AAA Override on Anchored WLANs
Hi,
Is it possible to create an anchored WLAN using 802.1x and use AAA override to dynamically change the VLAN clients are put in on the anchor WLC?
I am assuming not but can't hurt to ask!
Thanks,
No :) The reason is that the foreign WLC does the encryption/decryption, so it would have to be done there, without an anchor. You wouldn't be able to change the VLAN ID from an anchor WLC.
Sent from Cisco Technical Support iPhone App
Similar Messages
-
AAA Override - QOS above what's set on WLAN
Hey guys, I think I already know the answer but thought I'd run this by the community. I'm working on configuring a PEAP-secured WLAN that will be shared by our data and VoIP wireless. Right now the WLAN's QoS is set at Silver and I'm using AAA Override to put the Cisco 7925s on our VoIP interface and set the QoS level to Platinum. The problem is that I'm getting tons of the following errors:
VoIP Call Failure: '44:2b:03:xx:xx:xx' client, detected by 'xxxxxxx' AP on radio type '802.11a'. Reason: 'Call failed: TSPEC QOS Policy does not match'.
If I change this WLAN's QOS to Platinum the error goes away. My thought is that I may have to configure the default QOS to Platinum and override all other devices to Silver - I'd rather not do this as more devices are affected by that change. If anyone knows or has run into something that I might be missing I'd be happy to listen to any suggestions.
Thanks all!
Well, whatever you set the WLAN QoS level to, that is the highest allowed on the WLAN. You can't mark WMM higher, but you can limit it. So set your QoS level to Platinum and make sure you drop the QoS value on non-voice clients to Bronze.
Sent from Cisco Technical Support iPhone App
-
Hi,
I need a solution for that scenario:
- one SSID
- AP is HREAP-capable
- Authentication via EAP-TLS with radius server
Depending on the RADIUS feedback (AAA override), the client should work in an HREAP VLAN or over the WLC.
I only found a fixed configuration for
SSID <--> HREAP-VLAN.
Thanks
I don't think such a scenario is possible. The RADIUS server can be used to dictate which WLAN the wireless user will use, but cannot dictate whether the user will use HREAP mode or normal mode. That configuration needs to be done on the controller on a per-SSID basis.
-
Hi!
The current design of the network requires the following:
All branches must have a single corporate SSID. Users in a branch must be split by function into different VLANs.
The corporate SSID must be locally switched.
Does FlexConnect with AAA override have the ability to map one SSID to multiple VLANs?
I can't get confirmation of this from the documentation. All examples explain how to map a single SSID
to a single VLAN.
Thanks for answers!
Yes, you can use AAA Override to assign the VLAN in FlexConnect mode. Below is a link to the configuration guide.
http://www.cisco.com/en/US/docs/wireless/controller/7.3/configuration/guide/b_wlc-cg_chapter_01110.html#d174972e3765a1635
HTH,
Steve
Please remember to rate useful posts, and mark questions as answered
-
hi,
I am trying to setup a guest WLAN using a local controller and a controller in my DMZ using the mobility-anchor configuration.
Ideally I'd like to use an external DHCP server in my DMZ, but for now, I'd be happy getting the local DHCP server on the DMZ controller working.
Local Controller config
Configured mobility-groups, verified mobility group is working
Created WLAN called "guest" - assigned it to the management interface.
Have tried the following with regards to DHCP on this WLAN.
Set it to "override" and specified the DMZ controller's management interface
Set DHCP to "assignment required" and specified the DMZ controller's management interface for the DHCP server for the local controller's management interface
Left DHCP server blank on the local controller's management interface
Setup the DMZ controller as the mobility anchor for the "guest" WLAN
DMZ controller config
Configured mobility-groups, verified mobility group is working
Created WLAN called "guest"
Created a dynamic interface called "guest" associated to the "guest" WLAN
Setup mobility anchor for the "guest" interface, mobility-anchor = local controller
Created an internal DHCP server scope and enabled it
Have tried the following with regards to DHCP on the "guest" WLAN
Set DHCP to "assignment required" and specified the IP address of the controllers management interface as the DHCP server on the "guest" dynamic interface
Set DHCP to "assignment required" and specified the IP address of the controllers "guest" dynamic interface as the DHCP server on the "guest" dynamic interface
Set DHCP to "override" and specified the DMZ controller's management interface IP
Set DHCP to "override" and specified the DMZ controller's "guest" interface IP
After all this, my client still cannot get an IP address via DHCP. I verified the client is associating to the AP.
Any help would be appreciated.
Thanks
Lee
On the DMZ controller, what is the output of a debug client <mac address of the client>? You may also want to capture debug mobility handoff enable from both WLCs.
For the guest, the DHCP is going to come from the DMZ controller, so there is no real need to configure anything on the internal WLC. One thing of note: the WLAN config on both the DMZ and internal must match exactly, with the exception of the linked interface, otherwise you will not anchor.
While running the debug, show dhcp proxy; for the WLC to be the DHCP server, proxy needs to be enabled.
-
WLC 5508: 802.1x AAA override; authentication succeeds, no dynamic VLAN assignment
WLC 5508: software version 7.0.98.0
Windows 7 Client
Radius Server: Fedora Core 13 / Freeradius with LDAP storage backend
I have followed the guide at http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml with respect to building the LDAP and FreeRADIUS server. 802.1x authorization and authentication work correctly. The session keys are returned from the RADIUS server and the WLC sends the appropriate information for the client to generate the WEP key.
However, the WLC does not override the VLAN assignment, even though I believe I set everything up correctly. From the packet capture, you can see that the verification that the client is authorized to use the WLAN returns the needed attributes:
AVP: l=4 t=Tunnel-Private-Group-Id(81): 10
AVP: l=6 t=Tunnel-Medium-Type(65): IEEE-802(6)
AVP: l=6 t=Tunnel-Type(64): VLAN(13)
I attached a packet capture and WLC config; any guidance toward the attributes that may be missing or not set correctly in the config would be most appreciated.
Yes, good catch, so I had one setting left off in FreeRADIUS that allowed the inner reply attributes back into the outer tunneled accept. I wrote up a medium-high-level config for any future viewers of this thread:
The following was tested and verified on a Fedora 13 installation. This is a minimal setup, not meant for a "live" network (security issues with cleartext passwords, LDAP not indexed properly for performance).
Install Packages
1. Install needed packages.
yum install openldap*
yum install freeradius*
2. Set the services to automatically start of system startup
chkconfig --level 2345 slapd on
chkconfig --level 2345 radiusd on
Configure and start LDAP
1. Copy the needed LDAP schema for RADIUS. Your path may vary a bit
cp /usr/share/doc/freeradius*/examples/openldap.schema /etc/openldap/schema/radius.schema
2. Create an admin password for slapd. Record this hash for later use when configuring the slapd.conf file
slappasswd
3. Add the ldap user and group if they don't exist. Depending on the install RPM, they may have been created already
useradd ldap
groupadd ldap
4. Create the directory and assign permissions for the database files
mkdir /var/lib/ldap
chmod 700 /var/lib/ldap
chown ldap:ldap /var/lib/ldap
5. Edit the slapd.conf file.
cd /etc/openldap
vi slapd.conf
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#Default needed schemas
include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/duaconf.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/java.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/ppolicy.schema
include /etc/openldap/schema/collective.schema
#Radius include
include /etc/openldap/schema/radius.schema
#Samba include
#include /etc/openldap/schema/samba.schema
# Allow LDAPv2 client connections. This is NOT the default.
allow bind_v2
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
# ldbm and/or bdb database definitions
#Use the berkely database
database bdb
#dn suffix, domain components read in order
suffix "dc=cisco,dc=com"
checkpoint 1024 15
#root container node defined
rootdn "cn=Manager,dc=cisco,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# rootpw secret
# Hash produced by slappasswd in step 2 (one line, no whitespace)
rootpw {SSHA}cVV/4zKquR4IraFEU7NTG/PIESw8l4JI
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools. (chown ldap:ldap)
# Mode 700 recommended.
directory /var/lib/ldap
# Indices to maintain for this database
index objectClass eq,pres
index uid,memberUid eq,pres,sub
# enable monitoring
database monitor
# allow only rootdn to read the monitor
access to *
        by dn.exact="cn=Manager,dc=cisco,dc=com" read
        by * none
6. Remove the slapd.d directory
cd /etc/openldap
rm -rf slapd.d
7. Hopefully, if everything is correct, you should be able to start up slapd with no problem
service slapd start
8. Create the initial database in a text file called /tmp/initial.ldif (entries are separated by a blank line)
dn: dc=cisco,dc=com
objectClass: dcObject
objectClass: organization
o: cisco
dc: cisco

dn: ou=people,dc=cisco,dc=com
objectClass: organizationalUnit
ou: people
description: people

dn: uid=jonatstr,ou=people,dc=cisco,dc=com
objectClass: top
objectClass: radiusprofile
objectClass: inetOrgPerson
cn: jonatstr
sn: jonatstr
uid: jonatstr
description: user Jonathan Strickland
radiusTunnelType: VLAN
radiusTunnelMediumType: 802
radiusTunnelPrivateGroupId: 10
userPassword: ggsg
9. Add the file to the database
ldapadd -x -h localhost -W -D "cn=Manager,dc=cisco,dc=com" -f /tmp/initial.ldif
10. Issue a basic query to the LDAP DB to make sure that we can request and receive results back
ldapsearch -x -h localhost -W -D "cn=Manager,dc=cisco,dc=com" -b "dc=cisco,dc=com" -s sub "(objectClass=*)"
Configure and Start FreeRadius
1. Configure ldap.attrmap, if needed. This step is only needed if we need to map and pass attributes back to the authenticator (dynamic VLAN assignment, for example). Below is an example for dynamic VLAN assignment
cd /etc/raddb
vi ldap.attrmap
For dynamic VLAN assignment, verify the following lines exist:
replyItem Tunnel-Type radiusTunnelType
replyItem Tunnel-Medium-Type radiusTunnelMediumType
replyItem Tunnel-Private-Group-Id radiusTunnelPrivateGroupId
Since we are planning to use userPassword, we will let the mschap module perform the NT translations for us. Add the following line to check the LDAP object for userPassword and store it as Cleartext-Password:
checkItem Cleartext-Password userPassword
2. Configure eap.conf. The following sections and attributes should be verified. You may change other attributes as needed; they are just not covered in this document.
eap {
        default_eap_type = peap
        ...
        tls {
                # Not covered in detail here, as it is beyond the scope of setting up freeradius.
                # The defaults will work, as freeradius ships with generated self-signed certificates.
                ...
        }
        peap {
                default_eap_type = mschapv2
                # You will have to set this to allow the inner TLS tunnel's attributes into the final accept message
                use_tunneled_reply = yes
                ...
        }
}
3. Change the authentication and authorization modules and order.
cd /etc/raddb/sites-enabled
vi default
For the authorize section, uncomment the ldap module.
For the authenticate section, uncomment the ldap module.
vi inner-tunnel
Very important: for the authorize section, ensure the ldap module is first, before mschap. Thus authorize will look like:
authorize {
        ldap
        mschap
        ...
}
4. Configure the ldap module in /etc/raddb/modules/ldap (note the directive is identity, not identify)
cd /etc/raddb/modules
ldap {
        server = "localhost"
        identity = "cn=Manager,dc=cisco,dc=com"
        password = admin
        basedn = "dc=cisco,dc=com"
        base_filter = "(objectclass=radiusprofile)"
        access_attr = "uid"
        ...
}
5. Start up radius in debug mode on another console
radiusd -X
6. Run a basic PAP test against the local server (user jonatstr / password ggsg from the LDIF above, NAS port 12, shared secret testing123)
radtest jonatstr ggsg localhost 12 testing123
You should get an Access-Accept back
7. Now to perform an EAP-PEAP test. This will require a wpa_supplicant test utility called eapol_test
First install the OpenSSL development libraries and gcc, required to compile
yum install openssl*
yum install gcc
wget http://hostap.epitest.fi/releases/wpa_supplicant-0.6.10.tar.gz
tar xvf wpa_supplicant-0.6.10.tar.gz
cd wpa_supplicant-0.6.10/wpa_supplicant
vi defconfig
Uncomment CONFIG_EAPOL_TEST=y and save/exit
cp defconfig .config
make eapol_test
cp eapol_test /usr/local/bin
chmod 755 /usr/local/bin/eapol_test
8. Create a test config file named eapol_test.conf.peap
network={
        eap=PEAP
        eapol_flags=0
        key_mgmt=IEEE8021X
        identity="jonatstr"
        password="ggsg"
        # If you want to verify the server certificate, the line below is needed
        #ca_cert="/root/ca.pem"
        phase2="auth=MSCHAPV2"
}
9. Run the test
eapol_test -c ~/eapol_test.conf.peap -a 127.0.0.1 -p 1812 -s testing123
-
Override centrally switched WLAN
Hello.
I need some advice on configuring a guest access for several remote sites on a 5508 WLC.
I set up a guest WLAN which is centrally switched and authenticated. That works fine for the main location and most of the remote sites. My problem is now, that for some ( but not all ) remote sites, this WLAN has to be locally switched because of a different law situation. The access points in the remote sites are already configured as FlexConnect access points.
Is there a way to override the central switching for some remote sites?
Thanks in advance!
Sven
Sven,
you can do this by configuring additional WLAN profiles which contain the same SSIDs as your existing ones, but use local switching instead of central switching. You should use WLAN IDs > 16 so that the new profiles are not in the default AP group, then create a new AP group, add your new profiles to it and add your APs.
Let us know if you need a more detailed how-to.
Regards
Stefan
-
Dear Team, I have a controller-based installation with 802.1x auth via ACS SE and AD. The controllers are running 4.2.173.0. 2 ACS SEs are configured. Since a few days ago we have seen problems with client authentication. The WLC log shows that the WLAN toggles between the 2 RADIUS servers:
84 Tue Dec 9 09:29:19 2008 RADIUS server xx.xx.xx.xx:1812 activated on WLAN 2
85 Tue Dec 9 09:29:19 2008 RADIUS server xx.xx.xx.yy:1812 deactivated on WLAN 2
86 Tue Dec 9 09:29:19 2008 RADIUS server xx.xx.xx.yy:1812 failed to respond to request (ID 148) for client <Client-MAC> / user 'unknown'
Does anyone know under which conditions (timeout etc.) the WLAN changes the RADIUS server? Since we don't run 5.x, we can't use the dedicated RADIUS fallback feature. Has anyone seen this problem? Regards, Michael
After working with TAC, I resolved this issue recently. Increasing the timeout value did not help. On the WLC, try:
config radius aggressive-failover disable
As per http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a0080665d18.shtml :
If the aggressive failover feature is enabled in the WLC, the WLC is too aggressive in marking the AAA server as not responding. But this should not be done, because the AAA server is possibly not responsive only to that particular client, if you do silent discard. It can respond to other valid clients with valid certificates. But the WLC can still mark the AAA server as not responding and not functional.
In order to overcome this, disable the aggressive failover feature. Issue the config radius aggressive-failover disable command from the controller GUI in order to perform this. If this is disabled, then the controller only fails over to the next AAA server if there are three consecutive clients that fail to receive a response from the RADIUS server.
-
Controllers not re-directing client requests to ISE
Please find attached a simple BYOD/ISE document I uploaded to kick start my new wireless setup. It's all configured on my ISE server and controller as per the doc.
My setup:
3600 AP's
Internal 5508 Controller
DMZ 5508 Controller (acts as a DHCP server for wireless clients)
Controllers have established connectivity (mobility anchors); as a client I can connect fine to my new SSID, get a DHCP IP address back from the DMZ WLC and at the moment can connect out to the Internet fine (using no WLAN security as a test). So this part is working.
I have now followed the document configured ISE, enabled AAA on the Internal WLC only and used the AAA override setting on WLAN as in the attached document.
I connect to SSID expecting to be redirected to my ISE Guest Portal, nothing happens other than connecting to Internet WebPages.
My question is, if I have followed this document correctly, why is the internal WLC not redirecting client requests to ISE? Is this because my mobility anchors need to be reconfigured, or perhaps the AAA/ISE config needs to be applied to my DMZ WLC, not the internal WLC?
I would prefer the Internal WLC to redirect the login to ISE, doesn't make sense to traverse through the DMZ Firewall onto DMZ WLC back into the Internal Network again to the ISE to authenticate.
Or am I missing something in addition to this document to make sure clients are directed to the ISE guest portal login?
After you configure web authentication, if the feature does not work as expected, complete these troubleshooting steps:
Check if the client gets an IP address. If not, users can uncheck DHCP Required on the WLAN and give the wireless client a static IP address. This assumes association with the access point. Refer to the IP addressing issues section of Troubleshooting Client Issues in the Cisco Unified Wireless Network for troubleshooting DHCP related issues.
On WLC versions earlier than 3.2.150.10, you must manually enter https://1.1.1.1/login.html in order to navigate to the web authentication window.
The next step in the process is DNS resolution of the URL in the web browser. When a WLAN client connects to a WLAN configured for web authentication, the client obtains an IP address from the DHCP server. The user opens a web browser and enters a website address. The client then performs the DNS resolution to obtain the IP address of the website. Now, when the client tries to reach the website, the WLC intercepts the HTTP Get session of the client and redirects the user to the web authentication login page.
Therefore, ensure that the client is able to perform DNS resolution for the redirection to work. On Windows, choose Start > Run, enter CMD in order to open a command window, and do a "nslookup www.cisco.com" and see if the IP address comes back.
On Macs/Linux: open a terminal window and do a "nslookup www.cisco.com" and see if the IP address comes back.
If you believe the client is not getting DNS resolution, you can either:
Enter either the IP address of the URL (for example, http://www.cisco.com is http://198.133.219.25)
Try to directly reach the controller's webauth page with https:///login.html. Typically this is http://1.1.1.1/login.html.
Does entering this URL bring up the web page? If yes, it is most likely a DNS problem. It might also be a certificate problem. The controller, by default, uses a self-signed certificate and most web browsers warn against using them.
For web authentication using customized web page, ensure that the HTML code for the customized web page is appropriate.
You can download a sample Web Authentication script from Cisco Software Downloads. For example, for the 4400 controllers, choose Products > Wireless > Wireless LAN Controller > Standalone Controllers > Cisco 4400 Series Wireless LAN Controllers > Cisco 4404 Wireless LAN Controller > Software on Chassis > Wireless Lan Controller Web Authentication Bundle-1.0.1 and download the webauth_bundle.zip file.
These parameters are added to the URL when the user's Internet browser is redirected to the customized login page:
ap_mac—The MAC address of the access point to which the wireless user is associated.
switch_url—The URL of the controller to which the user credentials should be posted.
redirect—The URL to which the user is redirected after authentication is successful.
statusCode—The status code returned from the controller's web authentication server.
wlan—The WLAN SSID to which the wireless user is associated.
These are the available status codes:
Status Code 1: "You are already logged in. No further action is required on your part."
Status Code 2: "You are not configured to authenticate against web portal. No further action is required on your part."
Status Code 3: "The username specified cannot be used at this time. Perhaps the username is already logged into the system?"
Status Code 4: "You have been excluded."
Status Code 5: "The User Name and Password combination you have entered is invalid. Please try again."
All the files and pictures that need to appear on the Customized web page should be bundled into a .tar file before uploading to the WLC. Ensure that one of the files included in the tar bundle is login.html. You receive this error message if you do not include the login.html file:
Refer to the Guidelines for Customized Web Authentication section of Wireless LAN Controller Web Authentication Configuration Example for more information on how to create a customized web authentication window.
Note: Files that are large and files that have long names will result in an extraction error. It is recommended that pictures are in .jpg format.
Internet Explorer 6.0 SP1 or later is the browser recommended for the use of web authentication. Other browsers may or may not work.
Ensure that the Scripting option is not blocked on the client browser as the customized web page on the WLC is basically an HTML script. On IE 6.0, this is disabled by default for security purposes.
Note: The Pop Up blocker needs to be disabled on the browser if you have configured any Pop Up messages for the user.
Note: If you browse to an https site, redirection does not work. Refer to Cisco bug ID CSCar04580 (registered customers only) for more information.
If you have a host name configured for the virtual interface of the WLC, make sure that the DNS resolution is available for the host name of the virtual interface.
Note: Navigate to the Controller > Interfaces menu from the WLC GUI in order to assign a DNS hostname to the virtual interface.
Sometimes the firewall installed on the client computer blocks the web authentication login page. Disable the firewall before you try to access the login page. The firewall can be enabled again once the web authentication is completed.
Topology/solution firewall can be placed between the client and web-auth server, which depends on the network. As for each network design/solution implemented, the end user should make sure these ports are allowed on the network firewall.
Protocol                                      Port
HTTP/HTTPS traffic                            TCP port 80/443
CAPWAP data/control traffic                   UDP port 5247/5246
LWAPP data/control traffic (before rel 5.0)   UDP port 12222/12223
EoIP packets                                  IP protocol 97
Mobility                                      UDP port 16666 (non-secured), UDP port 16667 (secured IPsec tunnel)
For web authentication to occur, the client should first associate to the appropriate WLAN on the WLC. Navigate to the Monitor > Clients menu on the WLC GUI in order to see if the client is associated to the WLC. Check if the client has a valid IP address.
Disable the Proxy Settings on the client browser until web authentication is completed.
The default web authentication method is PAP. Ensure that PAP authentication is allowed on the RADIUS server for this to work. In order to check the status of client authentication, check the debugs and log messages from the RADIUS server. You can use the debug aaa all command on the WLC to view the debugs from the RADIUS server.
Update the hardware driver on the computer to the latest code from manufacturer's website.
Verify settings in the supplicant (program on laptop).
When you use the Windows Zero Config supplicant built into Windows:
Verify user has latest patches installed.
Run debugs on supplicant.
On the client, turn on the EAPOL (WPA+WPA2) and RASTLS logs from a command window, Start > Run > CMD:
netsh ras set tracing eapol enable
netsh ras set tracing rastls enable
In order to disable the logs, run the same command but replace enable with disable. For XP, all logs will be located in C:\Windows\tracing.
If you still have no login web page, collect and analyze this output from a single client:
debug client
debug dhcp message enable
debug aaa all enable
debug dot1x aaa enable
debug mobility handoff enable
If the issue is not resolved after you complete these steps, collect these debugs and use the TAC Service Request Tool (registered customers only) in order to open a Service Request.
debug pm ssh-appgw enable
debug pm ssh-tcp enable
debug pm rules enable
debug emweb server enable
debug pm ssh-engine enable packet
-
WLC, FlexConnect, ISE: Dynamic VLAN not working
Hi,
Not sure if this is a WLC or ISE problem, but since I am unsure of the WLC config I will try here first.
Equipment:
WiSM2 7.2.111.3
ISE 1.1.1.268
AP 3502 in FlexConnect
What I want to achieve:
One SSID, multiple VLANs
Devices get profiled in ISE and, based on the type of device, each gets assigned to a VLAN
Problem:
When the device connects the first time it ends up in the native VLAN and is not switched to the right VLAN, but when I reconnect it is added to the right VLAN.
WLC config (I know you like images so here you go):
I must be missing something but I can't figure out what. I will be attaching a debug aaa event enable for when the client connects the first time.
In ISE I have an Authorization Profile that just says VLAN ID/Tag 158 (the VLAN that the device should go to) and it is added to the authorization rule of the profiled device. CoA is set to Reauth.
When the client connects I get three events in ISE:
1.
Authentication failed :
22056 Subject not found in the applicable identity store(s)
2. Authentication Success. With the results:
UserName=00:18:DE:A2:BC:3A
User-Name=00-18-DE-A2-BC-3A
State=ReauthSession:c20e8b2f0000027e50ed27f8
Class=CACS:c20e8b2f0000027e50ed27f8:ISE01/144259326/671335
Termination-Action=RADIUS-Request
Tunnel-Type=(tag=1) VLAN
Tunnel-Medium-Type=(tag=1) 802
Tunnel-Private-Group-ID=(tag=1) 158
cisco-av-pair=profile-name=AX-Intel-Device
3.
Dynamic Authorization failed :
11213 No response received from Network Access Device
Has anyone got this to work? Do I need to add FlexConnect groups? If so then why?
Regards,
Philip
I think you're hitting CSCua58554
The bug toolkit description is horrible.... From what I recall when I ran into it, I believe that FlexConnect is having a problem with MAC-filtering-based AAA override on open WLANs (and/or CWA-based). In general, AAA override works fine when it comes from something like an EAP authentication.
We had to use a 7.3 ES to resolve it.....
Looks like it is implemented in 7.4 though..... If you don't want to join the 7.4 bandwagon quite yet, you might ask TAC for an ES of 7.3; I don't think they have a 7.2 build.
-
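The three attributes that every AAA-override post in this thread hinges on are Tunnel-Type (64), Tunnel-Medium-Type (65) and Tunnel-Private-Group-ID (81), seen once in untagged form in the FreeRADIUS packet capture earlier (l=6, l=6, l=4) and once with tag=1 in the ISE result above. The following Python is an added example written for this page, not code from Cisco, FreeRADIUS or ISE. It builds an Access-Accept carrying the triplet, verifies the Response Authenticator against the shared secret the way a NAS does, and extracts the VLAN while honouring RFC 2868 tag grouping, so a group ID under a different tag than its type/medium is correctly treated as no assignment. The Request Authenticator, packet identifiers and the secret testing123 are constructed sample values.

```python
"""Build, verify and parse a RADIUS Access-Accept carrying the dynamic-VLAN triplet
(RFC 2865 packet layout, RFC 2868 tunnel attributes). Added example, not vendor code."""
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE_802 = 13, 6   # the values a WLC expects


def tagged_int(tag, value):
    """Tagged integer: one tag byte (0x00 = untagged) + 3-byte big-endian value (RFC 2868)."""
    if not 0 <= tag <= 0x1F or not 0 <= value < 1 << 24:
        raise ValueError("tag must be 0..31 and value must fit in 24 bits")
    return bytes([tag]) + value.to_bytes(3, "big")


def tagged_str(tag, text):
    """Tunnel-Private-Group-ID: optional tag byte (0x01..0x1F) then the VLAN id or name."""
    data = text.encode("ascii")
    return bytes([tag]) + data if tag else data


def build_accept(ident, request_auth, secret, attrs):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body))
    return header + hashlib.md5(header + request_auth + body + secret).digest() + body


def verify_response(packet, request_auth, secret):
    """What the NAS does before trusting a reply; a mismatch is silently dropped (RFC 2865)."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    header, auth, body = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_auth + body + secret).digest()
    return hmac.compare_digest(auth, expected)


def parse_attrs(body):
    """Walk the TLV list, rejecting lengths that would run past the packet."""
    attrs, i = [], 0
    while i < len(body):
        if i + 2 > len(body) or body[i + 1] < 2 or i + body[i + 1] > len(body):
            raise ValueError("malformed attribute at offset %d" % i)
        attrs.append((body[i], body[i + 2:i + body[i + 1]]))
        i += body[i + 1]
    return attrs


def split_tag(atype, value):
    """Return (tag, payload). Integer tunnel attributes always carry a tag byte; the group id
    only when its first byte is 0x00..0x1F (a printable VLAN id never starts that low)."""
    if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
        if len(value) != 4:
            raise ValueError("tunnel integer attribute must be 4 bytes")
        return value[0], int.from_bytes(value[1:], "big")
    return (value[0], value[1:]) if value and value[0] <= 0x1F else (0, value)


def vlan_from_accept(packet, request_auth, secret):
    """VLAN the Accept assigns, or None if the triplet is absent or its tags do not agree.
    Raises ValueError if the Response Authenticator fails (wrong shared secret or tampering)."""
    if not verify_response(packet, request_auth, secret):
        raise ValueError("Response Authenticator mismatch: wrong shared secret or modified packet")
    if packet[0] != ACCESS_ACCEPT:
        return None
    groups = {}
    for atype, value in parse_attrs(packet[20:]):
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID):
            tag, payload = split_tag(atype, value)
            groups.setdefault(tag, {})[atype] = payload
    for tag in sorted(groups):   # attributes sharing a tag form one tunnel group (RFC 2868)
        g = groups[tag]
        if (g.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and g.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE_802
                and TUNNEL_PRIVATE_GROUP_ID in g):
            gid = g[TUNNEL_PRIVATE_GROUP_ID].decode("ascii", "replace")
            return int(gid) if gid.isdigit() else gid   # a VLAN name is also legal here
    return None


def triplet(tag, vlan):
    """The three attributes a WLC needs for AAA override, all under one tag (0 = untagged)."""
    return [(TUNNEL_TYPE, tagged_int(tag, TUNNEL_TYPE_VLAN)),
            (TUNNEL_MEDIUM_TYPE, tagged_int(tag, TUNNEL_MEDIUM_IEEE_802)),
            (TUNNEL_PRIVATE_GROUP_ID, tagged_str(tag, vlan))]


# Constructed sample inputs; the authenticator and secret are not from the thread's captures.
SAMPLE_REQ_AUTH = bytes(range(16))
SAMPLE_SECRET = b"testing123"
# Untagged triplet, the shape in the FreeRADIUS capture above (l=6 / l=6 / l=4, VLAN 10).
FREERADIUS_STYLE = build_accept(7, SAMPLE_REQ_AUTH, SAMPLE_SECRET, triplet(0, "10"))
# tag=1 triplet, the shape ISE returned in the FlexConnect thread (VLAN 158).
ISE_STYLE = build_accept(8, SAMPLE_REQ_AUTH, SAMPLE_SECRET, triplet(1, "158"))
# Group id under tag 2 while type/medium are under tag 1: no complete group, so no override.
MISMATCHED = build_accept(9, SAMPLE_REQ_AUTH, SAMPLE_SECRET,
                          triplet(1, "158")[:2] + [(TUNNEL_PRIVATE_GROUP_ID, tagged_str(2, "158"))])
```

vlan_from_accept(FREERADIUS_STYLE, ...) yields 10, the ISE-style packet yields 158, and the mismatched one yields None. The authenticator check is the part worth remembering when a controller log says a RADIUS server "failed to respond": a reply built with the wrong shared secret is not rejected with an error, it is simply dropped, so a secret typo looks exactly like a timeout.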
Mobility Anchor and AAA Overide VLAN Assignment
Hello,
I read some document 2 years ago that dynamic VLAN assignment was not possible with Anchored WLANs. Please I would like to know if this is now possible. The network setup would be as follows:
1. Foreign and Anchor WLC (5508) with single SSID for both guest and internal users
2. Cisco ISE 1.2 performing AAA override with VLAN tag based on AD group. Guest will go to VLAN for guest after web authentication.
Please, a speedy response would be helpful.
Hi grabonlee,
We have been running an anchor with VLAN override for our guest services. Works well. The VLAN needs to be defined on both the anchor and the foreign. We are running 7.6.120 code.
-
Layer 2 security with WLAN auto-anchor mobility
Hello,
I was wondering if Layer 2 security can be used with auto-anchored WLANs.
I need to deploy two new isolated WLANs which will terminate in two DMZ environments.
I was hoping to use the existing WCS-managed infrastructure with 4404 and 4402 WLCs and just throw on a couple more WLANs.
However, I've built a little test environment and while I can get the new VLAN traffic tunneled and originating from the correct anchor controller with no Layer 2 security, as soon as I turn on WEP or WPA security options it stops working. I can't find anything in documents or this forum to show auto-anchor mobility with anything other than unsecured guest WLANs.
Am I trying to do something unsupported or is it just an error on my part?
Hi Greg,
no, the users are internal so I only want to use L2 security. I can't see that L3 should be a problem to add on though. I'm using 3.2.x of the WLC code - so there is no "Guest LAN" mode - I was playing with the new versions and it looks like L2 security is disabled in that mode?
If you want to see how I got my bit working I would be happy to share my doco when I'm done.
regards,
Aaron
-
AP group vs WLAN override interface priority
Hi,
SW version 4.2.207.0
Which interface(VLAN ID) of SSID has priority while AP is configured with WLAN override?
One configured in AP group or one configured in WLAN SSID.
Example:
LAP1 is in AP group with SSID1 to interface VLAN2 mapping
WLAN SSID1 has mapping to interface VLAN3
LAP1 has WLAN override enable for SSID1.
Clients connected to LAP1 will be in VLAN2 or VLAN3?
Thanks for clarifying.
Clients will be connecting to VLAN3. WLAN override controls which WLANs need to be enabled/broadcast on a specific AP, while an AP group overrides WLAN-to-VLAN mappings.
http://www.cisco.com/en/US/docs/wireless/controller/4.2/configuration/guide/c42wlan.html#wp1127323
Configuring WLAN Override
By default, access points transmit all defined WLANs on the controller. However, you can use the WLAN override option to select which WLANs are transmitted and which are not on a per access point basis. For example, you can use WLAN override to control where in the network the guest WLAN is transmitted, or you can use it to disable a specific WLAN in a certain area of the network.
Configuring Access Point Groups
In a typical deployment, all users on a WLAN are mapped to a single interface on the controller. Therefore, all users associated with that WLAN are on the same subnet or VLAN. However, you can override this default WLAN setting to distribute the load among several interfaces or to group users based on specific criteria such as individual departments (for example, marketing) by creating access point groups (formerly known as site-specific VLANs). Additionally, these access point groups can be configured in separate VLANs to simplify network administration
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008073c723.shtml
AP Group VLANs with Wireless LAN Controllers Configuration Example
-
Not able to form EoIP tunnel with anchor WLC
Hi all,
I have a WLC at a remote site that is supposed to form an EoIP tunnel with 2 anchor WLCs located at a data center. From the site WLC and the anchor WLCs, the mobility shows UP on both ends. Also, I can ping the mobility peers from each end. However, when I look into the client details on the remote site WLC, there is no Mobility Anchor IP address, which tells me that the EoIP tunnel between the site and anchor controller is not forming for some reason. Any idea what I could be missing?
(WOHW-WC01) >show client detail 0c:3e:9f:ab:db:ed
Client MAC Address............................... 0c:3e:9f:ab:db:ed
Client Username ................................. N/A
AP MAC Address................................... 0c:68:03:b9:44:70
AP Name.......................................... WOHW-LAP016
Client State..................................... Associated
Client NAC OOB State............................. Access
Wireless LAN Id.................................. 66
Hotspot (802.11u)................................ Not Supported
BSSID............................................ 0c:68:03:b9:44:72
Connected For ................................... 1469 secs
Channel.......................................... 6
IP Address....................................... Unknown
Gateway Address.................................. Unknown
Netmask.......................................... Unknown
IPv6 Address..................................... fe80::1c1a:e07c:dd48:bc7e
Association Id................................... 3
Authentication Algorithm......................... Open System
Reason Code...................................... 1
Status Code...................................... 0
Session Timeout.................................. 0
Client CCX version............................... No CCX support
QoS Level........................................ Bronze
802.1P Priority Tag.............................. disabled
CTS Security Group Tag........................... Not Applicable
KTS CAC Capability............................... No
WMM Support...................................... Enabled
APSD ACs....................................... BK BE VI VO
Power Save....................................... ON
Current Rate..................................... m7
Supported Rates.................................. 9.0,12.0,18.0,24.0,36.0,48.0,
............................................. 54.0
Mobility State................................... None
Mobility Move Count.............................. 0
Security Policy Completed........................ No
Policy Manager State............................. STATICIP_NOL3SEC
>>> No Mobility peer IP address <<<<
(WOHW-WC01) >show mobility anchor wlan 66
Mobility Anchor Export List
WLAN ID IP Address Status
66 137.183.242.149 Up
66 137.183.242.150 Up
(WOHW-WC01) >show mobility sum
Mobility Architecture ........................... Flat
Mobility Protocol Port........................... 16666
Default Mobility Domain.......................... WOHW_ENT1
Multicast Mode .................................. Disabled
Mobility Domain ID for 802.11r................... 0x9cbf
Mobility Keepalive Interval...................... 10
Mobility Keepalive Count......................... 3
Mobility Group Members Configured................ 3
Mobility Control Message DSCP Value.............. 0
Controllers configured in the Mobility Group
MAC Address IP Address Group Name Multicast IP Status
bc:16:65:f9:18:60 137.183.242.150 CIN_GUEST1 0.0.0.0 Up
e0:2f:6d:7c:42:20 143.27.201.52 WOHW_ENT1 0.0.0.0 Up
f8:72:ea:ee:a0:00 137.183.242.149 CIN_GUEST1 0.0.0.0 Up
It works now. I changed the NAC state to "Radius-NAC". Now the mobility hand-off is occurring.
(WOHW-WC01) >show wlan 66
WLAN Identifier.................................. 66
Profile Name..................................... PGGuest
Network Name (SSID).............................. PGGuest
Status........................................... Enabled
MAC Filtering.................................... Enabled
Broadcast SSID................................... Enabled
AAA Policy Override.............................. Enabled
Network Admission Control
Client Profiling Status ....................... Disabled
DHCP ......................................... Disabled
HTTP ......................................... Disabled
Radius-NAC State............................... Enabled
-
WLC Applying cached RADIUS Override values for mobile
Hello!
We have a WiSM2 (version 7.4.110.0) with approx 200 APs. We are doing RADIUS authentication via a PacketFence backend. Everything usually works fine, but we are having an intermittent issue...
The WiSM2 gets its VLAN assignment for a client from the PacketFence server and does AAA override. If a client has not registered their device, they go on one VLAN. Once they register, PacketFence disconnects them via RADIUS to the WiSM2, and then they should get their new VLAN assignment. This works fine in the majority of cases, but occasionally, after registering, the client disconnects and reconnects but is still put back on the registration VLAN.
debug client mac shows this in the logs:
Applying cached RADIUS Override values for mobile 00:25:56:3d:f6:7b (caller pem_api.c:2210)
And I do not see the WiSM2 asking the PacketFence server for a VLAN assignment in the PacketFence logs.
Eventually, if the client stays disconnected long enough (5+ minutes), they can reconnect and get the proper VLAN assignment. I had previously opened a TAC about this, and they suggested a WiSM2 software upgrade and setting the Session Timeout on the WLAN to 900 seconds, which I did. This issue then disappeared for several weeks, but it has started happening again today (we saw it happen to about 15 clients throughout the day).
Anyone have any ideas on why this is happening, and how to stop the caching? Any thoughts would be greatly appreciated.
Here is the output from a show wlan of one of our WLANs we have seen this on:
WLAN Identifier.................................. 2
Profile Name..................................... BlitzNet
Network Name (SSID).............................. BlitzNet
Status........................................... Enabled
MAC Filtering.................................... Enabled
Broadcast SSID................................... Enabled
AAA Policy Override.............................. Enabled
Network Admission Control
Client Profiling Status ....................... Disabled
DHCP ......................................... Disabled
HTTP ......................................... Disabled
Radius-NAC State............................... Disabled
SNMP-NAC State................................. Disabled
Quarantine VLAN................................ 0
Maximum number of Associated Clients............. 0
Maximum number of Clients per AP Radio........... 200
Number of Active Clients......................... 538
Exclusionlist Timeout............................ 60 seconds
Session Timeout.................................. 900 seconds
User Idle Timeout................................ 300 seconds
User Idle Threshold.............................. 0 Bytes
NAS-identifier................................... WISM2_SDC
CHD per WLAN..................................... Enabled
Webauth DHCP exclusion........................... Disabled
Interface........................................ blitznet
Multicast Interface.............................. Not Configured
WLAN IPv4 ACL.................................... unconfigured
WLAN IPv6 ACL.................................... unconfigured
mDNS Status...................................... Disabled
mDNS Profile Name................................ unconfigured
DHCP Server...................................... Default
DHCP Address Assignment Required................. Disabled
Static IP client tunneling....................... Disabled
PMIPv6 Mobility Type............................. none
Quality of Service............................... Silver
Per-SSID Rate Limits............................. Upstream Downstream
Average Data Rate................................ 0 0
Average Realtime Data Rate....................... 0 0
Burst Data Rate.................................. 0 0
Burst Realtime Data Rate......................... 0 0
Per-Client Rate Limits........................... Upstream Downstream
Average Data Rate................................ 0 0
Average Realtime Data Rate....................... 0 0
Burst Data Rate.................................. 0 0
Burst Realtime Data Rate......................... 0 0
Scan Defer Priority.............................. 4,5,6
Scan Defer Time.................................. 100 milliseconds
WMM.............................................. Allowed
WMM UAPSD Compliant Client Support............... Disabled
Media Stream Multicast-direct.................... Disabled
CCX - AironetIe Support.......................... Enabled
CCX - Gratuitous ProbeResponse (GPR)............. Disabled
CCX - Diagnostics Channel Capability............. Disabled
Dot11-Phone Mode (7920).......................... Disabled
Wired Protocol................................... None
Passive Client Feature........................... Disabled
Peer-to-Peer Blocking Action..................... Drop
Radio Policy..................................... All
DTIM period for 802.11a radio.................... 1
DTIM period for 802.11b radio.................... 1
Radius Servers
Authentication................................ ipofradiusserver 1812
Accounting.................................... Global Servers
Interim Update............................. Disabled
Dynamic Interface............................. Disabled
Dynamic Interface Priority.................... wlan
Local EAP Authentication......................... Disabled
Security
802.11 Authentication:........................ Open System
FT Support.................................... Disabled
Static WEP Keys............................... Disabled
802.1X........................................ Disabled
Wi-Fi Protected Access (WPA/WPA2)............. Disabled
WAPI.......................................... Disabled
Wi-Fi Direct policy configured................ Disabled
EAP-Passthrough............................... Disabled
CKIP ......................................... Disabled
Web Based Authentication...................... Disabled
Web-Passthrough............................... Disabled
Conditional Web Redirect...................... Disabled
Splash-Page Web Redirect...................... Disabled
Auto Anchor................................... Disabled
FlexConnect Local Switching................... Disabled
flexconnect Central Dhcp Flag................. Disabled
flexconnect nat-pat Flag...................... Disabled
flexconnect Dns Override Flag................. Disabled
FlexConnect Vlan based Central Switching ..... Disabled
FlexConnect Local Authentication.............. Disabled
FlexConnect Learn IP Address.................. Disabled
Client MFP.................................... Optional but inactive (WPA2 not configured)
PMF........................................... Disabled
PMF Association Comeback Time................. 1
PMF SA Query RetryTimeout..................... 200
Tkip MIC Countermeasure Hold-down Timer....... 60
AVC Visibilty.................................... Disabled
AVC Profile Name................................. None
Flow Monitor Name................................ None
Call Snooping.................................... Disabled
Roamed Call Re-Anchor Policy..................... Disabled
SIP CAC Fail Send-486-Busy Policy................ Enabled
SIP CAC Fail Send Dis-Association Policy......... Disabled
KTS based CAC Policy............................. Disabled
Assisted Roaming Prediction Optimization......... Disabled
802.11k Neighbor List............................ Disabled
802.11k Neighbor List Dual Band.................. Disabled
Band Select...................................... Disabled
Load Balancing................................... Disabled
Multicast Buffer................................. Disabled
Mobility Anchor List
WLAN ID IP Address Status
802.11u........................................ Disabled
MSAP Services.................................. Disabled
There is nothing in the RADIUS server logs. It is as if the WiSM2 does not talk to it for the 2nd request. The flow for a problem client is like this:
1. New client associates
2. WiSM asks RADIUS server for VLAN
3. RADIUS Server hasn't seen it, so it puts it on VLAN 84 (our registration VLAN)
4. Client goes through captive portal
5. RADIUS server sends disconnect client message to WiSM
6. Client disconnects, reconnects
7. WiSM2 puts it back on VLAN 84, when it should put it on a VLAN determined by the SSID. The WiSM2 never asks the RADIUS server for the VLAN again, until the client has stayed disconnected for 5+ minutes, and I see the message in the wism2 log that I wrote above.
In the vast majority of cases, step 7 works properly. That is, when the client reconnects, it asks the RADIUS server what VLAN to put it on (I see it in the RADIUS server logs). I see the second request come in, and the RADIUS server replies with appropriate VLAN for the SSID.
After they get their proper VLAN, this doesn't occur again. It is as if the RADIUS server caches the client's VLAN override attribute somewhere and uses that, rather than asking the RADIUS server.
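Both threads above are diagnosed from the same kind of AireOS output: the dotted "Key...... Value" lines of `show client detail` and `show wlan`, the row table of `show mobility anchor wlan`, and one `debug client` message. The script below is an added example (not code from the posts or from Cisco) that parses those formats and runs the two checks the posters did by eye: whether a client on a WLAN that exports anchors is still local on the foreign WLC, and which clients a `debug client` capture shows being served from cached RADIUS override values. The sample `show` output is copied (trimmed) from the posts with their MACs and IPs; the three DEBUG lines are constructed from the single message quoted above (the second MAC is made up). The function and constant names are mine, and the Radius-NAC finding only relays what the first thread's poster reported fixed their hand-off.

```python
import re

# 'Key........ Value' lines of AireOS 'show client detail' / 'show wlan' output
_KV = re.compile(r"^\s*(?P<key>.+?)\s*\.{3,}\s*(?P<val>.*?)\s*$")
# data rows of 'show mobility anchor wlan <id>'
_ANCHOR = re.compile(r"^\s*(?P<wlan>\d+)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<status>\S+)")
# the 'debug client' message quoted in the second thread
_CACHED = re.compile(r"Applying cached RADIUS Override values for mobile\s+"
                     r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})", re.I)


def parse_dotted(text):
    """Turn 'Key.... Value' lines into a dict; a dot-only line continues the previous value."""
    out, last = {}, None
    for line in text.splitlines():
        m = _KV.match(line)
        if not m:
            continue                              # prompts, section headers, table rows
        key = m.group("key").strip(". ")
        if key:
            out[key], last = m.group("val"), key
        elif last:                                # e.g. '........ 54.0' after 'Supported Rates'
            out[last] = (out[last] + " " + m.group("val")).strip()
    return out


def parse_anchor_table(text):
    """Rows of 'show mobility anchor wlan N' -> [(wlan_id, anchor_ip, status)]."""
    rows = (_ANCHOR.match(line) for line in text.splitlines())
    return [(int(m["wlan"]), m["ip"], m["status"]) for m in rows if m]


def diagnose_anchor(client_text, anchor_text, wlan_text):
    """Findings for a client that should be tunnelled to an anchor but is not (first thread)."""
    client, wlan = parse_dotted(client_text), parse_dotted(wlan_text)
    wlan_id = int(client.get("Wireless LAN Id", "-1"))
    up = [ip for wid, ip, st in parse_anchor_table(anchor_text) if wid == wlan_id and st == "Up"]
    if not up:
        return ["WLAN %d exports no anchor in Up state; check 'show mobility anchor'" % wlan_id]
    findings = []
    if client.get("Mobility State") == "None":
        findings.append("client %s is still local (Mobility State None) although WLAN %d exports %s"
                        % (client.get("Client MAC Address"), wlan_id, ", ".join(up)))
        if wlan.get("Radius-NAC State") != "Enabled":
            # the poster in the first thread got the hand-off working by enabling Radius-NAC
            findings.append("Radius-NAC State is %s on WLAN %d" % (wlan.get("Radius-NAC State"), wlan_id))
    if client.get("IP Address") == "Unknown":
        findings.append("client has no IP address yet (Policy Manager State %s)"
                        % client.get("Policy Manager State"))
    return findings


def cached_override_clients(debug_text):
    """MAC -> number of 'Applying cached RADIUS Override values' events in a 'debug client' capture."""
    counts = {}
    for m in _CACHED.finditer(debug_text):
        counts[m["mac"].lower()] = counts.get(m["mac"].lower(), 0) + 1
    return counts


def wlan_override_settings(wlan_text):
    """The 'show wlan' values that matter when override results look stale (second thread)."""
    wlan = parse_dotted(wlan_text)
    return {
        "aaa_override": wlan.get("AAA Policy Override"),
        "radius_nac": wlan.get("Radius-NAC State"),
        "session_timeout_s": int(wlan.get("Session Timeout", "0").split()[0]),
        "idle_timeout_s": int(wlan.get("User Idle Timeout", "0").split()[0]),
    }


# Samples copied (trimmed) from the posts above; DEBUG is constructed from the one quoted message.
CLIENT_66 = """\
Client MAC Address............................... 0c:3e:9f:ab:db:ed
Wireless LAN Id.................................. 66
IP Address....................................... Unknown
Supported Rates.................................. 9.0,12.0,18.0,24.0,36.0,48.0,
............................................. 54.0
Mobility State................................... None
Policy Manager State............................. STATICIP_NOL3SEC
"""
ANCHORS_66 = "WLAN ID IP Address Status\n66 137.183.242.149 Up\n66 137.183.242.150 Up\n"
WLAN_66 = "AAA Policy Override.............................. Enabled\nRadius-NAC State............................... Enabled\n"
WLAN_2 = """\
AAA Policy Override.............................. Enabled
Radius-NAC State............................... Disabled
Session Timeout.................................. 900 seconds
User Idle Timeout................................ 300 seconds
"""
DEBUG = """\
Applying cached RADIUS Override values for mobile 00:25:56:3d:f6:7b (caller pem_api.c:2210)
Applying cached RADIUS Override values for mobile 00:25:56:3d:f6:7b (caller pem_api.c:2210)
Applying cached RADIUS Override values for mobile 00:11:22:33:44:55 (caller pem_api.c:2210)
"""

if __name__ == "__main__":
    for f in diagnose_anchor(CLIENT_66, ANCHORS_66, WLAN_66):
        print("anchor:", f)
    print("override settings:", wlan_override_settings(WLAN_2))
    print("cached-override clients:", cached_override_clients(DEBUG))
```

Feed it the real output of `show client detail <mac>`, `show mobility anchor wlan <id>` and `show wlan <id>` captured from the foreign WLC; a client that shows "Mobility State None" while the WLAN exports Up anchors has never been handed off, which is exactly the symptom in the first thread. For the second thread, the per-MAC count from a `debug client` capture tells you which reconnects were served from the cached override without a new RADIUS request, so you can line those MACs up against the RADIUS server's own logs.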