How to dynamically assign a user to a VLAN depending on the AP location?
12-05-2017 06:25 AM
Hi all,
my goal is to use the same SSID and (dynamically) assign users to a VLAN depending on location.
I am looking into "Replace BSSID with Zone name" in RADIUS TLVs (RADIUS Access Request Message Options) but had no success making it work. I can see the proper "Called Station Identifier: Location x" in the NPS Event Viewer though. Now I need to find a way to assign a proper VLAN to it at the AP ...
I followed the procedure at https://extremeportal.force.com/ExtrArticleDetail?an=000082506 but am missing something here ...
Setup: B@AP topology, EAP-TLS, NPS, NAC (RADIUS Proxy mode)
Thanks!
12-05-2017 12:44 PM
Found a working solution w/ EAC!
Client -> EWC/B@AP -> EAC (RADIUS Proxy) -> NPS (EAP-TLS)
Here's my community contribution (based on Volker Kull's advice):

@EWC
- VNS > Global > Authentication > RFC 3580 (ACCESS-ACCEPT) Options: "Both RADIUS Filter-ID and Tunnel-Private-Group-ID attributes"
- VNS > WLAN Service > Auth & Acct > RADIUS TLVs > Zone Support > RADIUS Request Called Station ID Options > Replace BSSID with Zone name
- AP > Edit selected AP > AP Properties > Zone:

Access Control >
- Group Editor > Location Group:
  + Add New Group (for each location):
    + Switches: "List"
    +
    + Interface: "Wireless"
    + AP ID:

- Access Control Profiles > Policy Mappings >
  + Add New:
    + Map to Location: Select Location
    + Policy Role: "Enterprise Access"
    + VLAN [id] Name: Add New:
    + VLAN Egress: "Tagged"

- Access Control Profile
  + Add New (for each location)
    + Accept Policy: Select Policy Mapping (step #2)
    + Replace RADIUS Attributes with Accept Policy

- Access Control Configurations > Default
  + Add New Rule (for each location)
    + Authentication Rule: 802.1X (EAP-TLS)
    + Location Group: Select Location (step #1)
    + Profile: Select Access Control Profiles (step #2)

- Enforce

Roles/Services > Enterprise Access > Mappings
- Add (Type: RFC3580) VLAN:  for each location

- Save Domain, Enforce Domain (Ignore Errors)

Client is authenticated against NPS.
Policy (Role/VLAN mapping) is applied directly from EAC.
Role "Enterprise Access" is used as an example.
Cheers!
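The RADIUS side of the solution above, as an added example that is not code from this thread, from Extreme or from NPS: a small Python model of the decision the EAC accept policy makes once the EWC sends the AP zone instead of the BSSID in Called-Station-Id, and of the RFC 3580 attribute set (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID plus Filter-Id, matching the "Both ..." option chosen on the EWC) that an Access-Accept has to carry for the VLAN to be applied. Assumptions: Called-Station-Id keeps the RFC 3580 section 3.20 form "<prefix>:<SSID>", with the prefix being either the BSSID or the zone name; the zone names, VLAN table, SSID and BSSID values are constructed for the example; the role name "Enterprise Access" is the one used in the post.

```python
"""
Added example (not from the thread, Extreme or NPS): deciding RFC 3580 VLAN
attributes for an Access-Accept from the Called-Station-Id sent by the EWC
when "Replace BSSID with Zone name" is enabled.

Assumption: Called-Station-Id has the RFC 3580 3.20 form "<prefix>:<SSID>",
where <prefix> is the BSSID (zone replacement off) or the AP zone name.
"""
import re

# Constructed AP zone -> (VLAN name, VLAN ID) table. Assumption: the zone
# names match the location groups configured on the EAC.
LOCATION_VLANS = {
    "Location1": ("Loc1-Users", 110),
    "Location2": ("Loc2-Users", 120),
}

# Filter-Id value the EWC maps to a role; "Enterprise Access" is the role
# used as the example in the post above.
POLICY_ROLE = "Enterprise Access"

# RFC 2868 enumerations that RFC 3580 requires next to
# Tunnel-Private-Group-ID for VLAN assignment.
TUNNEL_TYPE_VLAN = 13        # Tunnel-Type = VLAN
TUNNEL_MEDIUM_IEEE_802 = 6   # Tunnel-Medium-Type = IEEE-802

_BSSID_RE = re.compile(r"^([0-9A-Fa-f]{2}[-:]){5}[0-9A-Fa-f]{2}$")


def parse_called_station_id(value):
    """Split 'prefix:SSID' into (prefix, ssid, prefix_is_bssid).

    rpartition is used because a colon-separated BSSID itself contains ':'.
    An SSID that contains ':' would be mis-split; that is a limitation of the
    RFC 3580 string form and is not handled here.
    """
    prefix, sep, ssid = value.rpartition(":")
    if not sep:
        return value, "", bool(_BSSID_RE.match(value))
    return prefix, ssid, bool(_BSSID_RE.match(prefix))


def accept_attributes(called_station_id):
    """Return the Access-Accept attributes for this request, or None.

    None means no location decision is possible: either the EWC still sent
    the BSSID (zone replacement not enabled on that WLAN service) or the zone
    has no VLAN mapping. The caller should then fall back to the WLAN's
    default topology instead of guessing a VLAN.
    """
    prefix, _ssid, is_bssid = parse_called_station_id(called_station_id)
    if is_bssid or prefix not in LOCATION_VLANS:
        return None
    _vlan_name, vlan_id = LOCATION_VLANS[prefix]
    return {
        # Tag 0 on the three tunnel attributes: RFC 2868 allows tagged
        # groups, but a single VLAN needs no grouping.
        "Tunnel-Type": (0, TUNNEL_TYPE_VLAN),
        "Tunnel-Medium-Type": (0, TUNNEL_MEDIUM_IEEE_802),
        # RFC 3580 allows either the VLAN ID (as a string) or the VLAN name;
        # the ID is sent so the result does not depend on name spelling on
        # the EWC side.
        "Tunnel-Private-Group-ID": (0, str(vlan_id)),
        # Sent together with the tunnel attributes because the EWC option
        # chosen above expects both Filter-Id and the VLAN attributes.
        "Filter-Id": POLICY_ROLE,
    }


def vlan_for_request(called_station_id, default_vlan_id):
    """VLAN ID that ends up applied, falling back to the WLAN default."""
    attrs = accept_attributes(called_station_id)
    if attrs is None:
        return default_vlan_id
    return int(attrs["Tunnel-Private-Group-ID"][1])


if __name__ == "__main__":
    # Constructed Called-Station-Id values: zone name, BSSID (replacement
    # not in effect), and a zone without a mapping.
    for csid in ("Location1:CorpWiFi",
                 "00-10-A4-23-19-C0:CorpWiFi",
                 "Location9:CorpWiFi"):
        print(csid, "->", accept_attributes(csid))
```

The useful check is the BSSID case: if NPS (or the EAC) still sees a MAC-looking prefix, "Replace BSSID with Zone name" is not active on that WLAN service, and no location rule can match, which is what the original poster was seeing before the EAC configuration above.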
12-05-2017 11:39 AM
https://community.extremenetworks.com/extreme/topics/how-to-configure-windows-2012-nps-for-radius-au...
12-05-2017 06:56 AM
You need:
- location groups with APs
- a rule on EWC for every VLAN you use (matching the rule you get from NAC via RADIUS!) with the configured VLAN topology
- a NAC AAA rule for every location using these EWC rules. The RADIUS request will overwrite the default rule on EWC
- on EWC (Global/Authentication/RFC3580): choose "Both RADIUS Filter-ID and Tunnel-Private-Group-ID attributes"
- VLANs tagged on the AP wired port
Try the WLAN config without TLS and NPS! Use the NAC user store to prevent issues from NPS.
br
Volker