Cisco WLC, Single SSID, 2 User Groups in Different VLANs

Here’s the scenario:

The customer wanted to provide wireless network access to 2 different groups of users, say sales and technical. The sales and technical user groups have their network privileges restricted by use of VLANs, and the customer envisioned having 2 SSIDs, one per user VLAN. Wireless authentication was going to be via a pre-shared key (not my idea!!!).

Here’s the hardware:

2 x Cisco 5508 Wireless LAN Controller (Active & Backup)
130 x Cisco 3500 APs
5 x Cisco 3750 Switches (Core)
24 x Cisco 3650 Switches (Access)
2 x HP DL380 G7 (Server 2008 R2)

I work for an Aruba Networks partner and know that there’s a more elegant solution to what the customer is asking to do when using an Aruba wireless controller but wasn’t aware of a way to do this with a Cisco Wireless LAN Controller.

Solution:

I installed the Certificate Services role on one server and then installed the Network Policy Server role on the other (the CA issues the server certificate NPS presents to wireless clients during PEAP).
Created 1 SSID on the Cisco WLC and bound it to a guest VLAN which only has Internet access, so a client that authenticates without being given a VLAN lands somewhere harmless. Configured the SSID to use 802.1X authentication, pointed it at the NPS server as its RADIUS server and enabled Allow AAA Override on the WLAN. This override setting is key! It allows the WLC to act on RADIUS attributes sent back by NPS which specify which VLAN users will be put into upon authentication. The WLC maps the returned VLAN ID to one of its dynamic interfaces, so each target VLAN (sales, technical) must already exist as a dynamic interface on the controller or the override will not take effect.

Next, NPS was configured with 3 Network Policies: one for sales users, one for technical users and one for domain computers, each matched on the corresponding AD group membership. Because AAA Override hands VLAN placement to NPS, these policy conditions are what actually enforce which VLAN a user ends up in.

Now here’s the good bit:

By configuring the following 3 RADIUS standard attribute types (the RFC 2868 tunnel attributes) in each Network Policy, NPS tells the Cisco WLC that users it has authenticated should be placed in the VLAN specified in the Tunnel-Pvt-Group-ID RADIUS attribute (RFC name Tunnel-Private-Group-ID). All three must be present; the group ID on its own is ignored.

Here are the 3 attributes:

[64] Tunnel-Type (set this to VLAN, numeric value 13)
[65] Tunnel-Medium-Type (set this to 802, numeric value 6, i.e. IEEE 802 media)
[81] Tunnel-Pvt-Group-ID (set this to the VLAN ID you wish to put the user in, sent as a string, e.g. "10")
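To make the three attributes concrete, here is an added example (not code from the original post, and not Cisco or Microsoft code) that builds the RFC 2868 tunnel attributes exactly as they travel inside a RADIUS Access-Accept, then parses them back the way a controller with AAA Override enabled has to before trusting the VLAN. The parse side models the check a controller should make (all three attributes present under the same tag, Tunnel-Type really is VLAN, Tunnel-Medium-Type really is IEEE 802, group ID is a sane VLAN number); that specific checking logic is my assumption about good practice, not a statement about how the WLC firmware is implemented. The sample VLAN IDs are constructed.

```python
"""Encode and decode the RFC 2868 tunnel attributes (64, 65, 81) used for
dynamic VLAN assignment. Added example, not from the original post."""

TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81          # NPS UI calls this Tunnel-Pvt-Group-ID

TUNNEL_TYPE_VLAN = 13                 # IANA value for Tunnel-Type "VLAN"
TUNNEL_MEDIUM_IEEE_802 = 6            # IANA value for Tunnel-Medium-Type "802"


def encode_tagged_int(attr_type: int, value: int, tag: int = 0) -> bytes:
    """Tagged integer attribute: Type, Length, Tag, 24-bit value (RFC 2868 3.1/3.2)."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0..31")
    if not 0 <= value <= 0xFFFFFF:
        raise ValueError("value must fit in 24 bits")
    body = bytes([tag]) + value.to_bytes(3, "big")
    return bytes([attr_type, 2 + len(body)]) + body


def encode_tagged_string(attr_type: int, value: str, tag: int = 0) -> bytes:
    """Tagged string attribute: Type, Length, Tag, String (RFC 2868 3.6)."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0..31")
    body = bytes([tag]) + value.encode("ascii")
    if len(body) > 253:
        raise ValueError("attribute too long")
    return bytes([attr_type, 2 + len(body)]) + body


def vlan_attributes(vlan_id: int, tag: int = 0) -> bytes:
    """The three attributes an NPS Network Policy sends to put a user in vlan_id."""
    return (encode_tagged_int(TUNNEL_TYPE, TUNNEL_TYPE_VLAN, tag)
            + encode_tagged_int(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_IEEE_802, tag)
            + encode_tagged_string(TUNNEL_PRIVATE_GROUP_ID, str(vlan_id), tag))


def parse_attributes(data: bytes):
    """Split a RADIUS attribute list into (type, value) pairs, validating lengths."""
    attrs, i = [], 0
    while i < len(data):
        if len(data) - i < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, data[i + 2:i + length]))
        i += length
    return attrs


def split_tag(attr_type: int, value: bytes):
    """Return (tag, payload). For attribute 81 a first octet > 0x1F is not a
    tag but the first character of the group ID (RFC 2868 3.6)."""
    if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
        return value[0], value[1:]
    if value and value[0] <= 0x1F:
        return value[0], value[1:]
    return 0, value


def assigned_vlan(data: bytes):
    """Return the VLAN ID a controller should apply for this Access-Accept,
    or None if the attributes are missing, inconsistent or not a VLAN."""
    groups = {}  # tag -> {attr_type: payload}; tunnel attributes are grouped by tag
    for attr_type, raw in parse_attributes(data):
        if attr_type not in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID):
            continue
        tag, payload = split_tag(attr_type, raw)
        groups.setdefault(tag, {})[attr_type] = payload
    for _tag, group in sorted(groups.items()):
        if not all(t in group for t in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID)):
            continue  # the group ID alone must not move a client between VLANs
        if int.from_bytes(group[TUNNEL_TYPE], "big") != TUNNEL_TYPE_VLAN:
            continue
        if int.from_bytes(group[TUNNEL_MEDIUM_TYPE], "big") != TUNNEL_MEDIUM_IEEE_802:
            continue
        gid = group[TUNNEL_PRIVATE_GROUP_ID].decode("ascii", "replace")
        if gid.isdigit() and 1 <= int(gid) <= 4094:
            return int(gid)
    return None


if __name__ == "__main__":
    # Constructed sample: the "sales" policy returning VLAN 10
    accept = vlan_attributes(10)
    print("on the wire:", accept.hex(" "))
    print("controller would assign VLAN", assigned_vlan(accept))
```

The on-the-wire bytes for VLAN 10 are `40 06 00 00 00 0d 41 06 00 00 00 06 51 05 00 31 30`, which is what you will see in a packet capture of the NPS reply; note that the group ID is the ASCII string "10", not a binary integer, which is why a typo such as "010" or "VLAN10" in the policy silently fails to match an interface.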

Next, a wireless Group Policy was configured with the SSID, encryption, authentication and single sign-on settings and applied to domain computers. Since this is PEAP, the same policy should also make clients validate the NPS server certificate against the internal CA, otherwise a rogue AP broadcasting the same SSID can harvest domain credentials.

Note: The domain computers NPS Network Policy is essential so that machines can authenticate to the wireless network at boot, before any user attempts to log on. Without it, computer Group Policy cannot apply and users cannot authenticate against the domain because the machine has no network until someone is logged on.

Sources:

Dynamic VLAN Assignment with RADIUS Server and Wireless LAN Controller Configuration Example
NPS RADIUS Attributes

Note: This post is mostly for my benefit so I don’t forget! The links above go into more detail on the topic.