Configuring Device Registration with Dynamic VLAN Assignment

About this task

This section provides the configurations required to enable device registration with dynamic VLAN assignment in a multi-vendor environment.

Procedure

  1. Create vendor-specific RADIUS user groups and assign an allowed VLAN to each group, as shown in the following examples:
    nx9500-6C8809(config)#radius-group Apple
    nx9500-6C8809(config-radius-group-Apple)#policy vlan 200
    nx9500-6C8809(config)#radius-group Samsung
    nx9500-6C8809(config-radius-group-Samsung)#policy vlan 100
    nx9500-6C8809(config)#radius-group Devices
    nx9500-6C8809(config-radius-group-Devices)#policy vlan 1
    Note

    If necessary, configure the session-time for each of the RADIUS groups configured above. This is the duration for which a RADIUS group client's session remains active after successful authentication. Upon expiration, the RADIUS session is terminated. Use the policy > session-time > <5-144000> command to specify the session-time.
  2. Create a RADIUS user pool, add users to the pool, and assign the users to the vendor-specific user groups, as shown in the following examples:
    nx9500-6C8809(config)#radius-user-pool-policy Vendor-Devices
    nx9500-6C8809(config-radius-user-pool-Vendor-Devices)#user Samsung password 0 samsung group Samsung
    nx9500-6C8809(config-radius-user-pool-Vendor-Devices)#user test password 0 test123 group Apple
  3. Create a RADIUS server policy, and associate the RADIUS groups and user pool created in steps 1 and 2 respectively, as shown in the following examples:
    nx9500-6C8809(config)#radius-server-policy Guest-Radius
    nx9500-6C8809(config-radius-server-policy-Guest-Radius)#use radius-user-pool-policy Vendor-Devices
    nx9500-6C8809(config-radius-server-policy-Guest-Radius)#use radius-group Samsung
    nx9500-6C8809(config-radius-server-policy-Guest-Radius)#use radius-group Sony
    nx9500-6C8809(config-radius-server-policy-Guest-Radius)#use radius-group Apple
  4. Create an AAA policy on the controller and configure the authentication server as self, as shown in the following example:
    nx9500-6C8809(config)#aaa-policy OnBoard-NX
    nx9500-6C8809(config-aaa-policy-OnBoard-NX)#authentication server 1 onboard self
    nx9500-6C8809(config-aaa-policy-OnBoard-NX)#show context
    aaa-policy OnBoard-NX
     authentication server 1 onboard self
    nx9500-6C8809(config-aaa-policy-OnBoard-NX)#
  5. Create a captive portal, point it to the captive-portal server host, enable RADIUS VLAN assignment, and associate the AAA policy, as shown in the following examples:
    nx9500-6C8809(config)#captive-portal DeviceRegistration
    nx9500-6C8809(config-captive-portal-DeviceRegistration)#server host captive.extremenoc.com
    nx9500-6C8809(config-captive-portal-DeviceRegistration)#radius-vlan-assignment
    nx9500-6C8809(config-captive-portal-DeviceRegistration)#use aaa-policy OnBoard-NX
    nx9500-6C8809(config-captive-portal-DeviceRegistration)#access-type radius
  6. Configure a WLAN and enable RADIUS VLAN assignment, as shown in the following examples:
    nx9500-6C8809(config)#wlan CP-OnBoarding
    nx9500-6C8809(config-wlan-CP-OnBoarding)#ssid CP-OnBoarding
    nx9500-6C8809(config-wlan-CP-OnBoarding)#radius vlan-assignment
    nx9500-6C8809(config-wlan-CP-OnBoarding)#use aaa-policy OnBoard-NX
    nx9500-6C8809(config-wlan-CP-OnBoarding)#use captive-portal DeviceRegistration
    nx9500-6C8809(config-wlan-CP-OnBoarding)#captive-portal-enforcement fall-back
    nx9500-6C8809(config-wlan-CP-OnBoarding)#registration device group-name Devices expiry-time 4320
    nx9500-6C8809(config-wlan-CP-OnBoarding)#authentication-type mac
  7. Create an access point profile, associate the RADIUS server policy and the captive-portal policy with it, and assign the WLAN to the AP radio, as shown in the following examples:
    nx9500-6C8809(config-profile-SITE-10)#use radius-server-policy Guest-Radius
    nx9500-6C8809(config-profile-SITE-10)#use captive-portal server DeviceRegistration
    nx9500-6C8809(config-profile-SITE-10-if-radio2)#wlan CP-OnBoarding bss 1 primary
    nx9500-6C8809(config-profile-SITE-10-if-ge1)#switchport mode trunk
    nx9500-6C8809(config-profile-SITE-10-if-ge1)#switchport trunk native vlan 90
    nx9500-6C8809(config-profile-SITE-10-if-ge1)#switchport trunk allowed vlan 1,90,1000-1002
    nx9500-6C8809(config-profile-SITE-10-if-ge1)#no switchport trunk native tagged
  8. Use the access point profile in the access point's device context.

Related Commands

    radius-server-policy: Documents RADIUS server policy configuration commands
    radius-group: Documents RADIUS group policy configuration commands
    radius-user-pool-policy: Documents RADIUS user policy configuration commands
    AAA Policy: Documents AAA policy configuration commands
    captive-portal: Documents captive-portal configuration commands
    wlan: Documents WLAN configuration commands
    Profiles: Documents profile configuration commands
    guest-registration (show commands): Documents show > guest-registration command and outputs. Use this command to view guest registration statistics once device-registration is enabled.
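
The following added example (not part of the vendor documentation) cross-checks the session lines from steps 1, 3 and 7 of the procedure. It reports RADIUS groups that the server policy references but that were never defined, groups that are defined but not attached to the server policy, and group VLANs missing from the ge1 trunk's allowed list. It assumes client VLANs are bridged locally over ge1; the function names are illustrative.

```python
import re

# Session lines copied from steps 1, 3 and 7 of the procedure above.
SESSION = """\
nx9500-6C8809(config)#radius-group Apple
nx9500-6C8809(config-radius-group-Apple)#policy vlan 200
nx9500-6C8809(config)#radius-group Samsung
nx9500-6C8809(config-radius-group-Samsung)#policy vlan 100
nx9500-6C8809(config)#radius-group Devices
nx9500-6C8809(config-radius-group-Devices)#policy vlan 1
nx9500-6C8809(config-radius-server-policy-Guest-Radius)#use radius-group Samsung
nx9500-6C8809(config-radius-server-policy-Guest-Radius)#use radius-group Sony
nx9500-6C8809(config-radius-server-policy-Guest-Radius)#use radius-group Apple
nx9500-6C8809(config-profile-SITE-10-if-ge1)#switchport trunk allowed vlan 1,90,1000-1002
"""

def expand_vlans(spec):
    """Expand a list such as '1,90,1000-1002' into a set of VLAN IDs."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def audit(session):
    """Return sorted findings about group and VLAN cross-references."""
    group_vlan, used, allowed = {}, set(), set()
    for line in session.splitlines():
        # Split each line into the prompt context and the typed command.
        m = re.match(r"\S+?\((config[^)]*)\)#(.*)", line.strip())
        if not m:
            continue
        ctx, cmd = m.group(1), m.group(2).split()
        if cmd[:1] == ["radius-group"]:
            group_vlan.setdefault(cmd[1], None)
        elif ctx.startswith("config-radius-group-") and cmd[:2] == ["policy", "vlan"]:
            group_vlan[ctx[len("config-radius-group-"):]] = int(cmd[2])
        elif cmd[:2] == ["use", "radius-group"]:
            used.add(cmd[2])
        elif cmd[:4] == ["switchport", "trunk", "allowed", "vlan"]:
            allowed |= expand_vlans(cmd[4])
    findings = [f"server policy uses undefined group {g}" for g in used - group_vlan.keys()]
    findings += [f"group {g} is defined but not used by the server policy" for g in group_vlan.keys() - used]
    findings += [f"group {g} assigns VLAN {v}, which the trunk does not allow"
                 for g, v in group_vlan.items() if v is not None and v not in allowed]
    return sorted(findings)

if __name__ == "__main__":
    print("\n".join(audit(SESSION)))
```

Each finding is a discrepancy to review against the intended design before the profile is applied to an access point.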