Dynamic Vlan/Similar option is not working for Wired Clients (MAB/8021x) on Meraki Switches
Configure Dynamic VLAN Assignment with WLCs Based on ISE to Active Directory Group Map
Introduction
This document describes the concept of dynamic VLAN assignment.
Prerequisites
The document describes how to configure the wireless LAN controller (WLC) and Identity Services Engine (ISE) server in order to assign wireless LAN (WLAN) clients into a specific VLAN dynamically.
Requirements
Cisco recommends that you have knowledge of these topics:
- Basic knowledge of Wireless LAN Controllers (WLCs) and Lightweight Access Points (LAPs)
- Functional knowledge of an Authentication, Authorization, and Accounting (AAA) server such as an ISE
- Thorough knowledge of wireless networks and wireless security issues
- Functional and configurable knowledge of dynamic VLAN assignment
- Basic understanding of Microsoft Windows AD services, as well as a domain controller and DNS concepts
- Basic knowledge of the Control And Provisioning of Wireless Access Points protocol (CAPWAP)
Components Used
The information in this document is based on these software and hardware versions:
- Cisco 5520 Series WLC that runs firmware release 8.8.111.0
- Cisco 4800 Series AP
- Native Windows supplicant and Anyconnect NAM
- Cisco Secure ISE version 2.3.0.298
- Microsoft Windows 2016 Server configured as a domain controller
- Cisco 3560-CX Series Switch that runs version 15.2(4)E1
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
Conventions
Refer to Cisco Technical Tips Conventions for more information on document conventions.
Dynamic VLAN Assignment with RADIUS Server
In most WLAN systems, each WLAN has a static policy that applies to all clients associated with a Service Set Identifier (SSID), or WLAN in the controller terminology. Although powerful, this method has limitations because it requires clients to associate with different SSIDs in order to inherit different QoS and security policies.
Cisco WLAN solution addresses that limitation by the support of identity networking. This allows the network to advertise a single SSID but allows specific users to inherit different QoS, VLAN attributes, and/or security policies based on the user credential.
Dynamic VLAN assignment is one such feature that places a wireless user into a specific VLAN based on the credentials supplied by the user. This task to assign users to a specific VLAN is handled by a RADIUS authentication server, such as Cisco ISE. This can be used, for example, in order to allow the wireless host to remain on the same VLAN as it moves within a campus network.
The Cisco ISE server authenticates wireless users against one of several possible databases, which includes its internal database. For example:
- Internal DB
- Active Directory
- Generic Lightweight Directory Access Protocol (LDAP)
- Open Database Connectivity (ODBC)-compliant relational databases
- Rivest, Shamir, and Adleman (RSA) SecurID token servers
- RADIUS-compliant token servers
Cisco ISE Authentication Protocols and Supported External Identity Sources list the various authentication protocols supported by ISE internal and external databases.
This document focuses on authenticating wireless users against a Windows Active Directory external database.
After successful authentication, ISE retrieves the group information of that user from the Windows database and associates the user to the respective authorization profile.
When a client attempts to associate with a LAP registered with a controller, the LAP passes the credentials of the user to the WLC with the help of the respective EAP method.
WLC sends those credentials to ISE with the use of RADIUS protocol (encapsulating the EAP) and ISE passes the credentials of users to AD for validation with the help of the KERBEROS protocol.
AD validates the user credentials and upon successful authentication, informs the ISE.
Once the authentication is successful, the ISE server passes certain Internet Engineering Task Force (IETF) attributes to WLC. These RADIUS attributes decide the VLAN ID that must be assigned to the wireless client. The SSID (WLAN, in terms of WLC) of the client does not matter because the user is always assigned to this predetermined VLAN ID.
The RADIUS user attributes used for the VLAN ID assignment are:
- IETF 64 (Tunnel Type) — Set this to VLAN
- IETF 65 (Tunnel Medium Type) — Set this to 802
- IETF 81 (Tunnel Private Group ID) — Set this to VLAN ID
The VLAN ID is 12 bits and takes a value between 1 and 4094, inclusive. Because the Tunnel-Private-Group-ID is of type string, as defined in RFC 2868 for use with IEEE 802.1X, the VLAN ID integer value is encoded as a string. When these tunnel attributes are sent, it is necessary to fill in the Tag field.
As noted in RFC 2868, section 3.1: the Tag field is one octet in length and is intended to provide a means of grouping attributes in the same packet which refer to the same tunnel. Valid values for this field are 0x01 through 0x1F, inclusive. If the Tag field is unused, it must be zero (0x00). Refer to RFC 2868 for more information on all RADIUS attributes.
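The byte layout of the three attributes described above, as an added example that is not part of the original Cisco document: it encodes the VLAN assignment the way RFC 2868 lays it out and decodes it again, grouping attributes by Tag and rejecting VLAN IDs outside 1 to 4094. The function names are hypothetical, and treating a missing tag octet on attribute 81 as tag 0 is an assumption of this sketch.

```python
"""RFC 2868 tunnel attributes as used for dynamic VLAN assignment (added example)."""

TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TYPE_VLAN = 13    # Tunnel-Type value meaning "VLAN"
MEDIUM_802 = 6    # Tunnel-Medium-Type value meaning "802"
MAX_TAG = 0x1F    # tags are 0x01-0x1F; 0x00 means "unused"


def encode_vlan_attrs(vlan_id, tag=0):
    """Build the three attributes an Access-Accept carries to assign vlan_id."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be between 1 and 4094")
    if not 0 <= tag <= MAX_TAG:
        raise ValueError("Tag must be 0x00 (unused) or 0x01-0x1F")
    out = b""
    for attr, value in ((TUNNEL_TYPE, TYPE_VLAN), (TUNNEL_MEDIUM_TYPE, MEDIUM_802)):
        # Type, Length=6, Tag, then a 3-octet value.
        out += bytes([attr, 6, tag]) + value.to_bytes(3, "big")
    text = str(vlan_id).encode("ascii")   # the integer travels as a string
    out += bytes([TUNNEL_PRIVATE_GROUP_ID, 3 + len(text), tag]) + text
    return out


def iter_attrs(buf):
    """Yield (type, value) for each TLV in a RADIUS attribute section."""
    i = 0
    while i < len(buf):
        if len(buf) - i < 2:
            raise ValueError("truncated attribute header")
        attr, length = buf[i], buf[i + 1]
        if length < 2 or i + length > len(buf):
            raise ValueError("attribute length out of bounds")
        yield attr, buf[i + 2:i + length]
        i += length


def decode_vlan_assignment(buf):
    """Return {tag: vlan_id} for every complete VLAN tunnel group in buf."""
    tunnels = {}
    for attr, value in iter_attrs(buf):
        if attr in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if len(value) != 4 or value[0] > MAX_TAG:
                raise ValueError("malformed tagged integer attribute")
            tunnels.setdefault(value[0], {})[attr] = int.from_bytes(value[1:], "big")
        elif attr == TUNNEL_PRIVATE_GROUP_ID:
            if not value:
                raise ValueError("empty Tunnel-Private-Group-ID")
            # A first octet above 0x1F is string data, not a tag (assumed tag 0).
            if value[0] <= MAX_TAG:
                tag, text = value[0], value[1:]
            else:
                tag, text = 0, value
            tunnels.setdefault(tag, {})[attr] = text.decode("ascii")
    vlans = {}
    for tag, t in tunnels.items():
        if t.get(TUNNEL_TYPE) != TYPE_VLAN or t.get(TUNNEL_MEDIUM_TYPE) != MEDIUM_802:
            continue          # incomplete group: no VLAN override from this tag
        group = t.get(TUNNEL_PRIVATE_GROUP_ID, "")
        if not group.isdigit():
            continue          # missing, or not a numeric VLAN ID
        vlan_id = int(group)
        if not 1 <= vlan_id <= 4094:
            raise ValueError(f"VLAN ID {vlan_id} outside 1-4094")
        vlans[tag] = vlan_id
    return vlans


if __name__ == "__main__":
    # Constructed sample: User-Name "Alice" followed by the VLAN 1477 attributes.
    sample = bytes([1, 7]) + b"Alice" + encode_vlan_attrs(1477)
    print(sample.hex(" "))
    print(decode_vlan_assignment(sample))
```

A group that lacks any one of the three attributes yields no assignment, which is the case to look for when a client authenticates successfully but stays on the WLAN's default interface.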
This section provides the information needed to configure the described features in the document.
Network Diagram
Configurations
These are the configuration details of the components used in this diagram:
- The IP address of the ISE (RADIUS) server is 10.48.39.128.
- The Management and AP-manager Interface address of the WLC is 10.48.71.20.
- DHCP server resides in the LAN network and is configured for respective client pools; it is not shown in the diagram.
- VLAN1477 and VLAN1478 are used throughout this configuration. Users from the Marketing department are configured in order to be placed into VLAN1477 and users from the HR department are configured in order to be placed into VLAN1478 by the RADIUS server when both users connect to the same SSID, office_hq.
  - VLAN1477: 192.168.77.0/24. Gateway: 192.168.77.1
  - VLAN1478: 192.168.78.0/24. Gateway: 192.168.78.1
- This document uses 802.1x with PEAP-mschapv2 as the security mechanism.
This document uses 802.1x with PEAP-mschapv2 as the security mechanism.
Note: Cisco recommends that you use advanced authentication methods, such as EAP-FAST and EAP-TLS authentication, in order to secure the WLAN.
These assumptions are made before you perform this configuration:
- The LAP is already registered with the WLC
- The DHCP server is assigned a DHCP scope
- Layer 3 connectivity exists between all devices in the network
- The document discusses the configuration required on the wireless side and assumes that the wired network is in place
- Respective users and groups are configured on AD
In order to accomplish dynamic VLAN assignment with WLCs based on ISE to AD group mapping, these steps must be performed:
- ISE to AD integration and configuration of authentication and authorization policies for users on ISE.
- WLC configuration in order to support dot1x authentication and AAA override for SSID 'office_hq'.
- End client supplicant configuration.
ISE to AD Integration and Configuration of Authentication and Authorization Policies for Users on ISE
- Log in to the ISE Web UI using an admin account.
WLC Configuration to Support dot1x Authentication and AAA Override for SSID 'office_hq'
Use the Windows 10 native supplicant and Anyconnect NAM in order to test connections.
Since you are using EAP-PEAP authentication and ISE is using a Self-Signed Certificate (SSC), you must agree to a certificate warning or disable certificate validation. In a corporate environment, you must use a signed and trusted certificate on ISE and ensure that the end-user devices have the appropriate root certificate installed under the Trusted CA list.
Test connection with Windows 10 and native supplicant:
- From the WLC CLI, the client status can be checked with the show client detail <mac-address> command:
show client detail f4:8c:50:62:14:6b
Client MAC Address............................... f4:8c:50:62:14:6b
Client Username ................................. Bob
Client Webauth Username ......................... N/A
Hostname: .......................................
Device Type: .................................... Intel-Device
AP MAC Address................................... 70:69:5a:51:4e:c0
AP Name.......................................... AP4C77.6D9E.6162
AP radio slot Id................................. 1
Client State..................................... Associated
User Authenticated by ........................... RADIUS Server
Client User Group................................ Bob
Client NAC OOB State............................. Access
Wireless LAN Id.................................. 3
Wireless LAN Network Name (SSID)................. office_hq
Wireless LAN Profile Name........................ office_hq
Hotspot (802.11u)................................ Not Supported
Connected For ................................... 242 secs
BSSID............................................ 70:69:5a:51:4e:cd
Channel.......................................... 36
IP Address....................................... 192.168.78.36
Gateway Address.................................. 192.168.78.1
Netmask.......................................... 255.255.255.0
...
Policy Manager State............................. RUN
...
EAP Type......................................... PEAP
Interface........................................ vlan1478
VLAN............................................. 1478
Quarantine VLAN.................................. 0
Access VLAN...................................... 1478
Test connection with Windows 10 and Anyconnect NAM:
- From the WLC CLI, the client status can be checked with the show client detail <mac-address> command:
Client MAC Address............................... f4:8c:50:62:14:6b
Client Username ................................. Alice
Client Webauth Username ......................... N/A
Hostname: .......................................
Device Type: .................................... Intel-Device
AP MAC Address................................... 70:69:5a:51:4e:c0
AP Name.......................................... AP4C77.6D9E.6162
AP radio slot Id................................. 1
Client State..................................... Associated
User Authenticated by ........................... RADIUS Server
Client User Group................................ Alice
Client NAC OOB State............................. Access
Wireless LAN Id.................................. 3
Wireless LAN Network Name (SSID)................. office_hq
Wireless LAN Profile Name........................ office_hq
Hotspot (802.11u)................................ Not Supported
Connected For ................................... 765 secs
BSSID............................................ 70:69:5a:51:4e:cd
Channel.......................................... 36
IP Address....................................... 192.168.77.32
Gateway Address.................................. 192.168.77.1
Netmask.......................................... 255.255.255.0
...
Policy Manager State............................. RUN
...
Policy Type...................................... WPA2
Authentication Key Management.................... 802.1x
Encryption Cipher................................ CCMP-128 (AES)
Protected Management Frame ...................... No
Management Frame Protection...................... No
EAP Type......................................... PEAP
Interface........................................ vlan1477
VLAN............................................. 1477
Troubleshoot
- Use the test aaa radius username <user> password <password> wlan-id <id> in order to test the RADIUS connection between WLC and ISE and the test aaa show radius in order to show the results.
test aaa radius username Alice password <removed> wlan-id 2
Radius Test Request
Wlan-id........................................ 2
ApGroup Name................................... none
Attributes                      Values
----------                      ------
User-Name                       Alice
Called-Station-Id               00-00-00-00-00-00:AndroidAP
Calling-Station-Id              00-11-22-33-44-55
Nas-Port                        0x00000001 (1)
Nas-Ip-Address                  10.48.71.20
NAS-Identifier                  0x6e6f (28271)
Airespace / WLAN-Identifier     0x00000002 (2)
User-Password                   cisco!123
Service-Type                    0x00000008 (8)
Framed-MTU                      0x00000514 (1300)
Nas-Port-Type                   0x00000013 (19)
Cisco / Audit-Session-Id        1447300a0000003041d5665c
Acct-Session-Id                 5c66d541/00:11:22:33:44:55/743
test radius auth request successfully sent. Execute 'test aaa show radius' for response
(Cisco Controller) >test aaa show radius
Radius Test Request
Wlan-id........................................ 2
ApGroup Name................................... none
Radius Test Response
Radius Server            Retry Status
-------------            ----- ------
10.48.39.128             1     Success
Authentication Response:
Result Code: Success
Attributes                      Values
----------                      ------
User-Name                       Alice
State                           ReauthSession:1447300a0000003041d5665c
Class                           CACS:1447300a0000003041d5665c:rmanchur-ise/339603379/59
Tunnel-Type                     0x0000000d (13)
Tunnel-Medium-Type              0x00000006 (6)
Tunnel-Group-Id                 0x000005c5 (1477)
(Cisco Controller) >
- Use the debug client <mac-address> in order to troubleshoot wireless client connectivity issues.
Note: Use this command only with the debug mac addr in order to limit the output based on the MAC address for which debugging is done.
- Refer to ISE live logs and session logs in order to identify problems with authentication failures and AD communication issues.
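A check for the test aaa show radius step above, as an added example that is not part of the original Cisco document: it parses the Authentication Response table and reports why a user would not land in the expected VLAN. The sample text is the response portion shown on this page; the function names `parse_response` and `audit_vlan_override` are hypothetical.

```python
import re

# Response portion of the `test aaa show radius` output shown on this page.
SAMPLE = """\
Authentication Response:
  Result Code: Success
  Attributes                      Values
  ----------                      ------
  User-Name                       Alice
  State                           ReauthSession:1447300a0000003041d5665c
  Class                           CACS:1447300a0000003041d5665c:rmanchur-ise/339603379/59
  Tunnel-Type                     0x0000000d (13)
  Tunnel-Medium-Type              0x00000006 (6)
  Tunnel-Group-Id                 0x000005c5 (1477)
"""

# A table row is a name followed by either "0x<hex> (<dec>)" or one bare token.
_ROW = re.compile(r"^(.*?)\s+(0x[0-9a-fA-F]+ \(\d+\)|\S+)$")
_NUMERIC = re.compile(r"^0x[0-9a-fA-F]+ \((\d+)\)$")


def parse_response(output):
    """Return (result_code, {attribute: value}) from the response text."""
    result, attrs, in_table = None, {}, False
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith("Result Code:"):
            result = line.split(":", 1)[1].strip()
        elif line.startswith("----"):
            in_table = True           # attribute rows follow the dashed rule
        elif in_table and line:
            row = _ROW.match(line)
            if not row:
                continue
            name, value = row.group(1), row.group(2)
            number = _NUMERIC.match(value)
            attrs[name] = int(number.group(1)) if number else value
    return result, attrs


def audit_vlan_override(output, expected_vlan):
    """List the reasons the response would not place the user in expected_vlan."""
    result, attrs = parse_response(output)
    findings = []
    if result != "Success":
        findings.append(f"authentication result is {result!r}")
    if attrs.get("Tunnel-Type") != 13:
        findings.append("Tunnel-Type is missing or not VLAN (13)")
    if attrs.get("Tunnel-Medium-Type") != 6:
        findings.append("Tunnel-Medium-Type is missing or not 802 (6)")
    vlan = attrs.get("Tunnel-Group-Id")
    if not isinstance(vlan, int) or not 1 <= vlan <= 4094:
        findings.append("Tunnel-Group-Id is missing or outside 1-4094")
    elif vlan != expected_vlan:
        findings.append(f"user mapped to VLAN {vlan}, expected {expected_vlan}")
    return findings


if __name__ == "__main__":
    # Alice is a Marketing user on this page, so VLAN 1477 is expected.
    print(audit_vlan_override(SAMPLE, 1477) or "VLAN override attributes are complete")
```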
Contributed by Cisco Engineers
- Roman Manchur Cisco TAC Engineer
This Document Applies to These Products
- Identity Services Engine
- Wireless LAN Controller Software
- Wireless, LAN (WLAN)
Dynamic Vlan Assignment /DACL's with Cisco ISE and ArubaOS-Switch
1. Dynamic Vlan Assignment /DACL's with Cisco ISE and ArubaOS-Switch
Hi Created,
This guide below is how to set up DACL's and how to dynamically assign a vlan to a device connecting to the network.
2. RE: Dynamic Vlan Assignment /DACL's with Cisco ISE and ArubaOS-Switch
Is there a way to do a reassign of the DACL? If, for example, on the Cisco ISE for that user I need to assign him a new ACL, can I do that with the CoA?
Or is this not possible at all?
3. RE: Dynamic Vlan Assignment /DACL's with Cisco ISE and ArubaOS-Switch
What you normally would do is trigger a 'Terminate Session', where the switch will do a new authentication for the user/device and you can then return the new role/DACL as part of your policy/enforcement.
I'm not sure if ISE supports DACL for Aruba switches, but you may fall back to user roles and return a local user role.
4. RE: Dynamic Vlan Assignment /DACL's with Cisco ISE and ArubaOS-Switch
Yes, I have configured DACL from ISE to Aruba switches and it's working perfectly, but I need to make changes to the DACL and I haven't figured out how to do that (using VSA 92 standard, by the way). If you need the config, just let me do a session with the client to take screenshots of ISE and the config of the switch (the hardest part was to send the client IP address to ISE).
With the CoA 'Terminate Session', if you have experience with Cisco ISE, could you show me how that configuration of the terminate session goes? I haven't got that part; I still have doubts about that configuration.
Gerardo Andree Mejia
5. RE: Dynamic Vlan Assignment /DACL's with Cisco ISE and ArubaOS-Switch
You can initially deploy user role with policy and assign different user role having different policy based on your requirement using reauthentication CoA as below
6. RE: Dynamic Vlan Assignment /DACL's with Cisco ISE and ArubaOS-Switch
So I can add the:
and send that information on the reauthenticate for the Aruba switches, right?
I think I'm getting it, so what you do in the definition on the ISE is define the VSA that I'm going to send to the switch, right?
Thanks for the help, by the way.
7. RE: Dynamic Vlan Assignment /DACL's with Cisco ISE and ArubaOS-Switch
Yes we could send NAS-Filter-Rule via CoA.
8. RE: Dynamic Vlan Assignment /DACL's with Cisco ISE and ArubaOS-Switch
Hi Shobana,
I had a problem with the CoA re-authenticate.
This is the configuration I put on the ISE profile and I still got no response from the switch.
Do you see anything bad in there?
I am going to add the config of the switch; I don't know if maybe there's something else that needs to be done.
Thanks for the help.
9. RE: Dynamic Vlan Assignment /DACL's with Cisco ISE and ArubaOS-Switch
You have to enable this CLI for radius dyn authorization
radius dyn-authorization enable
radius dyn-authorization client { <IPV4> | <IPV6> | <HOSTNAME> }
[secret-key [plaintext <PASSKEY> | ciphertext <PASSKEY>]]
[time-window <WIDTH>] [replay-protection {enable|disable}]
More details here -
https://www.arubanetworks.com/techdocs/AOS-CX/10.08/HTML/security_6200-6300-6400/Content/Chp_RAD_dyn_auth/RAD_dyn_auth_cmds/rad-dyn-aut-com-fl-10.htm
10. RE: Dynamic Vlan Assignment /DACL's with Cisco ISE and ArubaOS-Switch
Does this apply to version 16.11 for AOS-S?
The Cisco Learning Network
Vasco F Costa asked a question.
Scrambled a file with the configs that I use to have dynamic vlan assigned by my radius server (ISE).
(apologies for such a raw presentation)
Vasco F Costa
Just concluded the dynamic vlan authentication with flexconnect.
In the ISE, the config is the same as demonstrated in the pptx file.
I didn't use my ipv6 only network because they're not supported in local switch mode:
Cisco Wireless LAN Controller IPv6 Deployment Guide, CUWN Release 8.0 - Cisco
IPV6 and IPv4 are supported on the Flex Connect APs in the Centrally switched mode only. In the Locally switched mode, IPv4 clients work as before with no issues.
wired infrastructure:
For my flexconnect site, I have a l3 switch directly connected to my OSPF area 0.
FLEXRemoto#sh ip route
O E2 192.168.29.0/24 [110/20] via 10.1.1.1, 00:31:00, Vlan1
C 192.168.183.0/24 is directly connected, Vlan803
C 192.168.182.0/24 is directly connected, Vlan802
C 192.168.181.0/24 is directly connected, Vlan801
C 192.168.180.0/24 is directly connected, Vlan800
O E2 192.168.111.0/24 [110/20] via 10.1.1.1, 00:31:00, Vlan1
O E2 192.168.201.0/24 [110/20] via 10.1.1.2, 01:31:36, Vlan1
O E2 192.168.202.0/24 [110/20] via 10.1.1.1, 00:31:00, Vlan1
10.0.0.0/24 is subnetted, 1 subnets
C 10.1.1.0 is directly connected, Vlan1
O E2 192.168.112.0/24 [110/20] via 10.1.1.1, 01:31:36, Vlan1
O E2 192.168.220.0/24 [110/20] via 10.1.1.2, 01:31:36, Vlan1
O E2 192.168.101.0/24 [110/20] via 10.1.1.1, 01:31:36, Vlan1
S* 0.0.0.0/0 [1/0] via 10.1.1.1
O E2 192.168.180.0/23 [110/20] via 10.1.1.1, 00:31:00, Vlan1
switch port where the AP is connected is in trunk mode:
interface FastEthernet0/2
 description ->AP Flex
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 800
 switchport mode trunk
 spanning-tree portfast
wlan config
- created a wlan "flexdot1x" and assigned to the management interface of the WLC
- for security; it's the same dot1x authentication as I demonstrate in the pptx file.
- advanced tab; clicked on "Allow AAA override"; "Flexconnect Local Switching" and "VLAN based central switching"
- set operation mode as "flexconnect"
- in the "flexconnect" tab; clicked "vlan support" and set native vlan to 800
Flexconnect Group
- created a group
- added the AP to that group
- "ACL mapping" tab -> "AAA VLAN-ACL mapping". Add the same dot1x authenticated vlans (601; 630 and 640). both ingress and egress acl fields were left as "none"
- WLAN VLAN mapping tab; assigned the flexdot1x ssid to vlan 802
COMMENTS
Can anyone confirm or deny? Equipment: Virtual: ISE 2.4 Cisco 3850 Stack(s) IOS 3.6.9E RADIUS Authentication works. ... Wired Dynamic VLAN Assignment ... you can use dynamic VLAN assignment, this example should explain how to configure the switch and ISE ...
Configure the RADIUS (IETF) attributes used for dynamic VLAN Assignment on Cisco ISE. Step 1. Configure the Catalyst WLC as an AAA Client on the Cisco ISE server ... If a wired network is connected to the switch, then this same configuration can be applied to the switch port that connects to the wired network. This enables the communication ...
This article goes through some good-to-know general settings and logic to implement for most 802.1x/MAB deployments on wired infrastructure using Cisco ISE. This article focuses on general things to consider when going through your wired deployment. ... if you are implementing dynamic VLAN assignment in your deployment, consider assigning the ...
We are using ISE for wireless corporate and guest access for some time with no problems. Now we are planning to expand access control to wired LAN. We plan to use web authentication with dynamic vlan assignment to both visitors and contractors. In our testing we have some problems with IP address renewing, since some browsers restrict java and ...
Dynamic VLAN assignment is one such feature that places a wireless user into a specific VLAN based on the credentials supplied by the user. This task of assigning users to a specific VLAN is handled by a RADIUS authentication server, such as CiscoSecure ACS. ... If a wired network is connected to the switch, then this same configuration can be ...
The IEEE 802.1X VLAN Assignment feature is automatically enabled when IEEE 802.1X authentication is configured for an access port, which allows the RADIUS server to send a VLAN assignment to the device port. This assignment configures the device port so that network access can be limited for certain users.
All wired clients using the dynamic PVLAN interface template will be programmed as data clients. Only interfaces with existing Access or PVLAN Host switchport mode support PVLAN template. Identity Based Networking Services 2.0 (IBNS 2.0) must be used for dynamic template support. Information About Wired Dynamic PVLAN. Wired Dynamic PVLAN is a ...
Is it possible to configure a dynamic vlan allocation via Cisco ISE (Radius Server) for wired clients (MAB/8021X) ? If I configured a SSID on Cisco MR & having an option "RADIUS override", to get the VLAN-ID from my RADIUS-Server. On Cisco Meraki Switches unable to find such any option. Do you guys...
RADIUS VLAN Assignment with Cisco ISE. I am trying to install Cisco ISE 2.1 to be used as a RADIUS server with 802.1x on my switches. I want to dynamically assign a VLAN based to a user who connects on the switch port. The problem is that, although my end client is authenticated and authorized by ISE, the VLAN id never gets received on the ...
Configuring Dynamic Access Ports on a VMPS Client. To configure a dynamic access port on a VMPS client switch, perform this task: Enters global configuration mode. Enters interface configuration mode and specifies the port to be configured. Sets the port to access mode. Configures the port as eligible for dynamic VLAN access.
Wired 802.1X is definitely the right way to go for locking down wired ports. If security is the motivation, MAC addresses are trivially spoofed - use certificates (EAP-TLS) and/or passwords (PEAP) to authenticate devices instead. ... For MAB and dynamic vlan assignment is just some radius attribute codes in the replies, you can use open source ...
Beginner. 12-19-2023 06:13 AM. I have about 30 individual data vlans all with unique vlan IDs and names, the names all have the word data in them. 1 on each switch. I'm also running Cisco ISE. Is there a way that I can use the dynamic vlan assignment for each of these?