cancel
Showing results for 
Search instead for 
Did you mean: 

How to dynamically assign a user to a VLAN depending on the AP location?

How to dynamically assign a user to a VLAN depending on the AP location?

Dusan_K_
New Contributor III

Hi all,

my goal is to use same SSID and (dynamically) assign users to a VLAN depending on location.

I am looking into "Replace BSSID with Zone name" in RADIUS TLVs (RADIUS Access Request Message Options) but had no success making it work. I can see the proper "Called Station Identifier: Location x" in NPS Event Viewer though. Now I need to find a way to assign a proper VLAN to it at the AP ...

I followed procedure on https://extremeportal.force.com/ExtrArticleDetail?an=000082506 but am missing something here ...

Setup: B@AP topology, EAP-TLS, NPS, NAC (RADIUS Proxy mode)

Thanks!

3 REPLIES 3

Dusan_K_
New Contributor III
Hi,

found a working solution w/ EAC!

Client EWC/B@AP EAC (Radius Proxy) NPS (EAP-TLS)

Here's my community contribution (based on Volker Kull's advice):

@EWC
    VNS > Global > Authentication > RFC 3580 (ACCESS-ACCEPT) Options: "Both RADIUS Filter-ID and Tunnel-Private-Group-ID attributes" VNS > WLAN Service > Auth & Acct > RADIUS TLVs > Zone Support > RADIUS Request Called Station ID Options > Replace BSSID with Zone name AP > Edit selected AP > AP Properies > Zone:
@EAC

Access Control >
    Group Editor > Location Group: + Add New Group (for each location): + Switches: "List" + + Interface: "Wireless" + AP ID: Access Control Profiles > Policy Mappings > + Add New: + Map to Location: Select Location + Policy Role: "Enterprise Access" + VLAN [id] Name: Add New: + + VLAN Egress: "Tagged" Access Control Profile + Add New (for each location) + Accept Policy: Select Policy Mapping (step #2) + Replace RADIUS Attributes with Accept Policy Access Control Configurations > Default + Add New Rule (for each location) + Authentication Rule: 802.1X (EAP-TLS) + Location Group: Select Location (step #1) + Profile: Select Access Control Profiles (step #2) Enforce
Policy >
    Roles/Services > Enterprise Access > Mappings + Add (Type: RFC3580) VLAN: for each location Save Domain Enforce Domain (Ignore Errors)
Note:
Client is authenticated against NPS.
Policy (Role/VLAN mapping) is applied directly from EAC.
Role Enterprise Access is used as an example

Cheers!

Ronald_Dvorak
Honored Contributor
You'd take a look into this post to get some ideas how to troubleshoot the issue...

https://community.extremenetworks.com/extreme/topics/how-to-configure-windows-2012-nps-for-radius-au...

Volker_Kull
Contributor
Hi Dusan!

you need :
- location groups with APs
- a rule on EWC for every VLAN you use (matching the rule you get from NAC via RADIUS !) with the configured VLAN topoogy
- a NAC aaa rule for every location using this EWC rules. Radius request will overwrite the default rule on EWC
- on EWC (Global/Authentication/RFC3580): choose: "Both RADIUS Filter-ID and Tunnel-Private-Group-ID attributes"
- VLANs tagged on AP wired port

try WLAN config without TLS and NPS ! Use NAC user store to prevent issues from NPS.

br
Volker
GTM-P2G8KFN