https://community.extremenetworks.com/t5/extremewireless-identifi/how-to-dynamically-assign-a-user-to-a-vlan-depending-on-the-ap/m-p/42252#M3187 <P>Hi all,<BR /><BR />my goal is to use same SSID and (dynamically) assign users to a VLAN depending on location.<BR /><BR />I am looking into "Replace BSSID with Zone name" in RADIUS TLVs (RADIUS Access Request Message Options) but had no success making it work. I can see the proper "Called Station Identifier: Location x" in NPS Event Viewer though. Now I need to find a way to assign a proper VLAN to it at the AP ...<BR /><BR />I followed procedure on <A href="https://extremeportal.force.com/ExtrArticleDetail?an=000082506" target="_blank" rel="nofollow noreferrer noopener">https://extremeportal.force.com/ExtrArticleDetail?an=000082506</A> but am missing something here ...<BR /><BR />Setup: B@AP topology, EAP-TLS, NPS, NAC (RADIUS Proxy mode)<BR /><BR />Thanks!</P> Tue, 05 Dec 2017 14:25:00 GMT Dusan_K_ 2017-12-05T14:25:00Z https://community.extremenetworks.com/t5/extremewireless-identifi/how-to-dynamically-assign-a-user-to-a-vlan-depending-on-the-ap/m-p/42252#M3187 <P>Hi all,<BR /><BR />my goal is to use same SSID and (dynamically) assign users to a VLAN depending on location.<BR /><BR />I am looking into "Replace BSSID with Zone name" in RADIUS TLVs (RADIUS Access Request Message Options) but had no success making it work. I can see the proper "Called Station Identifier: Location x" in NPS Event Viewer though. Now I need to find a way to assign a proper VLAN to it at the AP ...<BR /><BR />I followed procedure on <A href="https://extremeportal.force.com/ExtrArticleDetail?an=000082506" target="_blank" rel="nofollow noreferrer noopener">https://extremeportal.force.com/ExtrArticleDetail?an=000082506</A> but am missing something here ...<BR /><BR />Setup: B@AP topology, EAP-TLS, NPS, NAC (RADIUS Proxy mode)<BR /><BR />Thanks!</P> Tue, 05 Dec 2017 14:25:00 GMT https://community.extremenetworks.com/t5/extremewireless-identifi/how-to-dynamically-assign-a-user-to-a-vlan-depending-on-the-ap/m-p/42252#M3187 Dusan_K_ 2017-12-05T14:25:00Z https://community.extremenetworks.com/t5/extremewireless-identifi/how-to-dynamically-assign-a-user-to-a-vlan-depending-on-the-ap/m-p/42253#M3188 Hi Dusan!<BR /> <BR /> you need :<BR /> - location groups with APs<BR /> - a rule on EWC for every VLAN you use (matching the rule you get from NAC via RADIUS !) with the configured VLAN topoogy<BR /> - a NAC aaa rule for every location using this EWC rules. Radius request will overwrite the default rule on EWC<BR /> - on EWC (Global/Authentication/RFC3580): choose: "Both RADIUS Filter-ID and Tunnel-Private-Group-ID attributes"<BR /> - VLANs tagged on AP wired port<BR /> <BR /> try WLAN config without TLS and NPS ! Use NAC user store to prevent issues from NPS.<BR /> <BR /> br<BR /> Volker Tue, 05 Dec 2017 14:56:00 GMT https://community.extremenetworks.com/t5/extremewireless-identifi/how-to-dynamically-assign-a-user-to-a-vlan-depending-on-the-ap/m-p/42253#M3188 Volker_Kull 2017-12-05T14:56:00Z https://community.extremenetworks.com/t5/extremewireless-identifi/how-to-dynamically-assign-a-user-to-a-vlan-depending-on-the-ap/m-p/42254#M3189 You'd take a look into this post to get some ideas how to troubleshoot the issue...<BR /> <BR /> <A href="https://community.extremenetworks.com/extreme/topics/how-to-configure-windows-2012-nps-for-radius-authentication-with-extremewireless-controller" target="_blank" rel="nofollow noreferrer noopener">https://community.extremenetworks.com/extreme/topics/how-to-configure-windows-2012-nps-for-radius-au...</A><BR /> Tue, 05 Dec 2017 19:39:00 GMT https://community.extremenetworks.com/t5/extremewireless-identifi/how-to-dynamically-assign-a-user-to-a-vlan-depending-on-the-ap/m-p/42254#M3189 Ronald_Dvorak 2017-12-05T19:39:00Z https://community.extremenetworks.com/t5/extremewireless-identifi/how-to-dynamically-assign-a-user-to-a-vlan-depending-on-the-ap/m-p/42255#M3190 Hi,<BR /> <BR /> found a working solution w/ EAC!<BR /> <BR /> <B>Client EWC/B@AP EAC (Radius Proxy) NPS (EAP-TLS)</B><BR /> <BR /> Here's my community contribution (based on <A href="https://community.extremenetworks.com/extreme/people/volker_kull" target="_blank" rel="nofollow noreferrer noopener">Volker Kull</A>'s advice):<BR /> <BR /> <B>@EWC</B><BR /> <OL> VNS &gt; Global &gt; Authentication &gt; RFC 3580 (ACCESS-ACCEPT) Options: <B>"Both RADIUS Filter-ID and Tunnel-Private-Group-ID attributes"</B> VNS &gt; WLAN Service &gt; Auth &amp; Acct &gt; RADIUS TLVs &gt; Zone Support &gt; RADIUS Request Called Station ID Options &gt; <B>Replace BSSID with Zone name</B> AP &gt; Edit selected AP &gt; AP Properies &gt; <B>Zone: </B> </OL> <B>@EAC<BR /> </B><BR /> <B>Access Control &gt;</B><BR /> <OL> Group Editor &gt; Location Group: + Add New Group (for each location): + Switches: "List" + + Interface: "Wireless" + AP ID: Access Control Profiles &gt; Policy Mappings &gt; + Add New: + Map to Location: <B>Select Location</B> + Policy Role: "Enterprise Access" + VLAN [id] Name: Add New: + + VLAN Egress: "<B>Tagged</B>" Access Control Profile + Add New (for each location) + Accept Policy: <B>Select Policy Mapping</B> (step #2) + Replace RADIUS Attributes with Accept Policy Access Control Configurations &gt; Default + Add New Rule (for each location) + Authentication Rule: <B>802.1X (EAP-TLS)</B> + Location Group: <B>Select Location </B>(step #1)<B> </B>+ Profile: <B>Select Access Control Profiles </B>(step #2)<B> </B> Enforce </OL><B>Policy &gt;</B><BR /> <OL> Roles/Services &gt; Enterprise Access &gt; Mappings + Add (Type: <B>RFC3580</B>) VLAN: for each location Save Domain Enforce Domain (Ignore Errors) </OL> <U>Note: </U><BR /> Client is authenticated against NPS.<BR /> Policy (Role/VLAN mapping) is applied directly from EAC.<BR /> Role <B>Enterprise Access</B> is used as an example<BR /> <BR /> Cheers! Tue, 05 Dec 2017 20:44:00 GMT https://community.extremenetworks.com/t5/extremewireless-identifi/how-to-dynamically-assign-a-user-to-a-vlan-depending-on-the-ap/m-p/42255#M3190 Dusan_K_ 2017-12-05T20:44:00Z