Same here, everything done with ISE. DM if you need help.
Manon Lessard Chargée de programmation et d’analyse CCNP, CWNE #275, AWA 10, ESCE Design Direction des technologies de l'information Pavillon Louis-Jacques-Casault 1055, avenue du Séminaire Bureau 0403 Université Laval, Québec (Québec) G1V 0A6, Canada 418 656-2131, poste 412853 Télécopieur : 418 656-7305 manon.less...@dti.ulaval.ca<mailto:manon.less...@dti.ulaval.ca> www.dti.ulaval.ca<http://www.dti.ulaval.ca/> Avis relatif à la confidentialité | Notice of Confidentiality<http://www.rec.ulaval.ca/lce/securite/confidentialite.htm> From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of "Gray, Sean" <sean.gr...@uleth.ca> Reply-To: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> Date: Wednesday, July 7, 2021 at 12:52 PM To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> Subject: [WIRELESS-LAN] ISE Dynamic VLAN redirect with single eduroam WLAN Hi Everyone, We are looking to amalgamate our 3 dot1x WLANs (employees/student/eduroam) into a single WLAN (eduroam). Behind the scenes we still need to authenticate and route clients to their respective network segment. So to achieve this we need to implement dynamic vlan redirects behind the scenes. Eduroam users from other institutions will be sent out to eduroam to be handled appropriately Authentication will be handled by ISE cluster, running 2.6.0.156 WLC – 5520 (pair) running 8.8.130.0 The process, from a high level should look something like this * Staff/faculty will connect to our new single WLAN, namely Eduroam * They will be caught by the appropriate policy and authenticated against AD, validating that they are staff/faculty * Now they will be redirected to the appropriate VLAN * Student will follow the same process, but will be validated that they are a student, and redirected to a different VLAN * All others (externals) will be sent to an external RADIUS server for auth and then redirected to yet another different VLAN. Currently unique policies exist for each of these processes, without the added complexities of the VLAN redirect. So my mission is to combine these, filtering each client to their auth point, and then upon receiving the authorization, assign the appropriate vlan tag, for IP assignment, prior to them getting on-net. I’ve been unable to find any meaningful documentation around how to handle internal vs external radius redirection in this scenario. So has anyone done this, and are they able to share their process, inclusive of vlan redirect? Thanks Sean Sean Gray | B.Sc (Hons) Voice, Collaboration & Wireless Network Analyst ITS, University of Lethbridge ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community
