Dynamic VLANs Location Aware - override RADIUS-assigned VLAN

  • Question
  • Updated 3 years ago
We're using Dynamic VLAN assignment using AD groups via 802.1X. NPS is the RADIUS server. This works great but we have an issue when a user travels to another location where different VLANs are used with the same SSID. The same pair of NPS servers (one primary & one backup) provide authentication for both locations. We've tried to override the RADIUS-assigned VLAN using location awareness via Topology maps, hostname and tags. However, the RADIUS-assigned VLAN takes precedence. Other than creating a separate SSID for the remote locations, is there a way to continue to use Dynamic VLANs with a single SSID and add location awareness to override the RADIUS-assigned VLAN?
Gary Bennett

Posted 3 years ago

Nick Lowe, Official Rep

Hi Gary,

The solution to this is to not send the VLAN in the Tunnel-Private-Group-Id attribute of the RADIUS Access-Accept and to instead set the VLAN based on those configured in user profiles.

You then need to have an appropriate set of user profiles configured with appropriate assignment rules so that they are applied appropriately.

See the following discussion that explains the two methods that Aerohive supports for assigning the user profile: