Assign Vlan to SSID

I have a few Cisco 1141n that are standalone APs that have one SSID on them. I would like to assign the SSID to vlan 2 but also be able to keep the native vlan 1 as a trunk port on it for SNMP graphing as well as management of the AP. My router is going to route the traffic and my switch is the DHCP server for both VLANs. How would I go about putting SSID J&B2 on vlan 2 but keeping the 10.10.1.0 network (vlan 1) as the IP address for management? I'm guessing it would be something along the lines of a sub interface but I am lost on do I create the sub interface on the gigabit port or the dot11radio0 interface or both?
I've attached a copy of my current config. Thank you for helping me figure this out. 

Hi JK,
Following config will do it for you
dot11 ssid J&B2
   vlan 2
   authentication open
   authentication key-management wpa version 2
   guest-mode
   wpa-psk ascii 7 14141D061C113E2E662F2627370054455B5817
interface Dot11Radio0
 encryption mode ciphers aes-ccm
 ssid J&B2
 no shut
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 bridge-group 1
interface Dot11Radio0.2
 encapsulation dot1Q 2
 bridge-group 2
interface GigabitEthernet0.1
 encapsulation dot1Q 1 native
 bridge-group 1
interface GigabitEthernet0.2
 encapsulation dot1Q 2
 bridge-group 2
interface BVI1
 ip address 10.10.1.252 255.255.255.0
ip default-gateway 10.10.1.253
******* SWITCH PORT ******
interface GigabitEthernetx/x
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 1
 switchport trunk allowed vlan 1-2
 switchport mode trunk
Initial config used for this post will help you as well.
http://mrncciew.com/2013/11/14/autonomous-ap-with-external-radius/
HTH
Rasika
**** Pls rate all useful responses ***

Similar Messages

  • RADIUS-assigned VLANs are not supported when you enable multiple BSSIDs

    Could someone please tell me is this 100% correct?
    "RADIUS-assigned VLANs are not supported when you enable multiple BSSIDs"
    Any ideas why? Does anyone have a way around this?
    As a workaround I was thinking of setting up one broadcast SSID for guests and one non-broadcast SSID for RADIUS assigned VLANs, however I'd prefer to have both broadcast due to numerous Vista and PDA connection issues.

    Hi.
    Thanks for your reply.
    That is what I would like to do; have one SSID and assign the users to different VLANs based on policy.
    I have all the VLANs and subinterfaces set up correctly and working independently, but the VLAN assignment does not seem to work correctly.
    If I do a "show dot11 association all-client" the RADIUS attribute appears to have altered the VLAN, but the device has no connectivity and cannot DHCP.
    This is with 1130AG in autonomous mode and Microsoft IAS as RADIUS.
    Apparently there may be a problem with mbssid and RADIUS assigned VLANs.

  • Assigning VLAN through WPA

    Our access point is ap1240 and using radius server to authenticate users. I'm trying to assign vlan based on the user authentication by using radius attributes 64, 65 and 81 described in
    http://cisco.com/en/US/products/hw/wireless/ps430/products_configuration_guide_chapter09186a0080607188.html#wp1038739
    but this seems to be not working. I am using WPA with TKIP and key rotation. If I don't set these aaa attributes users are authenticated and placed in the default vlan assigned to the SSID. If I set the attributes but keep the VLAN ID the same as the one assigned to SSID then the user is connected no problem.
    In the guide (above link) there is a note about this feature not working when cipher suite is different and if you are using WPA or CCKM. Is this what is happening with my case here?
    fred

    Take a look at the following doc...
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml

  • Multiple Vlans Per SSID

    Hi
    We are just putting in a new Controller - 5500 type
    We are using a WCS.
    Someone has raised the issue of whether we can have multiple vlans
    per SSID - as otherwise we may have very large broadcast domains
    due to the overall design being to have  Maybe 3 SSIDs
    Guest
    Staff
    Engineering
    I think in SWAN we could get away with dynamic vlans.
    We would like to have multiple vlans in each SSID to avoid the above.
    Can we do this in the new setup.
    Kind Regards
    Steve

    Hi Steve,
    yes it works just the same.
    Enable AAA override on the controller and have interfaces configured for each vlan. Then the ACS can simply push the vlan depending on the user authentication. Users are then split in separate vlans.
    Another way of doing is to group APs. You can have a group of APs serving SSID Guest in vlan 1, Employee in vlan 2 and another group of APs serving the same SSIDs but in vlan 3 and 4. It's "per-user" vlan load balancing or "geographic" vlan load balancing.
    However, broadcast domains should not be a major concern in wireless as broadcasts are blocked by default. The WLC will proxy for ARP and DHCP.
    Regards,
    Nicolas

  • Assign VLAN by MAC for one device

    Is it possible to assign a single device to a vlan by its mac address? 
    On a Dell 6248 I could use
    vlan association mac 1111.2222.3333 12

    Hi,
    I don't think there is a command to assign a device to a VLAN by using its MAC address. But it can be done by setting up a VMPS (Vlan Membership policy server), which dynamically assigns VLANs to the devices using their MAC or IP address.
    Rate if you find this helpful.
    Regards,
    Chandu

  • Vlan and SSID not showing in AP Web Interface

    We have a couple of APs that do not show the Vlans and SSIDs through the AP web interface.  If you go to the SSID manager page in web interface, the page comes up but does not show any of the SSIDs configured.  The same goes for Services - Vlan.  That page comes up but does not show any Vlans configured.  If you telnet to the APs, you see the listed mssid and all the SSID interfaces.  The SSIDs on the APs are functional and working.  This just makes it difficult to use the web interface for these APs.  I have tried to compare running configs on APs where web interface is not showing this and on APs that it is showing but cannot see any differences.
    Thanks.

    Unsupported things are never documented. You can't possibly list all browsers that you don't support.
    But if it's not mentioned clearly as supported then it means "it might work but we never tested with it".
    Let us know how it goes with the 12.4.21
    Nicolas
    ===
    Don't forget to rate answers that you find useful

  • Assign VLAN from freeradius to Cisco 3550 Switch

    Hi All,
    I am trying to assign VLAN from freeradius to a Cisco 3550 switch but it's not working.
    I keep getting those lines in the cisco switch debug:
    3w6d: RADIUS:  Tunnel-Medium-Type  [65]  6   01:Unsupported            [6]
    3w6d: RADIUS:  Tunnel-Type         [64]  6   01:Unsupported            [13]
    What does it mean? Any idea how to solve this?
    Below freeradius conf and switch debug.
    Thanks.
    Configuration on freeradius users file:
    wassim    Cleartext-Password := "wassim"
            Tunnel-Medium-Type:1 = IEEE-802,
            Tunnel-Type:1 = VLAN,
            Tunnel-Private-Group-Id:1 = 100
    Cisco Switch debug log:
    3w6d: RADIUS:  authenticator 99 15 53 A6 AB B7 0B 75 - 9F A7 5F 27 8F F1 2E 67
    3w6d: RADIUS:  NAS-IP-Address      [4]   6   192.168.1.8              
    3w6d: RADIUS:  NAS-Port            [5]   6   50023                    
    3w6d: RADIUS:  NAS-Port-Type       [61]  6   Eth                       [15]
    3w6d: RADIUS:  User-Name           [1]   8   "wassim"
    3w6d: RADIUS:  Called-Station-Id   [30]  19  "00-15-F9-F8-4E-97"
    3w6d: RADIUS:  Calling-Station-Id  [31]  19  "00-1A-80-3F-F6-A1"
    3w6d: RADIUS:  Service-Type        [6]   6   Framed                    [2]
    3w6d: RADIUS:  Framed-MTU          [12]  6   1500                     
    3w6d: RADIUS:  State               [24]  18 
    3w6d: RADIUS:   DB C1 1C E7 DE C7 09 5E 75 5E 5B 0F 23 3A 54 E7  [???????^u^[?#:T?]
    3w6d: RADIUS:  EAP-Message         [79]  69 
    3w6d: RADIUS:   02 06 00 43 15 00 17 03 01 00 38 BF 71 FC FA 04  [???C??????8?q???]
    3w6d: RADIUS:   BE DC FD CC 03 D2 7F 8B 09 63 2C B2 AE D8 AC 61  [?????????c,????a]
    3w6d: RADIUS:   64 21 2B 00 ED 0E 6E E8 B0 49 50 6B 99 B8 88 A4  [d!+???n??IPk????]
    3w6d: RADIUS:   36 C6 FD B9 F0 77 2D 82 28 0A 37 D1 D4 73 B4 59  [6????w-?(?7??s?Y]
    3w6d: RADIUS:   F9 37 E6                                         [?7?]
    3w6d: RADIUS:  Message-Authenticato[80]  18 
    3w6d: RADIUS:   A2 59 A3 DE A6 98 5F 78 25 12 59 BB 4D B8 74 F0  [?Y????_x??Y?M?t?]
    3w6d: RADIUS: Received from id 1645/123 192.168.1.57:1812, Access-Accept, len 186
    3w6d: RADIUS:  authenticator C0 31 7F D7 A6 D4 1F C8 - 27 AA F0 99 EA 1F 92 C3
    3w6d: RADIUS:  Tunnel-Medium-Type  [65]  6   01:Unsupported            [6]
    3w6d: RADIUS:  Tunnel-Type         [64]  6   01:Unsupported            [13]
    3w6d: RADIUS:  Tunnel-Private-Group[81]  6   01:"100"
    3w6d: RADIUS:  Vendor, Microsoft   [26]  58 
    3w6d: RADIUS:   MS-MPPE-Recv-Key   [17]  52 
    3w6d: RADIUS:   86 8B 3E 74 76 E7 CB 9A 8F EF F5 9C 16 2E 88 1A  [??>tv????????.??]
    3w6d: RADIUS:   12 3B 80 A6 E9 9B B6 6F E6 63 C8 AA B0 DB 0E 76  [?;?????o?c?????v]
    3w6d: RADIUS:   61 C1 6A 5D 62 BD 72 BE 78 C8 9D 4D A7 3F 54 35  [a?j]b?r?x??M??T5]
    3w6d: RADIUS:   40 DC                                            [@?]
    3w6d: RADIUS:  Vendor, Microsoft   [26]  58 
    3w6d: RADIUS:   MS-MPPE-Send-Key   [16]  52 
    3w6d: RADIUS:   8A 61 97 87 78 FD CA 16 8D F0 ED 75 C0 70 93 AE  [?a??x??????u?p??]
    3w6d: RADIUS:   71 EF 5A 21 53 35 A4 88 F9 84 16 83 10 43 6E 9E  [q?Z!S5???????Cn?]
    3w6d: RADIUS:   AB A7 8B 56 6C 42 0D AB 09 1D 82 D3 CB 7E 6C B8  [???VlB???????~l?]
    3w6d: RADIUS:   56 58                                            [VX]
    3w6d: RADIUS:  EAP-Message         [79]  6  
    3w6d: RADIUS:   03 06 00 04                                      [????]
    3w6d: RADIUS:  Message-Authenticato[80]  18 
    3w6d: RADIUS:   82 4B 64 0F 07 64 59 18 0F 27 07 95 A5 15 09 33  [?Kd??dY??'?????3]
    3w6d: RADIUS:  User-Name           [1]   8   "wassim"
    3w6d: RADIUS: EAP-login: length of eap packet = 4
    3w6d: RADIUS: Tunnel-MType, [01] 00 00 06
    3w6d: RADIUS: TAS(1) created and enqueued.
    3w6d: RADIUS: Tunnel-Type, [01] 00 00 0D
    3w6d: RADIUS: Tunnel-GID, [01] 100
    3w6d: RADIUS: unrecognized Microsoft VSA type 17
    3w6d: RADIUS: unrecognized Microsoft VSA type 16
    3w6d: RADIUS: TAS(1) takes precedence over tagged attributes, tunnel_type=vlan
    3w6d: RADIUS: free TAS(1)
    3w6d: RADIUS: no appropriate authorization type for user.
    3w6d: RADIUS: Tunnel-MType, [01] 00 00 06
    3w6d: RADIUS: TAS(1) created and enqueued.
    3w6d: RADIUS: Tunnel-Type, [01] 00 00 0D
    3w6d: RADIUS: unrecognized Microsoft VSA type 17
    3w6d: RADIUS: unrecognized Microsoft VSA type 16
    3w6d: RADIUS: TAS(1) takes precedence over tagged attributes, tunnel_type=vlan
    3w6d: RADIUS: free TAS(1)
    3w6d: RADIUS: no appropriate authorization type for user.
    3w6d: RADIUS: Tunnel-MType, [01] 00 00 06
    3w6d: RADIUS: TAS(1) created and enqueued.
    3w6d: RADIUS: Tunnel-Type, [01] 00 00 0D
    3w6d: RADIUS: unrecognized Microsoft VSA type 17
    3w6d: RADIUS: unrecognized Microsoft VSA type 16
    3w6d: RADIUS: TAS(1) takes precedence over tagged attributes, tunnel_type=vlan
    3w6d: RADIUS: free TAS(1)
    3w6d: RADIUS: no appropriate authorization type for user.
    3w6d: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/23, changed state to up

    I believe you should be using the numerical values in your fields, look at this one :
    http://www.scribd.com/doc/75788651/52/X-with-VLAN-Assignment
    Tunnel-Medium-Type:1 = 6
    Tunnel-Type:1 = 13
    Tunnel-Private-Group-Id:1 =
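
The three tunnel attributes in the debug output above, decoded as an added Python example (not code from the thread): each tagged attribute is a tag byte followed by its value per RFC 2868, and a VLAN assignment needs the RFC 3580 triplet under one tag. The byte string is constructed from the values the debug prints (`[01] 00 00 06`, `[01] 00 00 0D`, `01:"100"`), and the function names are hypothetical.

```python
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
VLAN, IEEE_802 = 13, 6            # values RFC 3580 requires for VLAN assignment

# Constructed attribute bytes mirroring the Access-Accept in the debug output:
# type, length 6, tag 01, then 00 00 06 / 00 00 0D / "100".
ACCEPT_ATTRS = bytes.fromhex("410601000006" "40060100000d" "510601313030")


def iter_attributes(buf):
    """Yield (type, value) for each RADIUS attribute TLV in buf."""
    pos = 0
    while pos < len(buf):
        if len(buf) - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = buf[pos], buf[pos + 1]
        if alen < 2 or pos + alen > len(buf):
            raise ValueError(f"bad length {alen} for attribute {atype}")
        yield atype, buf[pos + 2:pos + alen]
        pos += alen


def decode_tunnel(atype, value):
    """Return (tag, decoded value) for one tunnel attribute (RFC 2868 layout)."""
    if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
        if len(value) != 4:
            raise ValueError("expected a tag byte plus a 3-byte value")
        return value[0], int.from_bytes(value[1:], "big")
    # Tunnel-Private-Group-ID: a first byte above 0x1F is part of the string,
    # not a tag, so the attribute is treated as untagged (tag 0).
    if value and value[0] <= 0x1F:
        return value[0], value[1:].decode("ascii")
    return 0, value.decode("ascii")


def vlan_assignments(buf):
    """Return {tag: vlan_id} for every tag that carries the complete triplet."""
    by_tag = {}
    for atype, value in iter_attributes(buf):
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID):
            tag, decoded = decode_tunnel(atype, value)
            by_tag.setdefault(tag, {})[atype] = decoded
    result = {}
    for tag, attrs in by_tag.items():
        if (attrs.get(TUNNEL_TYPE) == VLAN
                and attrs.get(TUNNEL_MEDIUM_TYPE) == IEEE_802
                and TUNNEL_PRIVATE_GROUP_ID in attrs):
            result[tag] = attrs[TUNNEL_PRIVATE_GROUP_ID]
    return result


if __name__ == "__main__":
    print(vlan_assignments(ACCEPT_ATTRS))
```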

  • Dynamic vlan assignment with single SSID

    Hi All,
    I have 300 APs deployed  and  concurrent client associations that number 3000+ daily
    at the moment I have a single subnet for all users, there is no authentication just a click through
    page with email entry to gain access.
    The APs are assigned to groups based upon the building zone they are in, is it possible to
    assign a vlan based upon the AP the user is associated to but still only broadcast a single SSID.
    TIA

    You can assign dynamic vlan for 802.1X authentication using aaa override from RADIUS server.
    In your case, since it is webconsent ssid you can use AP groups to put clients on different vlans per the AP group
    Sent from Cisco Technical Support iPhone App

  • Multiple VLANs per SSID with local switch

    Is it possible to use an 'AP Group' or 'Interface group' to assign multiple VLANs to a WLAN when remote, h-reap APs are in local switch mode? 
    If not, is there a way to overcome 500 maximum host per VLAN when APs are local switching?
    Thanks!

    Don't think it's possible...
    I dunno if the following config will even work but you can have the hreap APs connected at the remote site to map to different vlans...
    Example:
    AP1 -- ssid 1 --- vlan 10
    AP2 -- ssid 1 --- vlan 11 and so forth..
    Sounds crazy but I'll have to ponder on this a bit more.. Need a pen and paper to draw a quick topology :)...
    Sent from Cisco Technical Support iPhone App

  • AP groups with same vlans , same ssid but different subnet.

    Hi Members,
    I have a Cisco Flex 7500 in my datacenter and I need to connect 100 sites, each site with 2-3 APs. Each site has its own network and is independent of other sites; the sites only need to communicate locally and do not need to access any centralized applications.
    I am trying to achieve this by creating 100 different AP groups and assigning 2-3 APs to each group for each branch. I will achieve WAN failover resiliency by creating a flexconnect group. The issues I am facing are as below.
    1. Since all the sites have the same setup, the APs and clients on all sites are in vlan 2, so when I try to create 2 or more AP groups with the same vlan, it restricts me from doing so; I cannot create different AP groups mapped to the same Vlan.
    2. If I keep the APs and clients in the same subnet, I don't think it should be a problem, but I need your second opinion.
    To give you an even better picture, look at the topology enclosed. My question is, if both STAFF and STUDENT APs are in the same vlan but in 2 different broadcast domains, how would I create the AP groups?
    Thank you

    Thanks for the reply Jenn , here is my situation.
    I have 2 sites, let's say site A in Virginia, site B in Maryland.
    SiteA - 10.1.1.0/24 - vlan 2
               10.1.2.0/24 - vlan 3
               10.1.3.0/30 - WAN to central site where controller sits.
    SiteB - 10.2.1.0/24 - vlan 2
               10.2.2.0/24 - vlan 3
               10.2.3.0/30 - WAN to central site where controller sits.
    both the sites will have a single ssid "XYZ" and will switch locally only.
    howin my understanding the way I will deploy this is as below
    1.I will create WLAN with ssid "XYZ".
    2.I will create 2 AP groups lets say "Site-A" and "Site-B"
    3.I will map the APs in site A to AP group "Site-A" and APs in Site B to "Site-B"
    4.I will create 2 dynamic interfaces one for each AP group , now this is where I am facing problem , when I am creating dynamic interfaces , I need to specify the subnet and vlans when creating dynamic interfaces , since the vlans used is same on both sites , it's not letting me create 2 interfaces with same vlan id.
    in my understanding HREAP is only majorly used for WAN failover and local authentication so I am not concerned about that right now , my prime work is to understand the AP group and working.
    if you still need print shot let me know I will have to go at site.
    also validate if my thinking is right on the 4 steps I have mentioned above , I am new to wireless and whatever I have learned I have learned in last 10 days .
    Appreciate your help.
    Thank you

  • Light weight access point, vlans, multiple ssids

    Hi everybody
    Let say we have an light weight access point ap1.  Ap1 is broadcasting two ssids:
    cisco1  which is mapped to vlan 1
    cisco 2  which is mapped to vlan 2
    If ap1 is using channel 6 for cisco 1, does it mean ap1 will also use same channel i.e channel 6 for cisco2?
    thanks and have a great weekend.

    sarahr202 wrote:
    Hi everybody
    Let say we have an light weight access point ap1.  Ap1 is broadcasting two ssids:
    cisco1  which is mapped to vlan 1
    cisco 2  which is mapped to vlan 2
    If ap1 is using channel 6 for cisco 1, does it mean ap1 will also use same channel i.e channel 6 for cisco2?
    thanks and have a great weekend.
    Lightweight WAP right?  As in controller-based WAP?
    If this is the case, then the answer is both a yes and a no.
    Let me explain:
    Throw away the notion that you can set the channel down.  I mean, if you have a controller-based WAP, the last thing you want to do is "micro-manage" which channels your WAPs operate on.   I mean, you can but as a rule-of-thumb, you don't and let the controller sort things out.
    So, going back to your question:  You have multiple WAPs and two SSID:  1 and 2.  Let's presume that you've configured that all your WAPs will be broadcasting SSID 1 and SSID 2.
    The decision about what channels each WAP will be operating on falls squarely on the Wireless LAN Controller (WLC).  The WLC makes this decision based on a blah-blah-blah algorithm.  If, for example, WAP A and, say, WAP R can "hear" each other on the same channel, the WLC will make the decision and say, "Hey WAP R, since you and WAP A are operating in the same channel and both of you can hear each other, why don't you, WAP R, operate in channel 11.".
    However, if WAP A and WAP R can't see each other then both of them can operate in the same channel.
    NOW, here comes the tricky question ... Here's the scenario:  You have SSID 1 and SSID 2.  You want all your WAPs to broadcast both SSID.  HOWEVER, you want SSID 1 to operate at, say, 1 Mbps rate only while SSID 2 can operate at all other data rates.
    Yes, this can be done using RF Profile and AP Groups.
    Is this what you are asking?

  • WLC 7.4.110.0 where native vlan and SSID vlan is the same vlan

    Hi
    We have app. 1500 access points in app. 500 locations. WLCs are WiSM2s running 7.4.110.0. The AP are 1131LAPs. In a FlexConnect configuration we use vlan 410 as native vlan and the ssid (LAN) also in vlan 410. This works fine, never had any problems with this.
    Now we have started use 1602 APs and the client connection on ssid LAN becomes unstable.
    If we configure an different ssid, using vlan 420 and native vlan as 410, everything works fine.
    I can't find any recommendations regarding the use of native vlan/ssid vlan
    Is there anyone experiencing similar problems? Is this a problem with my configuration or is it a bug within 1602 access points?
    Regards,
    Lars Christian

    It is the recommended design to put FlexConnect AP mgt into native vlan & user traffic to a tagged vlan.
    From the QoS perspective if you want to enforce WLC QoS profile values, you have to tag SSID traffic to a vlan (other than native vlan) & trust CoS on the switch port connected to FlexConnect AP (usually configured as trunk port)
    HTH
    Rasika
    **** Pls rate all useful responses ****

  • Auto assign vlan for Wireless AP 1142

    Hi,
    Instead of statically assigning a vlan to a switch port where the AP is connected, is there a way to use 802.1x or NAC to assign the right vlan to an AP itself (not the clients)?

    You should be able to do this if you setup switchport authentication on the switch the AP is connecting to and have the IETF attributes 64, 65, and 82 passed down from the Radius server.

  • Autonomous AP1121 - Management Vlan and SSID Vlan

    Hello,
    We are using an ACS server to authenticate wireless users to active directory this works fine. The issue occurs when we try to pull an ip and we can't from the dhcp. The vlan we have the SSID on is vlan 10 and the management vlan of the AP is vlan 500. The ip-helper info is correct because wired users on vlan 10 get an ip immediately. We just can't pull one with the AP. Does anyone know the config for this? Here is my current config, the client authenticate through the ACS 4.2 but pull no ip, the only way for me to manage the ap is to have the native vlan command on there, once I remove it I can't telnet. What is the fix for this? Thanks
    current switch port config ap is plugged into.
    interface FastEthernet1/0/48
    switchport trunk encapsulation dot1q
    switchport trunk native vlan 500
    switchport mode trunk

    Do you have sub interfaces for vlan 10 being bridged through the radio interface?
    Example config below...
    interface Dot11Radio0.10
    description Secure Wireless access
    encapsulation dot1Q 10
    no ip route-cache
    bridge-group 10
    bridge-group 10 subscriber-loop-control
    bridge-group 10 block-unknown-source
    no bridge-group 10 source-learning
    no bridge-group 10 unicast-flooding
    bridge-group 10 spanning-disabled
    interface FastEthernet0.10
    encapsulation dot1Q 10
    no ip route-cache
    bridge-group 10
    no bridge-group 10 source-learning
    bridge-group 10 spanning-disabled
    Also verify that vlan 10 is allowed on the trunk interface of the switch by typing "show int trunk"
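
The check behind this answer and the accepted answer in the first thread (every SSID VLAN needs a radio and a wired subinterface with the same dot1Q tag, each in a bridge-group), as an added Python example that is not code from either poster. `parse`, `audit` and both sample configs are constructed here, and the rule that the native VLAN sits in bridge-group 1 is an assumption taken from the BVI1 management setup shown in the first answer.

```python
import re

# Constructed sample modelled on the answers above; the PSK line is left out.
GOOD_CONFIG = """\
dot11 ssid J&B2
   vlan 2
interface Dot11Radio0
 ssid J&B2
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 bridge-group 1
interface Dot11Radio0.2
 encapsulation dot1Q 2
 bridge-group 2
interface GigabitEthernet0.1
 encapsulation dot1Q 1 native
 bridge-group 1
interface GigabitEthernet0.2
 encapsulation dot1Q 2
 bridge-group 2
interface BVI1
 ip address 10.10.1.252 255.255.255.0
"""
# Constructed failure case: the radio subinterface for VLAN 2 is missing, so
# clients can associate but their frames are never bridged to the wired VLAN.
BROKEN_CONFIG = GOOD_CONFIG.replace(
    "interface Dot11Radio0.2\n encapsulation dot1Q 2\n bridge-group 2\n", "")
SUBIF = re.compile(r"interface (Dot11Radio|GigabitEthernet|FastEthernet)\d+\.\d+$")


def parse(config):
    """Return ({ssid: vlan}, [subinterface dicts]) from an autonomous-AP config."""
    ssid_vlan, subifs, ssid, subif = {}, [], None, None
    for line in config.splitlines():
        words = line.split()
        if not words:
            continue
        if not line[0].isspace():              # a top-level line opens a new section
            ssid = subif = None
            m = SUBIF.match(line)
            if words[:2] == ["dot11", "ssid"] and len(words) == 3:
                ssid = words[2]
            elif m:
                kind = "radio" if m.group(1) == "Dot11Radio" else "wired"
                subif = {"name": words[1], "kind": kind, "vlan": None,
                         "native": False, "bg": None}
                subifs.append(subif)
        elif ssid and words[0] == "vlan" and len(words) == 2:
            ssid_vlan[ssid] = int(words[1])
        elif subif and words[:2] == ["encapsulation", "dot1Q"] and len(words) >= 3:
            subif["vlan"], subif["native"] = int(words[2]), "native" in words[3:]
        elif subif and words[0] == "bridge-group" and len(words) == 2:
            subif["bg"] = int(words[1])
    return ssid_vlan, subifs


def audit(config):
    """Return findings; an empty list means the SSID/VLAN plumbing is consistent."""
    ssid_vlan, subifs = parse(config)
    findings = []
    for ssid, vlan in sorted(ssid_vlan.items()):
        for kind in ("radio", "wired"):
            match = [s for s in subifs if s["kind"] == kind and s["vlan"] == vlan]
            if not match:
                findings.append(f"SSID {ssid}: no {kind} subinterface with dot1Q {vlan}")
            elif any(s["bg"] is None for s in match):
                findings.append(f"SSID {ssid}: {kind} VLAN {vlan} subinterface has no bridge-group")
    for kind in ("radio", "wired"):
        native = [s for s in subifs if s["kind"] == kind and s["native"]]
        if len(native) != 1:
            findings.append(f"{kind}: expected one native subinterface, found {len(native)}")
        elif native[0]["bg"] != 1:             # assumption: management sits on BVI1
            findings.append(f"{native[0]['name']}: native VLAN not in bridge-group 1")
    return findings
```

Run `audit` on the text of `show running-config`; the switch side still has to be checked separately with `show int trunk`, as the answer says.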

  • Flex Connect Across Multiple VLANS same SSID

    I just need to find that if we have flex connect setup for different vlans using single controller, will roaming works when client connects to AP in a different VLAN but using same SSID.
    Example below:
    1) Client connects to AP on specific SSID mapped to VLAN 100, get an IP address ..all good at this point
    2) Client walks and connects to a different AP on same SSID but mapped to VLAN 200...at this point I observe client doesn't get a new IP address in fact it retain IP from step-1 and there is no connectivity
    3) Client walks back to first AP and connectivity is restored
    Why in step-2 client doesn't get a new IP from VLAN 200 even when it shows connected to AP.

    Just to add to Rasika.... L3 isn't supported....I just ran into this a few days ago.... clients should request another dhcp when roaming to another FlexConnect AP that is mapped to a different VLAN.  The issue is, that some clients don't try to renew their dhcp address and gets stuck with the default 169.x.x.x.  I see this with Apple devices in general and what we are going to do is get rid of the multiple vlan setup (vlan per floor) and create a bigger vlan that the SSID will be mapped to.
    Thanks,
    Scott
    Help out other by using the rating system and marking answered questions as "Answered"
