cancel
Showing results for 
Search instead for 
Did you mean: 

How to create a single SSID with multiple vlans ?

How to create a single SSID with multiple vlans ?

Yakup_Erdol
New Contributor III
Hi all,

I have deployed a Netsight server, a Extreme NAC server and a c5210 wireless controller.

On the Wireless controller side:
I created a WLAN service with authentication mode 802.1x which is using a single radius server (Extreme NAC IA-A-20) for auth & acct.

I also created a role with default action:
Access Control: containment VLAN
VLAN: vlan212

Clicked Advanced >> Added vlan212, vlan300, vlan211 to be used. I have not defined any policy rules.

Then I defined a VNS to bind this WLAN service to this Role when user is authenticated.

On the NAC side:

I added the EWC to access control engine as "Extreme identiFi Wireless".

I created two policy roles. One of them is configured to contain to vlan211 and the other is configured to contain to vlan300.

Note
: when I try to enforce domain data to wireless controller, "cannot remove active Role -XXXX- from EWC ..." error occurs.

Then I have tested with two wireless clients. I can see that both clients are assigned to these different NAC profiles successfully. But they are assigned to same vlan212.

Is it possible to assign clients with different NAC profiles to different Vlans on the same SSID ?

Thanks.
13 REPLIES 13

Hi Yury,

Firstly, I have to confess that I could not understand how to configure the first method on the wireless controller. Because as I know, a VNS can only bind a WLAN service to only two different Roles (non-authenticated / authenticated).

Anyway, I tried my best and deleted all custom made CoS and Roles on the EWC, then enforced domain policies from Netsight successfully. Then I configured the VNS as below:

167e5f5a11884a72a7c5c44edb54924d_RackMultipart20170914-84620-1jv9982-8021x_inline.jpg



Then, I tested this configuration by connecting two different clients to the same SSID (test-8021x) simultaneously: one of the clients assigned to "Vlan211" and the other assigned to "Vlan311" which are not related to "NOT_Domain_PC" role. They are just assigned to Vlans that NAC sends as radius attributes :

Test client-1 Authentication session:

167e5f5a11884a72a7c5c44edb54924d_RackMultipart20170914-55200-tl5rc-8021x-2_inline.png



Test client-2 Authentication session:

167e5f5a11884a72a7c5c44edb54924d_RackMultipart20170914-128099-8uj7eu-8021x-3_inline.png



I understand from this test that no matter what is chosen in the "Default Roles >> Authenticated" field, clients are assigned according to radius attribute that NAC sends.

Is it right ?

Thanks

I will try it tomorrow. Thanks again.

No , not WLAN service by topology . I meant Role (sometimes refered as Policy). NAC sending back the Filter-ID which is exactly matching the Role name configured on the controller. This role can be bounded to particular Topology (which is the VLAN for you).

Ostrovsky__Yury
Extreme Employee
Hi Yakup ,
You can assing different VLANs in one of this two methods :
- Sending different Policy which bounded to specific topology on the Wireless Controller (e.g. Policy1 on controller configured to "Contain to VLAN100" , Policy2 on controller configured to "Contain to VLAN200" . ) So based on some criteria , ExtremeNAC will send different Policy , then controller will assign different Topology (therefore VLAN) to the user
- Second method is using the same policy , but sending Tunneled Attributes . For doing that , change the "Extreme identiFi Wireless" (when you were adding switch to the NAC) to "RFC3580- VLANID & Extreme IdentiFi Wireless" , in this case together with FilterID (Policy name) the tunneled attributes will come to controller .
GTM-P2G8KFN