to create a single SSID with multiple vlans ?

Yakup_Erdol — Wed, 13 Sep 2017 20:30:00 GMT

Hi Yury,

I am confused. Do you mean "WLAN service" by Topology ? If yes, how will EWC decide which 801.x authenticated user use which topology ?

Thanks.

RE: How to create a single SSID with multiple vlans ?

Ostrovsky__Yury — Wed, 13 Sep 2017 20:30:00 GMT

No , not WLAN service by topology . I meant Role (sometimes refered as Policy). NAC sending back the Filter-ID which is exactly matching the Role name configured on the controller. This role can be bounded to particular Topology (which is the VLAN for you).

RE: How to create a single SSID with multiple vlans ?

Yakup_Erdol — Wed, 13 Sep 2017 20:30:00 GMT

I will try it tomorrow. Thanks again.

RE: How to create a single SSID with multiple vlans ?

Yakup_Erdol — Wed, 13 Sep 2017 20:30:00 GMT

Hi Yury,

Firstly, I have to confess that I could not understand how to configure the first method on the wireless controller. Because as I know, a VNS can only bind a WLAN service to only two different Roles (non-authenticated / authenticated).

Anyway, I tried my best and deleted all custom made CoS and Roles on the EWC, then enforced domain policies from Netsight successfully. Then I configured the VNS as below:

Then, I tested this configuration by connecting two different clients to the same SSID (test-8021x) simultaneously: one of the clients assigned to "Vlan211" and the other assigned to "Vlan311" which are not related to "NOT_Domain_PC" role. They are just assigned to Vlans that NAC sends as radius attributes :

Test client-1 Authentication session:

Test client-2 Authentication session:

I understand from this test that no matter what is chosen in the "Default Roles >> Authenticated" field, clients are assigned according to radius attribute that NAC sends.

Is it right ?

Thanks

RE: How to create a single SSID with multiple vlans ?

Ostrovsky__Yury — Wed, 13 Sep 2017 20:30:00 GMT

Technically, you don't need to do anything else on controller. You already pushing the Policies to controller. Whatever you define on controller as 'default action' does not matter since NAC will override it based on user authentication. That's why it called 'dynamic policy assignment'. Its the same way as dynamic VLAN assignment, just using different VSA attributes ( FilterID instead of tunneled attributes). But looks like you are on a right path.

RE: How to create a single SSID with multiple vlans ?

Yakup_Erdol — Wed, 13 Sep 2017 20:30:00 GMT

Thank you very much Yury. All these informations really helped me a lot.

RE: How to create a single SSID with multiple vlans ?

Yakup_Erdol — Wed, 13 Sep 2017 20:33:00 GMT

And why "cannot remove active Role -XXXX- from EWC ..." error occurs when enforcing the policy on Netsight ?

RE: How to create a single SSID with multiple vlans ?

Ronald_Dvorak — Wed, 13 Sep 2017 20:33:00 GMT

I strongly advice you to pay an Extreme Partner to do it for you / show you the basic functions during the installation.

Here a list for your country...
http://www.extremenetworks.com/partners/find-a-partner/location/Europe-Middle-East-Africa/TR/?show-p....

Or you'd attend the official training for wirless and NAC...
http://www.extremenetworks.com/education/courses/

BR,
Ron

RE: How to create a single SSID with multiple vlans ?

Ostrovsky__Yury — Wed, 13 Sep 2017 20:33:00 GMT

You are trying to use Policy from the ExtremeManagement . Most probably you already have some CoSes configured on the controller which prevent pushing the policies to . Clean up (just delete) all the custom made CoSes you have on controller , then you can try to push Policy again from ExtremeManagement.

RE: How to create a single SSID with multiple vlans ?

Yakup_Erdol — Wed, 13 Sep 2017 20:33:00 GMT

Sorry again. Would you explain what "CoSes" is ?

RE: How to create a single SSID with multiple vlans ?

Ostrovsky__Yury — Wed, 13 Sep 2017 20:33:00 GMT

On the VNS page of the wireless controller you have (from top to bottom) : Global , Sites, Virtual Networks, WLAN Sevices , Roles , Class of Service , Topologies .
CoS is Class of Service .
Roles and Class of Service can be configured right on the wireless controller , or on Extreme Management (in the Policy section) and pushed to the Wireless Controller . If you configure CoS first on wireless Controller , it will prevent ExtremeManagement to push and override it . Ideally if you start using Policy from ExtremeManagement , do not touch Roles and Class of Services on the controller - do all you changes on ExtremeManagement Policy instead.

RE: How to create a single SSID with multiple vlans ?

Yakup_Erdol — Wed, 13 Sep 2017 20:33:00 GMT

I thought it was the plural form of "CoSe" 🙂

Thanks for the great explanation.