Dynamic VLAN Assignment with ACS Server

In this post we will learn/test how the dynamic VLAN assignment works.

Basic Info:

Dynamic VLAN assignment: It pushes a wireless user into a specific VLAN based on his identity. This task of assigning users to a specific VLAN is handled by a RADIUS authentication server (i.e. ACS).

It’s a type of identity networking. It allows us to have single SSID, but allows specific users to use different VLAN attributes based on the user credentials.

This task of assigning users to a specific VLAN is handled by a RADIUS authentication server (ACS 5.2 in my case). This can be used, for example, to allow the wireless host to remain on the same VLAN as it moves within a campus network.

As a result, when a client attempts to associate to a LAP registered with a controller, the LAP passes the credentials of the user to the RADIUS server for validation. Once the authentication is successful, the RADIUS server passes (IETF) attributes to the user. These RADIUS attributes decide the VLAN ID that should be assigned to the wireless client.

***In my post I am using a single SSID

My Topology:


Let’s take an Example:

  1. We will create a SSID “XYZ” and assign a non-routed VLAN (99) or management VLAN to it.
  2. Now we have Groups of employees in our company “Production, Admin and Sales”.
  3. VLANs as per Roles.(Production – 13, Admin – 14, Sales – 17 )

Steps to Configuration:

  • Configure WLC
  • Configure ACS server
  • Verification

Configure WLC

We must configure the WLC so it can communicate with the RADIUS server in order to authenticate the clients.

  1. Configure ACS on WLC:

From the controller GUI, click Security> AuthenticationDVAACS2

  1. Create dynamic interface (for VLAN 13, 14 and 17)

Example for VLAN 13, same we have to do for VLAN 14 & 17

Controller GUI, in the Controller > Interfaces


  1. Create a WLAN and assign to a Non Routed VLAN or management interface

From the controller GUI, go to WLANs > Create New




Enable AAA override feature:


CLI Command to enable: config wlan aaa-override enable wlan-id

Configure ACS (RADIUS) Server

  • Configure Network Resources.

AAA Client (WLC management IP), Location, and device type

  • Configure User and Identity Store

Create Identity Group, Users and then assign users to Identity Groups(Production, Admin and Sales Users)

Create Identity Store Sequence

  • Define policy elements.

Custom Profile

End Station Filter

Create Authorization Profiles

  • Apply access policies.

Select EAP Method

Assign Auth. Profile as per identity

  1. Configure Network Resources.

First we will add the WLC as an AAA client on the RADIUS server so that the WLC can pass the user credentials to the RADIUS server.

Create a Location type:

From the ACS GUI, go to Network Resources > Network Device Groups > Location, and click Create


Crete Device Type:

Go to Network Resources > Network Device Groups > Device Type > Create


Add WLC as AAA client in ACS sever:

Go to Network Resources > Network Devices and AAA Clients. Put the WLC IP and shared secret (it must be same as in WLC)



  1. Configure User and Identity Store

Create Identity Group, Users and then assign users to Identity Groups:

In this post we will create three types of users (Production, Admin and Sales Users)

For Identity Groups:

Go to Users and Identity Stores > Identity Groups > Create

For Users:

Go to Users and Identity Stores > Internal Identity Stores > Users > Create


Create Identity Store Sequence:

As we don’t need it in this post (only internal user option will also work)

Go to Users and Identity Stores > Identity Stores Sequences > Create


  1. Define policy elements.

Custom Profile

Create a Custom SSID Profile or create an END STATION filter (we will use only one method from this and that will be CUSTOM SSID)

Go to Policy Elements > Custom> Create

Enter the Name (MySSID), choose Dictionary as RADIUS-IETF and Attribute as Called-Station-ID.


End Station Filter:

Go to Policy Elements> Network Conditions>End Station Filter>Create

*** We will not use this in this post



Create Authorization Profiles:

Go to Policy Elements > Authorization and Permissions > Network Access > Authorization Profiles > Create.

IN this post we are using vlan 13, 14 and 17 so we need three Auth Profiles.

Two ways to do: Either under Common Tasks or under RADIUS Attributes:

Both ways are shown here.



So in end auth profile will look like this:


  1. Access Policies

We are using Radius Authentication we have to use Default Network Access.


Select which EAP method we would like the wireless Clients to Authenticate. In this post we will use EAP-FAST or PEAP.


Select Identity under Default Network Access as “MyLab” which we created earlier.


Configure Authorization Rules:

Go to Access Policies > Access Services > Default Network Access > Authorization.

We can customize under what conditions we will allow user access to the network and what authorization profile (attributes) we will pass once authenticated. In this post, we selected Location, SSID, Device Type, and Identity Group.



Production User must go in vlan 13.


Sales User must go in vlan 17.


Admin User must go in vlan 14.

DVAACS25Logs from ACS:


Thats all 🙂



Configuration Client Link

In this post we wills learn about Client Link (Beam forming).

As we all know that 802.11n provides remarkable performance improvements in the areas of throughput, link reliability, and predictability. The transition to 802.11n provides significant benefits, but most organizations will take a phased approach to migration.

In the coming days/month/Year, many installations can be expected to support a mix of older 802.11a/g clients and newer 802.11n clients. The reasons that older clients will continue to operate for some time is that it takes few years for a full refresh cycle of enterprise laptops. And certain industries such as manufacturing and healthcare can take even longer to replace their devices.

In mixed environments, older 802.11a/g clients delay communications for 802.11n clients and reduce system performance. That’s y Cisco has developed a new technology that allows businesses to deliver the performance benefits of 802.11n to 802.11a/g devices, thereby increasing their useful life.

Client-Link is a spatial-filtering mechanism used at a transmitter to improve the received signal power or signal-to-noise (SNR) ratio at an intended receiver (client). Cisco Client-Link ensures our mixed 802.11a/g and 802.11n devices operate at the best possible data rates on our wireless networks.

Cisco Aironet 1140, 1250, 1260, 1600, 2600, 2700, 3500 and 3600 series access points support Client-Link.

To know more:  The New Generation of Cisco Aironet Access Points


Client-Link uses multiple transmit antennas to focus transmissions in the direction of an 802.11a or 802.11g client, which increases the downlink SNR and the data rate to the client, reduces coverage holes, and enhances overall system performance. Client-Link works with all existing 802.11a and 802.11g clients.

Remembering Points:

  1. Client-Link starts only when the signal from the client falls below these thresholds:
    • 11a clients—RSSI of –60 dBm or weaker
    • 11g clients—RSSI of –50 dBm or weaker
  2. 11b clients do not support Client-Link.
  3. The access point actively maintains Client-Link data for up to 15 clients per radio.
  4. Client-Link is supported only for legacy orthogonal frequency-division multiplexing (OFDM) data rates (6, 9, 12, 18, 24, 36, 48, and 54 Mbps).
  5. Client-Link is not supported for complementary code keying (CCK) data rates (1, 2, 5.5, and 11 Mbps).
  6. Only access points that support 802.11n can use Client-Link.
  7. Two or more antennas must be enabled for transmission.
  8. OFDM data rates must be enabled.
  9. Client-Link must be enabled.

Configure Client-Link

Via GUI:

Login to WLC GUI

Go to Wireless > 802.11a/n or 802.11b/g/n > Network

Select the Client-Link check box to globally enable Client-Link on 802.11a or 802.11g network.

Click Apply to commit changes.

The default value is disabled.

See the screenshot:


To override the global configuration and enable or disable Client-Link for a specific AP as follows (My AP doesn’t support this so cant paste the screenshot):

Choose Wireless > Access Points > Radios > 802.11a/n or 802.11b/g/n

Under the 11n Parameters section, select the Client-Link check box to enable Client-Link for this AP.

Via CLI:

Globally enable or disable ClientLink on your 802.11a or 802.11g network by entering this command:

config {802.11a | 802.11b} beamforming global {enable | disable}

Override the global configuration and enable or disable ClientLink for a specific access point by entering this command:

config {802.11a | 802.11b} beamforming ap Cisco_AP {enable | disable}


(WLAN1) >show 802.11a
 802.11a Network.................................. Enabled
 Beacon Interval.................................. 100
 CF Pollable mandatory............................ Disabled
 CF Poll Request mandatory........................ Disabled
 CFP Period....................................... 4
 CFP Maximum Duration............................. 60
 Default Channel.................................. 36
 Default Tx Power Level........................... 1
 DTPC  Status..................................... Enabled
 Fragmentation Threshold.......................... 2346
 TI Threshold..................................... -50
 Legacy Tx Beamforming setting.................... Enabled
 Traffic Stream Metrics Status.................... Disabled
 Expedited BW Request Status...................... Disabled
 World Mode....................................... Enabled
 EDCA profile type................................ default-wmm

Configure Coverage Hole Detection

In this post we will learn about CHD @RRM

Coverage holes are areas where clients can’t receive a signal from the wireless network. If clients on an AP are detected at low received signal strength indicator levels, Cisco lightweight APs send a coverage hole alarm to the cisco WCS/NCS or PI.

The RRM coverage hole detection algorithm can detect areas of radio coverage in a wireless LAN that are below the level needed for robust radio performance. This feature can alert us to the need for an additional (or relocation) lightweight access point.

If clients on a lightweight access point are detected at threshold levels lower than those specified in the RRM configuration, the access point sends a “coverage hole” alert to the controller. The alert indicates the existence of an area where clients are continually experiencing poor signal coverage, without having a viable access point to which to roam.

The controller uses the quality of client signal levels reported by the APs to determine if the power level of that AP needs to be increased. Coverage hole detection is controller independent, so the RF group leader is not involved in those calculations. The controller knows how many clients are associated with a particular AP and what the signal-to-noise ratio (SNR) values are for each client.

If a client SNR drops below the configured threshold value on the controller, the AP increases its power level to try to compensate for the client. The SNR threshold is based on the transmit power of the AP and the coverage profile settings on the controller.

The controller uses the following equation for detecting a coverage hole:

Client SNR Cutoff Value (ldB|) = [AP Transmit Power (dBm) – Constant (17 dBm) -Coverage Profile (dB)]

Depending on the number of clients that are at or below this value for longer than 60 seconds, coverage hole correction might be triggered, and the AP could increase its power level to try to remove the SNR violation.

If the AP is already at power level 1, it cannot increase the power any further, and clients at the edge of the cell coverage suffer a performance hit or disassociate altogether if the signal gets weak enough.

Aside from a real coverage hole, a client with a poor roaming logic might not roam to another AP as expected and be “sticky.” A sticky client can remain associated with an AP until the SNR is very low and triggers a false coverage hole detection.

The coverage hole algorithm also allows the network to heal itself if an AP fails. When a neighbor AP is lost, it increases the power of nearby APs as needed to compensate. Again, the increase in power for an AP is a gradual process, increasing the power one level at a time.

Configure Coverage Hole Detection

Login to WLC GUI, go to Wireless > 802.11a/n or 802.11b/g/n > RRM > Coverage


Enable Coverage Hole Detection check box to enable coverage hole detection, or unselect it to disable this feature.

Data/Voice RSSI text box, enter the minimum receive signal strength indication (RSSI) (It must be between -60 to -90 dBm and can be different for voice and data) value for data/voice packets received by the access point. The value that we enter is used to identify coverage holes within our network.

Min Failed Client Count per AP text box, the minimum number of clients on an access point with an RSSI value at or below the data or voice RSSI threshold. The range can be from 1 to 75, and default value is 3.

Coverage Exception Level per AP text box, the percentage of clients on an access point that are experiencing a low signal level but cannot roam to another access point. The range is 0 to 100%, and default value is 25%.

Note: Coverage hole detection is no longer a global setting and can be enabled or disabled on a per-WLAN basis: Coverage hole detection is enabled by default on the WLAN. One of the reasons we might want to disable this is because if we know a device is going to roam, it is advised that we enable the wireless on the device so that it can assist in finding coverage holes. Conversely, if several devices are stationary and have wireless as a backup, it would be advisable to disable this because we know the devices are not going to move and will not be able to provide intelligent information to help the coverage hole detection algorithm with its calculations.

Enable/Disable Coverage Hole Detection per WLAN basis: WLC software release 5.2 or later, we can disable coverage hole detection on a per-WLAN basis

Coverage hole detection is enabled by default on the WLAN.


Configure Dynamic Channel Assignment

In this post we will learn about DCA and it’s a really cool feature of RRM.

DCA is managed by RF Group Leader (How to define RF leader, we saw in one of my last post)

DCA used to determine the optimal AP channel based on these parameters.

Load: Percentage of time spent transmitting 802.11 frames

Noise: Measurement of non-802.11 signals on every serviced channel

Interference: Percentage of radio time used by neighbor 802.11 transmissions

Signal strength: Received signal strength indication (RSSI) measurement of the received neighbor messages

These values are then used by the Group Leader to determine if another channel schema will result in at least a bettering of the worst performing AP by 5dB (SNR) or in other words: Based on these metrics, if the worst performing AP will benefit by at least 5 dB or more, a channel change will take place. The decision to change the channel of an AP is also weighted to prevent a mass change within the RF group. We would not want to have a single AP change channel and have that change result in 20 other APs having to change their channel. The controller also takes into account how heavily an AP is used. A less utilized AP is more likely to have a channel change instead of a heavily used neighbor (isn’t it an interesting feature?). This helps mitigate client disassociations during a DCA event because a radio channel change disconnects all associated clients.

***Note: When an AP first boots up out the box, it transmits on channel 1 on the 802.11b/g radio and channel 36 for the 802.11a radio. The channels change according to any DCA adjustments if necessary. If a reboot occurs, the APs remain on the same channel they were using before the reboot until a DCA event occurs. If an AP is on channel 152 and reboots, it will continue to use channel 152 when it comes back up.

***Note: Radios using 40-MHz channels in the 2.4-GHz band or or 80MHz channels are not supported by DCA.

The RRM startup mode is invoked in the following conditions:

  • In a single-controller environment, the RRM startup mode is invoked after the controller is rebooted.
  • In a multiple-controller environment, the RRM startup mode is invoked after an RF Group leader is elected.

Configure DCA:

***We must disable 802.11a and b radio before changing the config. for DCA and then enable it again. Simplest way to enable/disable the radio is via CLI:

(WLAN1) >config 802.11a disable network
(WLAN1) >config 802.11a enable network

Go to Wireless > 802.11a/n or 802.11b/g/n > RRM > DCA



There is three type of Channel Assignment Method.

Channel Assignment Mode:

  • Automatic: This mode will cause the controller to periodically evaluate and, if necessary, update the channel assignment for all joined access points.
  • Freeze: It will Causes the controller to evaluate and update the channel assignment for all joined access points, but only when we click Invoke Channel Update Once.
  • OFF: Turns off DCA and sets all access point radios to the first channel of the band.

Avoid Foreign AP Interference:  It detect foreign AP and take into consideration while changing the channel.

Avoid Cisco AP Load: When its enabled then the AP load is taken into account before result in which AP will change the channel (least loaded AP will change the channel first.

Avoid Non-802.11a (802.11b) Noise: It cause the controller’s RRM algorithms to consider noise (non-802.11 traffic) in the channel when assigning channels to lightweight access points.

Avoid Persistent Non-Wi-Fi Interference:  Its enable the controller to ignore or avoid from persistent non-Wi-Fi interference.

Channel Assignment Leader: The IP address of the RF group leader, which is fully responsible for channel assignment.

Last Auto Channel Assignment: The last time RRM evaluated the current channel assignments.

DCA Channel Sensitivity: We have 3 levels (Low, Medium and High)

Channel Width:  depends on the 802.11a or b radios:  5GHz select 40MHz. In 2.4 GHz it will be 20MHz.

Avoid check for non-DFS channel: Enabled then the controller avoid checks for non-DFS channels. (Apply only for outdoor APs)

DCA Channel List: This option shows the selected channel on this radio.


Dont forget to enable both radios after changing the parameter in this section by using these commands 🙂

Office Extend AP

In this post we will learn how to setup an Office extend AP. In my example I am using the normal AP (2600 series).

Basic Info:

As its name indicates, it “extends” our wireless network to a remote home office. It provides to remote home workers with the same type of enterprise access they’d get within the corporate office.

Cisco has specific APs for this use and that’s oEAP600:

The Aironet 600 is a simultaneous dual-band access point providing both 2.4 and 5 Ghz radios. Hooks noted that by having a simultaneous radio, one can be used for personal use, while the other can be dedicated for corporate access, using separate SSIDs.

Cisco has released special Access Point series (OEAP 600 series) have 4 LAN ports. One port is for Remote-LAN, other 3 ports are for local LAN connectivity. For the corporate WLAN extended, max of 3 WLAN can be extended & max of 15 clients can be joined. Configuration wise OEAP is only requires WLC IP to be pre-configured.

OEAP tunnels back to a Cisco WLC with an IPsec VPN tunnel. One more interesting is it keeps enterprise access and authentication extended across the VPN without the need for any addition configuration.  OfficeExtend AP requires an internal Cisco Wireless LAN Controller.

As per Cisco best practices and proper security we need 2 WLCs (DMZ & Internal). 2nd WLC is normally placed into DMZ and must have a NAT address assigned to it with ports UDP 5246 and 5247 open to it.

We just need to prepare the AP with the public address set on the WLC and connect to our Fritzbox or DSL router. Once the AP comes up then we can use our corporate networks with all of their security requirements, without any VPN connection.

Remembering Points:

  1. Before connection to Frtiz box or DSL router it must be primed with WLC IP.
  2. Then connect the AP to Fritz box / DSL router and gets an IP address, joins to primed controller and it creates encrypted DTLS tunnel. Then we can use the all SSID which we normally used in our Office.
  3. We must enable the NAT on our WLC with correct IP address by using this command:
config network ap-discovery nat-ip-only enable


Configuration Guide:

I am using the 2600 series AP (At the moment CCIE LAB don’t have OEAP600 series)

In my case first I joined the AP to WLC as local mode. Once it’s connected we must have to change to Flexconnect/HREAP mode.

Wireless > All APs, select specific AP which we want to convert then go under General tab, select FlexConnect mode, click Apply. After that it will reboot.


Once it will come up as Flexconnect mode, we can see that there is one more tab “FlexConnect”.

Now to convert it to OEAP mode we must check Enable OfficeExtend AP box.


Just after selecting the box we can see that there are two prompts:

  1. Do you want to enable encryption –> Select OK
  1. Do you want to disable Rouge Detection –> Select OK

***If we choose the encryption enable then all traffic will be encrypted. (DTLS)

In my case I don’t have right license for DTLS so can’t encrypt this Tunnel.

Then click on Apply.

Now try to reach OEAP over web access: https://<ip address of AP>

It will ask about the username and password. After successful authentication of user, this page will appear:


Click on Enter


We can also create a Personal SSID. Traffic from this SSID will not go through DTLS tunnel.

Configuration > Check the Personal SSID box, enter the details and click Apply.


If want then we can also broadcast the specific WLANs from HQ to this by creating AP groups otherwise by default it will be default-group.

Other Info:

By default, the WLC will only respond with the NAT IP address during AP Discovery when NAT is enabled. If APs exist on the inside and outside of the NAT gateway, issue this command in order to set the WLC to respond with both the NAT IP address and Non-NAT (inside) Management IP address:

config network ap-discovery nat-ip-only disable

More info then please visit: OEAP Conifg Guide

Wired Guest Access with two WLC

In this post we will learn how to implement wired guest access with only two WLC.

DMZ and Internal WLC Scenario:

Here is my Topology:


Foreign WLC Configuration:

  1. Configure a dynamic interface (in my case: wiredguestin) for wired guest user access on foreign WLC.
  2. Create a WLAN and assign the Ingess interface to wiredguestin(created in last step) and egress interface to management.
  3. Assign Mobility anchor to WLAN.

Foreign WLC:

Step1: Create a wired interface on WLC2:


Step2: WLAN creation on WLC2:


Step3: Assign the mobility anchor for right WLAN:



Anchor WLC Configuration:

  1. Configure a normal dynamic interface(In my cast it is guest) in which we want to assign to have IP for guest.( already created )
  2. Create a wired LAN for guest user access.
  3. Assign the mobility anchor to self(Means local)
  4. Create a test users locally on WLC
  5. Verification

Anchor WLC (WLC1):

I have already created a guest interface on my WLC to have internet access.

Step1: Skip

Step2: Create a WLAN (Same as we did on WLC2-Foreign WLC). Make sure that here we assign the interface in which we want to put clients (In my case its guest)

Assign Ingress interface as None and Egress as guest


Step3: Assign Mobility anchor to self (Means local 🙂


Step4: Local guest user creation



Foreign WLC (WLC2):


Anchor WLC (WLC1):





Wired Guest Access Solution with Single WLC

In this post we will learn how to implement wired guest access with only one WLC.

A single WLAN controller (VLAN Translation mode) – the access switch trunks the wired guest traffic in the guest VLAN to the WLAN controller that provides the wired guest access solution. This controller carries out the VLAN translation from the ingress wired guest VLAN to the egress VLAN.

Here is my Topology:


To provide the wired guest access, the ports in the Layer 2 access layer switch must be configured on the guest VLAN. The guest VLAN must be separate from any other VLANs that are configured on this switch. The guest VLAN traffic is trunked to the nearest WLAN local controller.

Switch Configuration:

interface FastEthernet0/10
description *** Wired Guest Access *** --> PC connected here
switchport access vlan 999
switchport mode access
interface range GigabitEthernet1/5-6
description *** WLC1 ***
switchport trunk encapsulation dot1q
switchport trunk native vlan 10
switchport trunk allowed vlan 10,17,999
switchport mode trunk
Channel-group 1 mode on

So let’s see the complete process. Mainly we need 5 steps to Configuring Wired Guest Access:

  1. Configure a dynamic interface (VLAN) for wired guest user access.(Ingress)
  2. Configure a normal dynamic interface in which we want to assign IP to guest.(Egress)
  3. Create a wired LAN for guest user access.
  4. Create a test users locally on WLC
  5. Verification

Step1: Configure a dynamic interface for wired Guest user access (Ingress)

We don’t need any IP and gateway for this VLAN on switch or anywhere.

On WLC1, create a dynamic interface VLAN999.

Go to Controller > Interfaces

In the interface configuration page, check the “Guest LAN” box. As soon as we check this box, fields such as IP address or gateway disappear. The only thing your WLC needs to know about this interface is that “there will be client traffic coming from VLAN 999.


Step2: Configure a normal dynamic interface in which we want to assign IP to guest. (Egress)

Create another dynamic interface where the wired guest clients receive an IP address.

In this example we have VLAN 17 for clients to get IP address named as guest.


Step3: Create a wired LAN for guest user access.

Add a new WLAN: Type must be “Guest LAN

WLAN > WLANs, and then Create New WLAN.

Enable the WLAN; map the ingress interface to the “vlan999” created in Step 1, and the egress interface to guest interface created in Step 2.




***Remember that Layer2 security is not supported in Wired LANs.


Then we will select layer 3 web authentications.


Here I am using Customized web auth.

Step 4: Create a local test user to testing.

Security > AAA > Local Net Users


That’s it for the configuration.

Step 5: Verification

Testing time:

Now we should connect a Laptop/PC to port Fa0/10 which is in VLAN 999 and see what happens there. I got the IP in VLAN17 (Guest interface):

If you have correct DNS resolution then a pop webpage will appear otherwise we have to manually open our WLC virtual interface ( There we have to use the credential created in Step 4.