AAA Override on Anchored WLANs

Hi,
Is it possible to create an anchored WLAN using 802.1x and use AAA override to dynamically change the VLAN clients are put in on the anchor WLC?
I am assuming not but can't hurt to ask!
Thanks,

No:) the reason is that the foreign WLC does the encryption/decryption, so it would have to be done there without anchor. You wouldn't be able to change the vlan id from an anchor WLC.
Sent from Cisco Technical Support iPhone App

Similar Messages

  • AAA Override - QOS above what's set on WLAN

    Hey guys, I think I already know the answer but thought I'd run this by the community.  I'm working on configuring a PEAP secured WLAN that will be shared by our Data and VoIP wireless.  Right now the WLAN's QOS is set at Silver and I'm using AAA Override to set the Cisco 7925s on our voip interface and set the QOS level to Platinum.  The problem is that I'm getting tons of the following errors:
    VoIP Call Failure: '44:2b:03:xx:xx:xx' client, detected by 'xxxxxxx' AP on radio type '802.11a'. Reason: 'Call failed: TSPEC QOS Policy does not match'.
    If I change this WLAN's QOS to Platinum the error goes away.  My thought is that I may have to configure the default QOS to Platinum and override all other devices to Silver - I'd rather not do this as more devices are affected by that change.  If anyone knows or has run into something that I might be missing I'd be happy to listen to any suggestions.
    Thanks all!

    Well whatever you set the WLAN QoS level, that is the highest allowed on the WLAN. You can't mark WMM higher but you can limit it. So set your QoS level as Platinum and make sure you drop the QoS value on non voice clients to bronze.
    Sent from Cisco Technical Support iPhone App

  • H-REAP and AAA-override

    Hi,
    I need a solution for this scenario:
    - one SSID
    - AP is HREAP-capable
    - Authentication via EAP-TLS with radius server
    Depending on the radius feedback (aaa-override) the client should work in a HREAP-VLAN or over the WLC.
    I only found a fixed configuration for
    SSID <--> HREAP-VLAN.
    Thanks

    I don't think such a scenario is possible. The radius server can be used to dictate which WLAN the Wireless user will use but cannot dictate whether the user will use HREAP mode or the normal mode. That configuration needs to be done on the controller on a per SSID basis.

  • Flex and aaa override

    Hi!
    The current design of the network needs the following:
    All branches must have a single corporate SSID. Users in a branch must be split by functionality into different VLANs.
    The corporate SSID must be switched locally.
    Does FlexConnect with AAA override have the ability to map one SSID to multiple VLANs?
    I can't get confirmation of this from the documentation. All examples explain how to map a single SSID to a single VLAN.
    Thanks for answers!

    Yes, you can use AAA Override to assign the VLAN in FlexConnect Mode.  Below is a link to the Configuration guide.
    http://www.cisco.com/en/US/docs/wireless/controller/7.3/configuration/guide/b_wlc-cg_chapter_01110.html#d174972e3765a1635
    HTH,
    Steve
    Please remember to rate useful posts, and mark questions as answered

  • Guest anchor WLAN and DHCP

    hi,
    I am trying to setup a guest WLAN using a local controller and  a controller in my DMZ using the mobility-anchor configuration.
    Ideally I'd like to use an external DHCP server in my DMZ, but for now, I'd be happy getting the local DHCP server on the DMZ controller working.
    Local Controller config
    Configured mobility-groups, verified mobility group is working
    Created WLAN called "guest" - assigned it to the management interface.
    Have tried the following with regards to DHCP on this WLAN.
         Set it to "override" and specified the DMZ controller's management interface
         Set DHCP to "assignment required" and specified the DMZ controller's management interface for the DHCP server for the local controller's management interface
         Left DHCP server blank on the local controller's management interface
    Setup the DMZ controller as the mobility anchor for the "guest" WLAN
    DMZ controller config
    Configured mobility-groups, verified mobility group is working
    Created WLAN called "guest"
    Created a dynamic interface called "guest" associated to the "guest" WLAN
    Setup mobility anchor for the "guest" interface,  mobility-anchor = local controller
    Created an internal DHCP server scope and enabled it
    Have tried the following with regards to DHCP on the "guest" WLAN
         Set DHCP to "assignment required" and specified the IP address of the controller's management interface as the DHCP server on the "guest" dynamic interface
         Set DHCP to "assignment required" and specified the IP address of the controller's "guest" dynamic interface as the DHCP server on the "guest" dynamic interface
         Set DHCP to "override" and specified the DMZ controller's management interface IP
         Set DHCP to "override" and specified the DMZ controller's "guest" interface IP
    After all this, my client still cannot get an IP address via DHCP. I verified the client is associating to the AP.
    Any help would be appreciated.
    Thanks
    Lee

    On the DMZ controller, what is the output of debug client <mac address of the client>? You may also want to capture debug mobility handoff enable from both WLCs.
    For the guest, the DHCP is going to come from the DMZ controller, so there is no real need to configure anything on the internal WLC. One thing of note: the WLAN config on both the DMZ and internal must match exactly with the exception of the linked interface, otherwise you will not anchor.
    While running the debug, show dhcp proxy; for the WLC to be the DHCP server, proxy needs to be enabled.

  • WLC 5508: 802.1x AAA override; Authentication success, no dynamic VLAN assignment

    WLC 5508: software version 7.0.98.0
    Windows 7 Client
    Radius Server:  Fedora Core 13 / Freeradius with LDAP storage backend
    I have followed the guide at http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml with respect to building the LDAP and FreeRADIUS server. 802.1x authorization and authentication work correctly. The session keys are returned from the radius server and the WLC sends the appropriate information for the client to generate the WEP key.
    However, the WLC does not override the VLAN assignment, even though I believe I set everything up correctly. From the packet capture, you can see that the verification that the client is authorized to use the WLAN returns the needed attributes:
    AVP: l=4  t=Tunnel-Private-Group-Id(81): 10
    AVP: l=6  t=Tunnel-Medium-Type(65): IEEE-802(6)
    AVP: l=6  t=Tunnel-Type(64): VLAN(13)
    I attached a packet capture and wlc config, any guidance toward the attributes that may be missing or not set correctly in the config would be most appreciated.

    Yes, good catch. So I had one setting left off in freeradius that allowed the inner reply attributes back to the outer tunneled accept. I wrote up a medium-high-level config for any future viewers of this thread:
    The following was tested and verified on a Fedora 13 installation. This is a minimal setup, not meant for a "live" network (security issues with cleartext passwords, LDAP not indexed properly for performance).
    Install Packages
    1.  Install needed packages.
    yum install openldap*
    yum install freeradius*
    2.  Set the services to automatically start on system startup
    chkconfig --level 2345 slapd on
    chkconfig --level 2345 radiusd on
    Configure and start LDAP
    1.  Copy the needed LDAP schema for radius. Your path may vary a bit
    cp /usr/share/doc/freeradius*/examples/openldap.schema /etc/openldap/schema/radius.schema
    2.  Create an admin password for slapd. Record this password for later use when configuring the slapd.conf file
    slappasswd
    3.  Add the ldap user and group, if they don't exist. Depending on the install rpm, they may have been created
    useradd ldap
    groupadd ldap
    4.  Create the directory and assign permissions for the database files
    mkdir /var/lib/ldap
    chmod 700 /var/lib/ldap
    chown ldap:ldap /var/lib/ldap
    5.  Edit the slapd.conf file.
    cd /etc/openldap
    vi slapd.conf
    # See slapd.conf(5) for details on configuration options.
    # This file should NOT be world readable.
    #Default needed schemas
    include        /etc/openldap/schema/corba.schema
    include        /etc/openldap/schema/core.schema
    include        /etc/openldap/schema/cosine.schema
    include        /etc/openldap/schema/duaconf.schema
    include        /etc/openldap/schema/dyngroup.schema
    include        /etc/openldap/schema/inetorgperson.schema
    include        /etc/openldap/schema/java.schema
    include        /etc/openldap/schema/misc.schema
    include        /etc/openldap/schema/nis.schema
    include        /etc/openldap/schema/openldap.schema
    include        /etc/openldap/schema/ppolicy.schema
    include        /etc/openldap/schema/collective.schema
    #Radius include
    include        /etc/openldap/schema/radius.schema
    #Samba include
    #include        /etc/openldap/schema/samba.schema
    # Allow LDAPv2 client connections.  This is NOT the default.
    allow bind_v2
    # Do not enable referrals until AFTER you have a working directory
    # service AND an understanding of referrals.
    #referral    ldap://root.openldap.org
    pidfile        /var/run/openldap/slapd.pid
    argsfile    /var/run/openldap/slapd.args
    # ldbm and/or bdb database definitions
    #Use the Berkeley database
    database    bdb
    #dn suffix, domain components read in order
    suffix        "dc=cisco,dc=com"
    checkpoint    1024 15
    #root container node defined
    rootdn        "cn=Manager,dc=cisco,dc=com"
    # Cleartext passwords, especially for the rootdn, should
    # be avoided.  See slappasswd(8) and slapd.conf(5) for details.
    # Use of strong authentication encouraged.
    # rootpw        secret
    rootpw        {SSHA}cVV/4zKquR4IraFEU7NTG/PIESw8l4JI
    # The database directory MUST exist prior to running slapd AND
    # should only be accessible by the slapd and slap tools. (chown ldap:ldap)
    # Mode 700 recommended.
    directory    /var/lib/ldap
    # Indices to maintain for this database
    index objectClass                       eq,pres
    index uid,memberUid                     eq,pres,sub
    # enable monitoring
    database monitor
    # allow only rootdn to read the monitor
    access to *
             by dn.exact="cn=Manager,dc=cisco,dc=com" read
             by * none
    6.  Remove the slapd.d directory
    cd /etc/openldap
    rm -rf slapd.d
    7.  If everything is correct, you should be able to start up slapd with no problem
    service slapd start
    8.  Create the initial database in a text file called /tmp/initial.ldif
    dn: dc=cisco,dc=com
    objectClass: dcObject
    objectClass: organization
    o: cisco
    dc: cisco

    dn: ou=people,dc=cisco,dc=com
    objectClass: organizationalUnit
    ou: people
    description: people

    dn: uid=jonatstr,ou=people,dc=cisco,dc=com
    objectClass: top
    objectClass: radiusprofile
    objectClass: inetOrgPerson
    cn: jonatstr
    sn: jonatstr
    uid: jonatstr
    description: user Jonathan Strickland
    radiusTunnelType: VLAN
    radiusTunnelMediumType: 802
    radiusTunnelPrivateGroupId: 10
    userPassword: ggsg
    9.  Add the file to the database
    ldapadd -h localhost -W -D "cn=Manager,dc=cisco,dc=com" -f /tmp/initial.ldif
    10.  Issue a basic query to the ldap db to make sure that we can request and receive results back
    ldapsearch -h localhost -W -D cn=Manager,dc=cisco,dc=com -b dc=cisco,dc=com -s sub "objectClass=*"
    Configure and Start FreeRadius
    1. Configure ldap.attrmap, if needed. This step is only needed if we need to map and pass attributes back to the authenticator (dynamic VLAN assignment as an example). Below is an example for dynamic VLAN assignment
    cd /etc/raddb
    vi ldap.attrmap
    For dynamic vlan assignments, verify the follow lines exist:
    replyItem    Tunnel-Type                                   radiusTunnelType
    replyItem    Tunnel-Medium-Type                   radiusTunnelMediumType
    replyItem    Tunnel-Private-Group-Id              radiusTunnelPrivateGroupId
    Since we are planning to use the userPassword attribute, we will let the mschap module perform the NT translations for us. Add the following line to check the ldap object for userPassword and store it as Cleartext-Password:
    checkItem    Cleartext-Password    userPassword
    2.  Configure eap.conf. The following sections and attributes should be verified. You may change other attributes as needed; they are just not covered in this document.
    eap {
        default_eap_type = peap
        .....
        tls {
            # I will not go into details here as this is beyond the scope of setting up freeradius. The defaults will work, as freeradius comes with generated self-signed certificates.
            .....
        }
        peap {
            default_eap_type = mschapv2
            # you will have to set this to allow the inner tls tunnel attributes into the final accept message
            use_tunneled_reply = yes
            .....
        }
        .....
    }
    3.  Change the authentication and authorization modules and order.
    cd /etc/raddb/sites-enabled
    vi default
    For the authorize section, uncomment the ldap module.
    For the authenticate section, uncomment the ldap module
    vi inner-tunnel
    Very important: for the authorize section, ensure the ldap module is first, before mschap. Thus authorize will look like:
    authorize {
        ldap
        mschap
        ......
    }
    4.  Configure the ldap module
    cd /etc/raddb/modules
    vi ldap
    ldap {
        server = "localhost"
        identity = "cn=Manager,dc=cisco,dc=com"
        password = admin
        basedn = "dc=cisco,dc=com"
        base_filter = "(objectclass=radiusprofile)"
        access_attr = "uid"
        ............
    }
    5.  Start up radius in debug mode on another console
    radiusd -X
    6.  radtest jonatstr ggsg localhost 12 testing123
    You should get an Access-Accept back
    7.  Now to perform an EAP-PEAP test. This will require a wpa_supplicant test library called eapol_test
    First install openssl support libraries, required to compile
    yum install openssl*
    yum install gcc
    wget http://hostap.epitest.fi/releases/wpa_supplicant-0.6.10.tar.gz 
    tar xvf wpa_supplicant-0.6.10.tar.gz
    cd wpa_supplicant-0.6.10/wpa_supplicant
    vi defconfig
    Uncomment CONFIG_EAPOL_TEST = y and save/exit
    cp defconfig .config
    make eapol_test
    cp eapol_test /usr/local/bin
    chmod 755 /usr/local/bin/eapol_test
    8.  Create a test config file named eapol_test.conf.peap
    network={
        eap=PEAP
        eapol_flags=0
        key_mgmt=IEEE8021X
        identity="jonatstr"
        password="ggsg"
        # If you want to verify the server certificate, the line below would be needed
        #ca_cert="/root/ca.pem"
        phase2="auth=MSCHAPV2"
    }
    9.  Run the test
    eapol_test -c ~/eapol_test.conf.peap -a 127.0.0.1 -p 1812 -s testing123
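    The Access-Accept attributes quoted in this thread (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-Id) are what the WLC needs before it will AAA-override the client VLAN. As an added example (not from the thread, FreeRADIUS or Cisco), this Python script encodes and parses those RFC 2868 tunnel AVPs and reports whether a reply carries a consistent VLAN assignment; the untagged and tag=1 replies are constructed samples modelled on the capture above and on the ISE output elsewhere on this page, and the empty reply mimics the symptom before use_tunneled_reply = yes.

```python
"""Check an Access-Accept for the RFC 2868 tunnel attributes a WLC needs to
AAA-override a client's VLAN (added example; all sample data is constructed)."""

TUNNEL_TYPE = 64                 # RFC 2868 Tunnel-Type
TUNNEL_MEDIUM_TYPE = 65          # RFC 2868 Tunnel-Medium-Type
TUNNEL_PRIVATE_GROUP_ID = 81     # RFC 2868 Tunnel-Private-Group-Id
TUNNEL_TYPE_VLAN = 13            # RFC 3580: Tunnel-Type "VLAN"
TUNNEL_MEDIUM_IEEE_802 = 6       # RFC 2868: Tunnel-Medium-Type "IEEE-802"
MAX_TAG = 0x1F                   # a leading octet above this is not a tag


def encode_tagged_int(attr_type, value, tag=0):
    """Tagged integer AVP: type, length, tag octet, 3-byte big-endian value."""
    payload = bytes([tag]) + value.to_bytes(3, "big")
    return bytes([attr_type, 2 + len(payload)]) + payload


def encode_tagged_string(attr_type, value, tag=None):
    """Tagged string AVP; the tag octet is optional and omitted when tag is None."""
    payload = value.encode("ascii")
    if tag is not None:
        payload = bytes([tag]) + payload
    return bytes([attr_type, 2 + len(payload)]) + payload


def parse_avps(data):
    """Return a list of (type, tag, value) from a run of RADIUS AVPs.
    tag is 0 for untagged attributes; value is an int for the tagged-integer
    tunnel attributes, a str for Tunnel-Private-Group-Id, raw bytes otherwise."""
    avps, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated AVP header at offset %d" % pos)
        attr_type, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("bad AVP length %d at offset %d" % (length, pos))
        body = data[pos + 2:pos + length]
        pos += length
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if len(body) != 4:
                raise ValueError("tunnel attribute %d must be 4 octets" % attr_type)
            tag = body[0] if body[0] <= MAX_TAG else 0
            avps.append((attr_type, tag, int.from_bytes(body[1:], "big")))
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
            # RFC 2868: the first octet is a tag only if it is <= 0x1F, otherwise
            # it is part of the string ("10" untagged from FreeRADIUS, tag=1 from ISE).
            if body and body[0] <= MAX_TAG:
                avps.append((attr_type, body[0], body[1:].decode("ascii")))
            else:
                avps.append((attr_type, 0, body.decode("ascii")))
        else:
            avps.append((attr_type, 0, body))
    return avps


def assigned_vlan(avps):
    """Return (vlan_id, "ok") if one tag group carries Tunnel-Type=VLAN,
    Tunnel-Medium-Type=IEEE-802 and a numeric Tunnel-Private-Group-Id that all
    share the same tag; otherwise (None, reason)."""
    groups = {}
    for attr_type, tag, value in avps:
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID):
            groups.setdefault(tag, {})[attr_type] = value
    for tag in sorted(groups):
        attrs = groups[tag]
        if (attrs.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and attrs.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE_802
                and TUNNEL_PRIVATE_GROUP_ID in attrs):
            gid = attrs[TUNNEL_PRIVATE_GROUP_ID]
            if gid.isdigit() and 1 <= int(gid) <= 4094:
                return int(gid), "ok"
            return None, "Tunnel-Private-Group-Id %r is not a VLAN id" % gid
    return None, "no tag group has Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802 and Tunnel-Private-Group-Id"


# Constructed samples (not captured traffic).
# Untagged, like the FreeRADIUS reply in this post: AVP lengths 6 / 6 / 4.
FREERADIUS_REPLY = (encode_tagged_int(TUNNEL_TYPE, TUNNEL_TYPE_VLAN)
                    + encode_tagged_int(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_IEEE_802)
                    + encode_tagged_string(TUNNEL_PRIVATE_GROUP_ID, "10"))
# tag=1 on all three, like the ISE output elsewhere on this page.
ISE_REPLY = (encode_tagged_int(TUNNEL_TYPE, TUNNEL_TYPE_VLAN, tag=1)
             + encode_tagged_int(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_IEEE_802, tag=1)
             + encode_tagged_string(TUNNEL_PRIVATE_GROUP_ID, "158", tag=1))
# Broken: the group id is tagged 2 while the other two are tagged 1.
MISMATCHED_REPLY = (encode_tagged_int(TUNNEL_TYPE, TUNNEL_TYPE_VLAN, tag=1)
                    + encode_tagged_int(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_IEEE_802, tag=1)
                    + encode_tagged_string(TUNNEL_PRIVATE_GROUP_ID, "158", tag=2))
# Broken: inner-tunnel attributes never copied to the outer Access-Accept.
EMPTY_REPLY = b""

if __name__ == "__main__":
    for name, reply in [("freeradius", FREERADIUS_REPLY), ("ise", ISE_REPLY),
                        ("mismatched", MISMATCHED_REPLY), ("empty", EMPTY_REPLY)]:
        print(name, assigned_vlan(parse_avps(reply)))
```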

  • Override centrally switched WLAN

    Hello.
    I need some advice on configuring a guest access for several remote sites on a 5508 WLC.
    I set up a guest WLAN which is centrally switched and authenticated. That works fine for the main location and most of the remote sites. My problem is now that for some (but not all) remote sites, this WLAN has to be locally switched because of a different legal situation. The access points in the remote sites are already configured as FlexConnect access points.
    Is there a way to override the central switching for some remote sites?
    Thanks in advance!
    Sven

    Sven,
    you can do this by configuring additional WLAN profiles which contain the same SSIDs as your existing ones, but use local switching instead of central switching. You should use WLAN numbers > 16 so that the new profiles are not in the default group, then create a new AP group, configure your new profiles and add your APs.
    Let us know if you need a more detailed how-to.
    Regards
    Stefan

  • AAA Servers toggles per WLAN

    Dear Team, I have a controller-based installation with 802.1x auth via ACSSE and AD. The controllers are running 4.2.173.0. 2 ACSSE are configured. For a few days we have seen problems with client authentication. The WLC log shows that the WLAN toggles between the 2 RADIUS servers:
    84 Tue Dec 9 09:29:19 2008 RADIUS server xx.xx.xx.xx:1812 activated on WLAN 2
    85 Tue Dec 9 09:29:19 2008 RADIUS server xx.xx.xx.yy:1812 deactivated on WLAN 2
    86 Tue Dec 9 09:29:19 2008 RADIUS server xx.xx.xx.yy:1812 failed to respond to request (ID 148) for client <Client-MAC> / user 'unknown'
    Does anyone know under which conditions (timeout etc.) the WLAN changes the RADIUS server? Since we don't run 5.x, we can't use the dedicated RADIUS fallback feature. Has anyone seen this problem? Regards, Michael

    After working with TAC, I resolved this issue recently.  Increasing the timeout value did not help. On the WLC, try:
    config radius aggressive-failover disable
    As per http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a0080665d18.shtml :
    If the aggressive failover feature is enabled in WLC, the WLC is too aggressive to mark the AAA server as not responding. But, this should not be done because the AAA server is possibly not responsive only to that particular client, if you do silent discard. It can be a response to other valid clients with valid certificates. But, the WLC can still mark the AAA server as not responding and not functional.
    In order to overcome this, disable the aggressive failover feature. Issue the config radius aggressive-failover disable command from the controller GUI in order to perform this. If this is disabled, then the controller only fails over to the next AAA server if there are three consecutive clients that fail to receive a response from the RADIUS server.

  • Controllers not re-directing client requests to ISE

    Please find attached a simple BYOD/ISE document I uploaded to kick start my new wireless setup. It's all configured on my ISE server and controller as per the doc.
    My setup:
    3600 AP's
    Internal 5508 Controller
    DMZ 5508 Controller (acts as a DHCP server for wireless clients)
    Controllers have established connectivity (mobility anchors); as a client I can connect fine to my new SSID, get a DHCP IP address back from the DMZ WLC and at the moment can connect out to the Internet fine (using no WLAN security as a test). So this part is working.
    I have now followed the document configured ISE, enabled AAA on the Internal WLC only and used the AAA override setting on WLAN as in the attached document.
    I connect to SSID expecting to be redirected to my ISE Guest Portal, nothing happens other than connecting to Internet WebPages.
    My question is, if I have followed this document correctly why is the Internal WLC not redirecting client requests to ISE, is this because my mobility anchors need to be re-configured, perhaps the AAA/ISE config needs to be applied to my DMZ WLC not internal WLC?
    I would prefer the Internal WLC to redirect the login to ISE, doesn't make sense to traverse through the DMZ Firewall onto DMZ WLC back into the Internal Network again to the ISE to authenticate.
    Or am I missing something additionally to this document to make sure clients are directed to the ISE Guest portal login.

    After you configure web authentication, if the feature does not work as expected, complete these troubleshooting steps:
    Check if the client gets an IP address. If not, users can uncheck DHCP Required on the WLAN and give the wireless client a static IP address. This assumes association with the access point. Refer to the IP addressing issues section of Troubleshooting Client Issues in the Cisco Unified Wireless Network for troubleshooting DHCP related issues.
    On WLC versions earlier than 3.2.150.10, you must manually enter https://1.1.1.1/login.html in order to navigate to the web authentication window.
    The next step in the process is DNS resolution of the URL in the web browser. When a WLAN client connects to a WLAN configured for web authentication, the client obtains an IP address from the DHCP server. The user opens a web browser and enters a website address. The client then performs the DNS resolution to obtain the IP address of the website. Now, when the client tries to reach the website, the WLC intercepts the HTTP Get session of the client and redirects the user to the web authentication login page.
    Therefore, ensure that the client is able to perform DNS resolution for the redirection to work. On Windows, choose Start > Run, enter CMD in order to open a command window, and do a "nslookup www.cisco.com" and see if the IP address comes back.
    On Macs/Linux: open a terminal window and do a "nslookup www.cisco.com" and see if the IP address comes back.
    If you believe the client is not getting DNS resolution, you can either:
    Enter either the IP address of the URL (for example, http://www.cisco.com is http://198.133.219.25)
    Try to directly reach the controller's webauth page with https:///login.html. Typically this is http://1.1.1.1/login.html.
    Does entering this URL bring up the web page? If yes, it is most likely a DNS problem. It might also be a certificate problem. The controller, by default, uses a self-signed certificate and most web browsers warn against using them.
    For web authentication using a customized web page, ensure that the HTML code for the customized web page is appropriate.
    You can download a sample Web Authentication script from Cisco Software Downloads. For example, for the 4400 controllers, choose Products > Wireless > Wireless LAN Controller > Standalone Controllers > Cisco 4400 Series Wireless LAN Controllers > Cisco 4404 Wireless LAN Controller > Software on Chassis > Wireless Lan Controller Web Authentication Bundle-1.0.1 and download the webauth_bundle.zip file.
    These parameters are added to the URL when the user's Internet browser is redirected to the customized login page:
    ap_mac—The MAC address of the access point to which the wireless user is associated.
    switch_url—The URL of the controller to which the user credentials should be posted.
    redirect—The URL to which the user is redirected after authentication is successful.
    statusCode—The status code returned from the controller's web authentication server.
    wlan—The WLAN SSID to which the wireless user is associated.
    These are the available status codes:
    Status Code 1: "You are already logged in. No further action is required on your part."
    Status Code 2: "You are not configured to authenticate against web portal. No further action is required on your part."
    Status Code 3: "The username specified cannot be used at this time. Perhaps the username is already logged into the system?"
    Status Code 4: "You have been excluded."
    Status Code 5: "The User Name and Password combination you have entered is invalid. Please try again."
    All the files and pictures that need to appear on the customized web page should be bundled into a .tar file before uploading to the WLC. Ensure that one of the files included in the tar bundle is login.html. You receive this error message if you do not include the login.html file:
    Refer to the Guidelines for Customized Web Authentication section of Wireless LAN Controller Web Authentication Configuration Example for more information on how to create a customized web authentication window.
    Note: Files that are large and files that have long names will result in an extraction error. It is recommended that pictures are in .jpg format.
    Internet Explorer 6.0 SP1 or later is the browser recommended for the use of web authentication. Other browsers may or may not work.
    Ensure that the Scripting option is not blocked on the client browser as the customized web page on the WLC is basically an HTML script. On IE 6.0, this is disabled by default for security purposes.
    Note: The Pop Up blocker needs to be disabled on the browser if you have configured any Pop Up messages for the user.
    Note: If you browse to an https site, redirection does not work. Refer to Cisco bug ID CSCar04580 (registered customers only) for more information.
    If you have a host name configured for the virtual interface of the WLC, make sure that the DNS resolution is available for the host name of the virtual interface.
    Note: Navigate to the Controller > Interfaces menu from the WLC GUI in order to assign a DNS hostname to the virtual interface.
    Sometimes the firewall installed on the client computer blocks the web authentication login page. Disable the firewall before you try to access the login page. The firewall can be enabled again once the web authentication is completed.
    Topology/solution firewall can be placed between the client and web-auth server, which depends on the network. As for each network design/solution implemented, the end user should make sure these ports are allowed on the network firewall.
    Protocol                                     Port
    HTTP/HTTPS Traffic                           TCP port 80/443
    CAPWAP Data/Control Traffic                  UDP port 5247/5246
    LWAPP Data/Control Traffic (before rel 5.0)  UDP port 12222/12223
    EOIP packets                                 IP protocol 97
    Mobility                                     UDP port 16666 (non secured), UDP port 16667 (secured IPSEC tunnel)
    For web authentication to occur, the client should first associate to the appropriate WLAN on the WLC. Navigate to the Monitor > Clients menu on the WLC GUI in order to see if the client is associated to the WLC. Check if the client has a valid IP address.
    Disable the Proxy Settings on the client browser until web authentication is completed.
    The default web authentication method is PAP. Ensure that PAP authentication is allowed on the RADIUS server for this to work. In order to check the status of client authentication, check the debugs and log messages from the RADIUS server. You can use the debug aaa all command on the WLC to view the debugs from the RADIUS server.
    Update the hardware driver on the computer to the latest code from the manufacturer's website.
    Verify settings in the supplicant (program on laptop).
    When you use the Windows Zero Config supplicant built into Windows:
    Verify user has latest patches installed.
    Run debugs on supplicant.
    On the client, turn on the EAPOL (WPA+WPA2) and RASTLS logs from a command window, Start > Run > CMD:
    netsh ras set tracing eapol enable
    netsh ras set tracing rastls enable
    In order to disable the logs, run the same command but replace enable with disable. For XP, all logs will be located in C:\Windows\tracing.
    If you still have no login web page, collect and analyze this output from a single client:
    debug client
    debug dhcp message enable
    debug aaa all enable
    debug dot1x aaa enable
    debug mobility handoff enable
    If the issue is not resolved after you complete these steps, collect these debugs and use the TAC Service Request Tool (registered customers only) in order to open a Service Request.
    debug pm ssh-appgw enable
    debug pm ssh-tcp enable
    debug pm rules enable
    debug emweb server enable
    debug pm ssh-engine enable packet

  • WLC, FlexConnect, ISE: Dynamic VLAN not working

    Hi,
    Not sure if this is a WLC or ISE problem, but since I am unsure of the WLC config I will try here first.
    Equipment:
    WiSM2 7.2.111.3
    ISE 1.1.1.268
    AP 3502 in FlexConnect
    What I want to achieve:
    One SSID, multiple VLANs
    Devices get profiled in ISE and based on the type of device they get assigned to a VLAN
    Problem:
    When the device connects the first time it ends up in native VLAN and not switched to the right VLAN, but when I reconnect then it is added to the right VLAN.
    WLC config (I know you like images so here you go ):
    I must be missing something but I can't figure out what. I will be attaching a debug aaa event enable for when the client connect the first time.
    In ISE I have an Authorization Profile that just says VLAN ID/Tag 158 (the VLAN that the device should go to) and it is added to the Authorization rule of the profiled device. CoA is set to Reauth.
    When the client connects I get three events in ISE:
    1.
    Authentication failed :
    22056 Subject not found in the applicable identity store(s)
    2. Authentication Success. With the results:
    UserName=00:18:DE:A2:BC:3A
    User-Name=00-18-DE-A2-BC-3A
    State=ReauthSession:c20e8b2f0000027e50ed27f8
    Class=CACS:c20e8b2f0000027e50ed27f8:ISE01/144259326/671335
    Termination-Action=RADIUS-Request
    Tunnel-Type=(tag=1) VLAN
    Tunnel-Medium-Type=(tag=1) 802
    Tunnel-Private-Group-ID=(tag=1) 158
    cisco-av-pair=profile-name=AX-Intel-Device
    3.
    Dynamic Authorization failed :
    11213 No response received from Network Access Device
    Has anyone got this to work? Do I need to add FlexConnect groups? If so then why?
    Regards,
    Philip

    I think you're hitting CSCua58554
    The bugtoolkit description is horrible.... From what I recall when I ran into it, I believe that FlexConnect is having a problem with MAC filtering based AAA override on open WLANs (and/or CWA based). In general, AAA override works fine when it comes from something like an EAP authentication.
    We had to use a 7.3 ES to resolve it.....
    Looks like it is implemented in 7.4 though..... If you don't want to join the 7.4 bandwagon quite yet, you might ask TAC for an ES of 7.3; I don't think they have a 7.2 build.

  • Mobility Anchor and AAA Overide VLAN Assignment

    Hello,
    I read some document 2 years ago that dynamic VLAN assignment was not possible with Anchored WLANs. Please I would like to know if this is now possible. The network setup would be as follows:
    1. Foreign and Anchor WLC (5508) with single SSID for both guest and internal users
    2. Cisco ISE 1.2 performing AAA override with VLAN tag based on AD group. Guest will go to VLAN for guest after web authentication.
    Please a speedy response would be helpful.

    Hi grabonlee,
    We have been running an anchor with VLAN override for our Guest services. Works well. The VLAN needs to be defined on both the anchor and foreign. We are running 7.6.120 code.

  • Layer 2 security with WLAN auto-anchor mobility

    Hello,
    I was wondering if Layer 2 security can be used with auto-anchored WLANs.
    I need to deploy two new isolated WLANs which will terminate in two DMZ environments.
    I was hoping to use the existing WCS-managed infrastructure with 4404 and 4402 WLCs and just throw on a couple more WLANs.
    However, I've built a little test environment and while I can get the new VLAN traffic tunneled and originating from the correct anchor controller with no layer 2 security, as soon as I turn on WEP or WPA security options it stops working. I can't find anything in documents or this forum to show auto-anchor mobility with anything other than unsecured guest WLANs.
    Am I trying to do something unsupported or is it just an error on my part?

    Hi Greg,
    no, the users are internal so I only want to use L2 security. I can't see that L3 should be a problem to add on though. I'm using 3.2.x of the WLC code - so there is no "Guest LAN" mode - I was playing with the new versions and it looks like L2 security is disabled in that mode?
    If you want to see how I got my bit working I would be happy to share my doco when I'm done.
    regards,
    Aaron

  • AP group vs WLAN override interface priority

    Hi,
    SW version 4.2.207.0
    Which interface (VLAN ID) of an SSID has priority when an AP is configured with WLAN override: the one configured in the AP group or the one configured on the WLAN SSID?
    Example:
    LAP1 is in AP group with SSID1 to interface VLAN2 mapping
    WLAN SSID1 has mapping to interface VLAN3
    LAP1 has WLAN override enable for SSID1.
    Clients connected to LAP1 will be in VLAN2 or VLAN3?
    Thanks for clarifying.

    Clients will be connecting to VLAN3. WLAN override controls which WLANs are enabled/broadcast on a specific AP, while AP groups override the WLAN-to-VLAN mappings.
    http://www.cisco.com/en/US/docs/wireless/controller/4.2/configuration/guide/c42wlan.html#wp1127323
    Configuring WLAN Override
    By default, access points transmit all defined WLANs on the controller. However, you can use the WLAN override option to select which WLANs are transmitted and which are not on a per access point basis. For example, you can use WLAN override to control where in the network the guest WLAN is transmitted, or you can use it to disable a specific WLAN in a certain area of the network.
    Configuring Access Point Groups
    In a typical deployment, all users on a WLAN are mapped to a single interface on the controller. Therefore, all users associated with that WLAN are on the same subnet or VLAN. However, you can override this default WLAN setting to distribute the load among several interfaces or to group users based on specific criteria such as individual departments (for example, marketing) by creating access point groups (formerly known as site-specific VLANs). Additionally, these access point groups can be configured in separate VLANs to simplify network administration.
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008073c723.shtml
    AP Group VLANs with Wireless LAN Controllers Configuration Example

  • Not able to form EoIP tunnel with anchor WLC

    Hi all,
    I have a WLC at a remote site that is supposed to form an EoIP tunnel with 2 anchor WLCs located at a data center. From the site WLC and the anchor WLCs, the mobility show UP on both ends. Also I can ping to the mobility peers from each end. However, when I look into the client details on the remote site WLC, there is no Mobility Anchor IP address, which tells me that the EoIP tunnel between the site and anchor controller is not forming for some reason. Any idea what I could be missing?
    (WOHW-WC01) >show client detail 0c:3e:9f:ab:db:ed
    Client MAC Address............................... 0c:3e:9f:ab:db:ed
    Client Username ................................. N/A
    AP MAC Address................................... 0c:68:03:b9:44:70
    AP Name.......................................... WOHW-LAP016
    Client State..................................... Associated
    Client NAC OOB State............................. Access
    Wireless LAN Id.................................. 66
    Hotspot (802.11u)................................ Not Supported
    BSSID............................................ 0c:68:03:b9:44:72
    Connected For ................................... 1469 secs
    Channel.......................................... 6
    IP Address....................................... Unknown
    Gateway Address.................................. Unknown
    Netmask.......................................... Unknown
    IPv6 Address..................................... fe80::1c1a:e07c:dd48:bc7e
    Association Id................................... 3
    Authentication Algorithm......................... Open System
    Reason Code...................................... 1
    Status Code...................................... 0
    Session Timeout.................................. 0
    Client CCX version............................... No CCX support
    QoS Level........................................ Bronze
    802.1P Priority Tag.............................. disabled
    CTS Security Group Tag........................... Not Applicable
    KTS CAC Capability............................... No
    WMM Support...................................... Enabled
      APSD ACs.......................................  BK  BE  VI  VO
    Power Save....................................... ON
    Current Rate..................................... m7
    Supported Rates.................................. 9.0,12.0,18.0,24.0,36.0,48.0,
        ............................................. 54.0
    Mobility State................................... None
    Mobility Move Count.............................. 0
    Security Policy Completed........................ No
    Policy Manager State............................. STATICIP_NOL3SEC
    >>> No Mobility peer IP address <<<<
    (WOHW-WC01) >show mobility anchor wlan 66
    Mobility Anchor Export List
     WLAN ID     IP Address            Status
     66          137.183.242.149       Up                              
     66          137.183.242.150       Up                              
    (WOHW-WC01) >show mobility sum           
    Mobility Architecture ........................... Flat
    Mobility Protocol Port........................... 16666
    Default Mobility Domain.......................... WOHW_ENT1
    Multicast Mode .................................. Disabled
    Mobility Domain ID for 802.11r................... 0x9cbf
    Mobility Keepalive Interval...................... 10
    Mobility Keepalive Count......................... 3
    Mobility Group Members Configured................ 3
    Mobility Control Message DSCP Value.............. 0
    Controllers configured in the Mobility Group
     MAC Address        IP Address       Group Name                        Multicast IP     Status
     bc:16:65:f9:18:60  137.183.242.150  CIN_GUEST1                        0.0.0.0          Up
     e0:2f:6d:7c:42:20  143.27.201.52    WOHW_ENT1                         0.0.0.0          Up
     f8:72:ea:ee:a0:00  137.183.242.149  CIN_GUEST1                        0.0.0.0          Up

    It works now. I changed the NAC state to "Radius-NAC". Now the mobility hand-off is occurring. 
    (WOHW-WC01) >show wlan 66 
    WLAN Identifier.................................. 66
    Profile Name..................................... PGGuest
    Network Name (SSID).............................. PGGuest
    Status........................................... Enabled
    MAC Filtering.................................... Enabled
    Broadcast SSID................................... Enabled
    AAA Policy Override.............................. Enabled
    Network Admission Control
      Client Profiling Status ....................... Disabled
       DHCP ......................................... Disabled
       HTTP ......................................... Disabled
      Radius-NAC State............................... Enabled

  • WLC Applying cached RADIUS Override values for mobile

    Hello!
    We have a WiSM2 (version 7.4.110.0) with approx 200 APs. We are doing RADIUS authentication via a PacketFence backend. Everything usually works fine, but we are having an intermittent issue...
    The WiSM2 gets its VLAN assignment for a client from the PacketFence server and does AAA override. If a client has not registered their device, they go on one VLAN. Once they register, PacketFence disconnects them via RADIUS to the WiSM2, and then they should get their new VLAN assignment. This works fine in the majority of cases, but occasionally, after registering, the client disconnects and reconnects but is still put back on the registration VLAN.
    debug client mac shows this in the logs:
    Applying cached RADIUS Override values for mobile 00:25:56:3d:f6:7b (caller pem_api.c:2210)
    And I do not see the WiSM2 asking the PacketFence server for a VLAN assignment in the PacketFence logs.
    Eventually, if the client stays disconnected long enough (5+ minutes), they can reconnect and get the proper VLAN assignment. I had previously opened a TAC about this, and they suggested a WiSM2 software upgrade and setting the Session Timeout on the WLAN to 900 seconds, which I did. This issue then disappeared for several weeks, but it has started happening again today (we saw it happen to about 15 clients throughout the day).
    Anyone have any ideas on why this is happening, and how to stop the caching? Any thoughts would be greatly appreciated.
    Here is the output from a show wlan of one of our WLANs we have seen this on:
    WLAN Identifier.................................. 2
    Profile Name..................................... BlitzNet
    Network Name (SSID).............................. BlitzNet
    Status........................................... Enabled
    MAC Filtering.................................... Enabled
    Broadcast SSID................................... Enabled
    AAA Policy Override.............................. Enabled
    Network Admission Control
      Client Profiling Status ....................... Disabled
       DHCP ......................................... Disabled
       HTTP ......................................... Disabled
      Radius-NAC State............................... Disabled
      SNMP-NAC State................................. Disabled
      Quarantine VLAN................................ 0
    Maximum number of Associated Clients............. 0
    Maximum number of Clients per AP Radio........... 200
    Number of Active Clients......................... 538
    Exclusionlist Timeout............................ 60 seconds
    Session Timeout.................................. 900 seconds
    User Idle Timeout................................ 300 seconds
    User Idle Threshold.............................. 0 Bytes
    NAS-identifier................................... WISM2_SDC
    CHD per WLAN..................................... Enabled
    Webauth DHCP exclusion........................... Disabled
    Interface........................................ blitznet
    Multicast Interface.............................. Not Configured
    WLAN IPv4 ACL.................................... unconfigured
    WLAN IPv6 ACL.................................... unconfigured
    mDNS Status...................................... Disabled
    mDNS Profile Name................................ unconfigured
    DHCP Server...................................... Default
    DHCP Address Assignment Required................. Disabled
    Static IP client tunneling....................... Disabled
    PMIPv6 Mobility Type............................. none
    Quality of Service............................... Silver
    Per-SSID Rate Limits............................. Upstream          Downstream
    Average Data Rate................................   0                      0
    Average Realtime Data Rate.......................   0                      0
    Burst Data Rate..................................   0                      0
    Burst Realtime Data Rate.........................   0                      0
    Per-Client Rate Limits........................... Upstream          Downstream
    Average Data Rate................................   0                      0
    Average Realtime Data Rate.......................   0                      0
    Burst Data Rate..................................   0                      0
    Burst Realtime Data Rate.........................   0                      0
    Scan Defer Priority.............................. 4,5,6
    Scan Defer Time.................................. 100 milliseconds
    WMM.............................................. Allowed
    WMM UAPSD Compliant Client Support............... Disabled
    Media Stream Multicast-direct.................... Disabled
    CCX - AironetIe Support.......................... Enabled
    CCX - Gratuitous ProbeResponse (GPR)............. Disabled
    CCX - Diagnostics Channel Capability............. Disabled
    Dot11-Phone Mode (7920).......................... Disabled
    Wired Protocol................................... None
    Passive Client Feature........................... Disabled
    Peer-to-Peer Blocking Action..................... Drop
    Radio Policy..................................... All
    DTIM period for 802.11a radio.................... 1
    DTIM period for 802.11b radio.................... 1
    Radius Servers
       Authentication................................ ipofradiusserver 1812
       Accounting.................................... Global Servers
          Interim Update............................. Disabled
       Dynamic Interface............................. Disabled
       Dynamic Interface Priority.................... wlan
    Local EAP Authentication......................... Disabled
    Security
       802.11 Authentication:........................ Open System
       FT Support.................................... Disabled
       Static WEP Keys............................... Disabled
       802.1X........................................ Disabled
       Wi-Fi Protected Access (WPA/WPA2)............. Disabled
       WAPI.......................................... Disabled
       Wi-Fi Direct policy configured................ Disabled
       EAP-Passthrough............................... Disabled
       CKIP ......................................... Disabled
       Web Based Authentication...................... Disabled
       Web-Passthrough............................... Disabled
       Conditional Web Redirect...................... Disabled
       Splash-Page Web Redirect...................... Disabled
       Auto Anchor................................... Disabled
       FlexConnect Local Switching................... Disabled
       flexconnect Central Dhcp Flag................. Disabled
       flexconnect nat-pat Flag...................... Disabled
       flexconnect Dns Override Flag................. Disabled
       FlexConnect Vlan based Central Switching ..... Disabled
       FlexConnect Local Authentication.............. Disabled
       FlexConnect Learn IP Address.................. Disabled
       Client MFP.................................... Optional but inactive (WPA2 not configured)
       PMF........................................... Disabled
       PMF Association Comeback Time................. 1
       PMF SA Query RetryTimeout..................... 200
       Tkip MIC Countermeasure Hold-down Timer....... 60
    AVC Visibilty.................................... Disabled
    AVC Profile Name................................. None
    Flow Monitor Name................................ None
    Call Snooping.................................... Disabled
    Roamed Call Re-Anchor Policy..................... Disabled
    SIP CAC Fail Send-486-Busy Policy................ Enabled
    SIP CAC Fail Send Dis-Association Policy......... Disabled
    KTS based CAC Policy............................. Disabled
    Assisted Roaming Prediction Optimization......... Disabled
    802.11k Neighbor List............................ Disabled
    802.11k Neighbor List Dual Band.................. Disabled
    Band Select...................................... Disabled
    Load Balancing................................... Disabled
    Multicast Buffer................................. Disabled
    Mobility Anchor List
    WLAN ID     IP Address            Status
    802.11u........................................ Disabled
    MSAP Services.................................. Disabled

    There is nothing in the RADIUS server logs. It is as if the WiSM2 does not talk to it for the 2nd request. The flow for a problem client is like this:
    1. New client associates
    2. WiSM asks RADIUS server for VLAN
    3. RADIUS Server hasn't seen it, so it puts it on VLAN 84 (our registration VLAN)
    4. Client goes through captive portal
    5. RADIUS server sends disconnect client message to WiSM
    6. Client disconnects, reconnects
    7. WiSM2 puts it back on VLAN 84, when it should put it on a VLAN determined by the SSID. The WiSM2 never asks the RADIUS server for the VLAN again, until the client has stayed disconnected for 5+ minutes, and I see the message in the wism2 log that I wrote above.
    In the vast majority of cases, step 7 works properly. That is, when the client reconnects, it asks the RADIUS server what VLAN to put it on (I see it in the RADIUS server logs). I see the second request come in, and the RADIUS server replies with appropriate VLAN for the SSID.
    After they get their proper VLAN, this doesn't occur again. It is as if the RADIUS server caches the client's VLAN override attribute somewhere and uses that, rather than asking the RADIUS server.
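    The seven-step flow above describes a detectable pattern: a Disconnect-Request for a client followed by the controller's "Applying cached RADIUS Override values" message with no fresh Access-Request in between. The following is an added example written for this page, not code from the thread, from Cisco or from PacketFence, that correlates those events per client MAC; the controller line is the debug message quoted in the post, while the RADIUS-side lines use a constructed `event=... mac=...` format that a real deployment would have to map from its own server logs.

```python
import re

# The one message the controller logs in the failure case (quoted in the post).
CACHED_RE = re.compile(
    r"Applying cached RADIUS Override values for mobile ([0-9A-Fa-f:]{17})")
# Constructed key=value syntax used for the RADIUS-side events in the sample log.
KV_RE = re.compile(r"(\w[\w-]*)=(\S+)")

def parse_event(line):
    """Return (timestamp, mac, kind) or None.

    kind is one of access-request, access-accept, disconnect-request (RADIUS
    side) or cached-override (controller debug)."""
    ts, _, rest = line.strip().partition(" ")
    m = CACHED_RE.search(rest)
    if m:
        return ts, m.group(1).lower(), "cached-override"
    kv = dict(KV_RE.findall(rest))
    if "mac" in kv and "event" in kv:
        return ts, kv["mac"].lower(), kv["event"]
    return None

def find_stale_overrides(lines):
    """Flag clients whose reconnect after a Disconnect-Request was authorized
    from cached override values instead of a fresh Access-Request.

    Returns [(mac, disconnect_ts, cached_override_ts), ...]."""
    awaiting_reauth = {}          # mac -> timestamp of the Disconnect-Request
    stale = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        ts, mac, kind = ev
        if kind == "disconnect-request":
            awaiting_reauth[mac] = ts
        elif kind == "access-request":
            awaiting_reauth.pop(mac, None)    # healthy: RADIUS was asked again
        elif kind == "cached-override" and mac in awaiting_reauth:
            stale.append((mac, awaiting_reauth.pop(mac), ts))
    return stale

# Constructed sample: one client hits the cache, one re-authenticates normally.
SAMPLE_LOG = """\
09:00:01 radius event=access-request mac=00:25:56:3d:f6:7b
09:00:01 radius event=access-accept mac=00:25:56:3d:f6:7b vlan=84
09:00:05 radius event=access-request mac=aa:bb:cc:dd:ee:01
09:00:05 radius event=access-accept mac=aa:bb:cc:dd:ee:01 vlan=84
09:04:30 radius event=disconnect-request mac=00:25:56:3d:f6:7b
09:04:32 wlc Applying cached RADIUS Override values for mobile 00:25:56:3d:f6:7b (caller pem_api.c:2210)
09:06:10 radius event=disconnect-request mac=aa:bb:cc:dd:ee:01
09:06:12 radius event=access-request mac=aa:bb:cc:dd:ee:01
09:06:12 radius event=access-accept mac=aa:bb:cc:dd:ee:01 vlan=20
"""

if __name__ == "__main__":
    for mac, t_disc, t_cache in find_stale_overrides(SAMPLE_LOG.splitlines()):
        print("%s reused cached override at %s (Disconnect-Request was at %s)"
              % (mac, t_cache, t_disc))
```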
