Cisco ACS4.1- Radius Dynamic VLAN assignment not working

Similar Messages

• IAS dot1x dynamic VLAN assignment not working

  I have a windows 2003 server with AD and IAS configured. IAS uses AD for authentication. I have AAA login configured and working. I have AAA dot1x configured on the 3550 switch. IAS has a Wired Ethernet policy configured for PEAM and is send back attributes tunnel-type = VLAN, tunnel-medium-type = 802, and tunnel-pvt-group-id = 210. My XP supplicant has dot1x enabled and is authenticating through the switch and IAS.
  Using Ethereal I can see the both the Radius request and accept packets. I can see that radius is sending the above attributes through ethereal as well. Using the Debug Radius command I can see that the attributes are getting to the switch. When I use the show VLAN command the switch port is still in VLAN 1. I want it to be in VLAN 210.
  I have upgraded the IOS in the 3550 switch. This fixed a previous problem of the switch not sending the NAS port type of Ethernet. It as sending a port type of Asynch.
  I also have service pack 2 on the Windows 2003 server.
  Has anyone else had this problem? If so how do I fix it.
  Here is my debug code:
  06:56:45: RADIUS: Tunnel-Medium-Type [65] 6 00:ALL_802 [6]
  06:56:45: RADIUS: Tunnel-Private-Group[81] 5 "210"
  06:56:45: RADIUS: Tunnel-Type [64] 6 00:VLAN [13]
  Here is my switch code:
  aaa new-model
  aaa authentication login default group radius local
  aaa authentication dot1x default group radius local
  aaa session-id common
  interface FastEthernet0/1
  switchport mode access
  dot1x pae authenticator
  dot1x port-control auto
  radius-server host 10.1.1.254 auth-port 1645 acct-port 1646 key test
  radius-server deadtime 60

  You're missing this:
  aaa authorization network default group radius
  I assume "everything works" other than VLAN-Assignment itself.
  This should get you squared away,

• Dynamic vlan assignment with 1242AG and IAS not working

                     I'm having trouble getting the dynamic vlan assignment to work on my 1242AG Cisco Aironet APs. I've seen multiple cases with a similar setup and configuration where it works just fine.  I've tried everything I can think of.  Any suggestions?
  IAS and AD is running on Windows Server 2003
  Everything works fine except the vlan assignment.  Wireless clients successfully authenticate through IAS and Active Directory, but instead of being switched to the appropriate vlan the client stays in whichever vlan/ssid it originally connected to.
  PEAP is the authentication method, using MS-CHAP v2.  Naturally I have the attributes in the policy set appropriately, ie:
  Tunnel-Medium-Type > 802
  Tunnel-Pvt-Group-ID > vlanid
  Tunnel-Type > VLAN
  On the AP:
  Cisco 1242AG, C1240 Software (C1240-K9W7-M), Version 12.4(3g)JA, RELEASE SOFTWARE (fc2)
  I've attached the config for the AP, which shows that I have two vlans/SSIDs set to cipher, aes, network eap, wpa, etc. I noticed that if the
  Tunnel-Pvt-Group-ID attribute is set to a vlan id that doesn't exist on the AP then the AP makes an event log saying so.

  Good! Well to answer your questions, IAS is sending numbers, i.e. Tunnel-Pvt-Group-ID > 129
  I did view the debug from an AP which showed the Tunnel attributes being recieved from the radius server (I'll have to wait until Monday to get a copy though).
  I see I don't have that line "aaa authorization network default group rad_eap",
  So I'll have give it a try, (maybe I can remote in so I don't have to wait until Monday).
  Thanks,
  Jason

• Dynamic VLAN assignment on SG300

  Cisco documentation states that dynamic vlan assignment via RADIUS should provide the following IETF values:
  The RADIUS user attributes used for the VLAN ID assignment are:
  IETF 64 (Tunnel Type)—Set this to VLAN.
  IETF 65 (Tunnel Medium Type)—Set this to 802
  IETF 81 (Tunnel Private Group ID)—Set this to VLAN ID
  I have done so with an Aruba Clearpass RADIUS server - but the Access-Accept message being sent below:
  Radius:IETF:Tunnel-Medium-Type     6
  Radius:IETF:Tunnel-Private-Group-Id     4
  Radius:IETF:Tunnel-Type     13
  is being received by the SG300 in some way that's not being interpreted correctly. Log files indicate that the IETF values are not what is expected:
  07-Aug-2014 18:58:41 :%SEC-W-SUPPLICANTUNAUTHORIZED: username teststudent with MAC 00:11:25:d8:42:83 was rejected on port gi2 because Radius accept message does not contain VLAN ID
  07-Aug-2014 18:58:41 :%AAAEAP-W-RADIUSREPLY: Invalid attribute 65 ignored - tag should be 0
  07-Aug-2014 18:58:41 :%AAAEAP-W-RADIUSREPLY: Invalid attribute 64 ignored - tag should be 0
  Is there something I'm missing here? These same values sent by the Clearpass RADIUS server are working for other switches such as Extreme and Brocade.
  Thanks,
  Aaron

  Hi Aleksandra,
  Here are the values from a packet capture of the Access-Accept message:

• HREAP and Dynamic VLAN assignment (MS NPS)

  Hi All
  Just a quick rundown of what I am trying to achieve.
  We have a Cisco 5508 WLC (running AIR-CT5500-K9-7-0-116-0.aes). At the moment the WLC is controlling only 1 AP (Cisco 1142N LWAP). I want this AP to be placed at a remote site, and users that authenticate via the RADIUS (MS Windows 2008 NPS) server must be assigned their respective VLANs based on the Active Directory groups they belong to (staff, student, or guest).
  The AP and dynamic VLAN assignment works 100% if the AP is in local mode. Authentication works, and dynamic VLAN assignment works. As soon as you change the AP to HREAP mode, dynamic VLAN assignment stops working, and the client gets assigned an IP of whatever VLAN is assigned to the SSID under the HREAP tab. Allow AAA Override is enabled on the main SSID that I am broadcasting.
  I have read in some of the discussions that HREAP does not support dynamic VLAN assignment, but I haven't seen why this is not supported. Is this true with the latest version of WLC software as well? I cannot see why local traffic destined for a local resource must be sent via a WAN link to the controller, and then back over the WAN link again. This seems very inefficient.
  Is there anybody that can confirm if this is in fact an HREAP limitation, and why (if so) it is a limitation, please? Any info would be much appreciated.
  Regards
  Connie

  Do you perhaps know if there are plans for this limitation being addressed in the near future?
  We are looking to deploy wireless from end-to-end in all 6 of our sites, and you biggest competitor was penalized because they do not support this feature. It seems we're going to have to apply the same penalty in this respect to Cisco as well.
  Thanks for the feedback, though!
  Regards
  Connie

• WLC- dynamic Vlan assignment with Radius

  Hello, we would like to use this feature in our company and because of that I am now testing it. But I found one problem.
  I created one testing SSID and two Vlans on WLC. On ACS I use an IETF atributes (064,065,081) for my account and I am changing Vlan ID (081) during testing.
  It works with LEAP but when I use PEAP-GTC (which we use commonly in our company) the ip address is not assigned properly (ip which was assigned before remains).
  Could you please help me?

  There is good document which explains how to configure Dynamic VLAN Assignment with RADIUS Server and Wireless LAN Controller. This will help you. You will find the document at http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml

• 802.1X for wired environments using Radius/ACS for Dynamic Vlan Assignment

  Currently Being Moderated
  802.1X for wired environments  using Radius/ACS for Dynamic Vlan Assignment
  Could someone please provide me with a simplest set of configuration steps to fire up Radius in ACS and 802.1X for dynamic vlan assignment. The objective is to roll out NAC L2 OOB using the 802.1X method for dymamic vlan assignments.
  If possible show:
  1. ACS/Radius Configurations.
  2. End User Switch Configurations
  Variables:
  Switch A
  MAC Address aaaa.bbbb.cccc     Vlan 10
              bbbb.cccc.dddd     Vlan 20
  Also, if someone posts the Pros and Cons of using Radius/ACS/802.1X for Dynamic Vlan Assignments.
  Other technology sets that can be used for Dynamic Vlan assignment EXCEPT from deprecated/obsolete VMPS.
  Thanks in advance. .

  Hi Guys,
      Hmmm, well if your just looking for Mac based authentication the good news is that is very easy.  Just set create your Radius server, ACS, FreeRadius, Steelbelted radius etc.  Then create user with the name of the Mac address, in other words if the mac address is 0012.0021.1122 the the name would be 001200211122 and the password would be the mac address.  Then you set the vlan and tunnel stuff, like so tunnel-Type would be vlan, Tunnel-medium would be 802 and Tunnel-Private-Group-ID is the name of the vlan(not the vlan number)
     So for the Cisco ACS 4.x you would create a user as specified above, fill in all the password boxes with MAC address, I believe the mac has to be all lower case in the name and the password.  Then check the Separate(Chap/MS-Chap/ARAP) box.  Then you pick the group the machine belongs to, the group is the part that defines what vlan it is on.
     Before you create the user, create the group with info I wrote above and in addition specify the Service-Type as Authenticate Only.
      Freeradius is a bit harder to configure the specifics and I am just now testing a freeradius server so I do not know the process for Machine authentication.
      If, however, you are trying to authenticate a user that gets a bit trickier and is not so straight forward.

• 802.1x authetication with dynamic Vlan assignment by a radius server

  Hi
  At school I want to start using 802.1x authentication with dynamic Vlan assignment by a Windows Server 2012R2 Radius server.
  When a student logs in, I want it to be placed in the "Students" Vlan, when a Administrative employee logs in, I want it to be placed in the "Administative" vlan and when the client is unknown I want to place it in the "Guest" Vlan.
  I have several SG200 switches and I configured everything as mentioned in the administrative guide but I cannot get it to work as desired.
  What does work:
  - If the client is permitted, the switch changes to "authorized" state. (before anyone logs on to the domain with that client)
  - When a User logs on that is part of the Administrative employees, the switch changes to "authorized" and when a student logs on, it changes to "unauthorized". 
  So far so good.
  But what doesn't work:
  - it does not put the administrative employee in the Vlan "Administrative", it just enables the port on the switch but leaves it in the default vlan 1.
  - I can not find the Guest VLAN.
  Any help would be appriciated.

  Hi Wouter,
  Can you see in the packet capture Radius accept message VLAN attribute? Also please ensure you have the latest firmware and boot code:
  http://www.cisco.com/c/en/us/support/switches/sg200-26-26-port-gigabit-smart-switch/model.html#~rdtab1
  I would recommend you to open ticket with Small Business team so they can go with you through packet capture and configuration steps:
  http://www.cisco.com/c/en/us/support/web/tsd-cisco-small-business-support-center-contacts.html
  Regards,
  Aleksandra 

• 802.1x dynamic VLAN assignment with Radius NPS Server

  I can NOT get the NPS and Cisco 3550 switch to drop the authenticated user in a VLAN.
  I have followed this documentation,
  http://msdn.microsoft.com/en-us/library/dd314181(v=ws.10).aspx
  that basically says to use these Radius attributes,
  Tunnel-Medium-Type : 802
  Tunnel-Pvt-Group-ID  :  My_VLAN_Number  (also tried VLAN name)
  Tunnel-Type  : VLAN
  There is some Cisco documentation that says to use Vendor Specific attributes Cisco-AV-Pair,
  http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2950/software/release/12-1_19_ea1/configuration/guide/2950scg/swauthen.html#wpxref83693
  and I have also tried that,
  cisco-avpair= "tunnel-type(#64)=VLAN(13)"
  cisco-avpair= "tunnel-medium-type(#65)=802 media(6)"
  cisco-avpair= "tunnel-private-group-ID(#81)=vlanid"
  My user authenticates on the port fine, but doesn't get put into a VLAN.  If I add "sw acc vlan 110"  then the user authenticates and then does get an IP address in that VLAN and all is well.
  Anybody know how to get dynamic VLAN assignment working with NPS?
  NPS on Win 2012 R2
  Domain controller separate Win 2012 R2 server
  Cisco 3550 switch

  Hi All, Can any one guide me to
  configure 802.1x with acs 5.0. Its totally new look and m not able to
  find document related to 802.1x.Thanks
  Hi,
  Check out the below link on how to configure 802.1x and ACS administration hope to help !!
  http://www.cisco.com/en/US/tech/tk389/tk814/technologies_configuration_example09186a00808abf2d.shtml#MDA
  Ganesh.H

• Cisco av-pairs SSID vs Dynamic Vlan Assignment

  Hello,
  Once upon a time, there was a Cisco av-pairs attribute to allow a Wireless user to a given SSID through Radius servers.
  If I'm not wrong, this feature has not been supported anymore (for several years) on WLC.
  Dynamic vlan assignment is an alternative way to control user acces to a given vlan. It simplifies the architecture, because only one SSID is needed and the user traffic is then redirected to the right vlan. But... There is an important issue with it, since only one SSID (and BSSID) is used, broadcast packets from all vlans are transmitted to everybody. It is an issue when some services use broadcast to announce their features (IPv6 autoconf, Bonjour, and so on...).
  So the question is if a working alternative to SSID av-pairs exists.
  Thanks.     

  To be honest, I have never heard of this SSID av-pair ever working in wireless:)
  You would need at least two ssids and the radius server would need to ability to send a CoA to dissassociate the device so that the device would join the other SSID. The radius server would also have to push out the wireless profile to the client for the SSID they need to associate to. This can be done using Cisco ISE, but not Microsoft radius or even Cisco ACS.  
  You can still use aaa overuse to place devices on specific vlans and use the WLC to allow bonjour or  ACLs to filter what you don't want going out of the vlan.  WLC has bonjour capabilities and thus you can specify that on the interface and not on the WLAN.  If course their are limitations, but with newer requirements means that there is no one answer.  You might be able to meet certain requirements, but other you will have to sort of figure out.  
  -Scott

• Dynamic VLAN Assignment with RADIUS Server and Aironet Access Points

  Hi Guys,
  I would like to go for "Dynamic VLAN Assignment with RADIUS Server and Aironet Access Points 1300". I want the AP to broadcast only 1 SSID. The client find the SSID ->put in his user credential->Raudius athentication->assign him to an specific vlan based on his groupship.
  The problem here is that I don't have a AP controller but only configurable Aironet Access Points 1300. I can connect to the radius server, but I am not sure how to confirgure the AP's port, radio port, vlan and SSID.
  http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml#switch
  I go through some references:
  3.5  RADIUS-Based VLAN Access Control
  As discussed earlier, each SSID is mapped to a default VLAN-ID on the wired side. The IT administrator may wish to impose back end (such as RADIUS)-based VLAN access control using 802.1X or MAC address authentication mechanisms. For example, if the WLAN is set up such that all VLANs use 802.1X and similar encryption mechanisms for WLAN user access, then a user can "hop" from one VLAN to another by simply changing the SSID and successfully authenticating to the access point (using 802.1X). This may not be preferred if the WLAN user is confined to a particular VLAN.
  There are two different ways to implement RADIUS-based VLAN access control features:
  1. RADIUS-based SSID access control: Upon successful 802.1X or MAC address authentication, the RADIUS server passes back the allowed SSID list for the WLAN user to the access point or bridge. If the user used an SSID on the allowed SSID list, then the user is allowed to associate to the WLAN. Otherwise, the user is disassociated from the access point or bridge.
  2. RADIUS-based VLAN assignment: Upon successful 802.1X or MAC address authentication, the RADIUS server assigns the user to a predetermined VLAN-ID on the wired side. The SSID used for WLAN access doesn't matter because the user is always assigned to this predetermined VLAN-ID.
  extract from: Wireless Virtual LAN Deployment Guide
  http://www.cisco.com/en/US/products/hw/wireless/ps430/prod_technical_reference09186a00801444a1.html
  ==============================================================
  Dynamic VLAN Assignment with RADIUS Server and Wireless LAN Controller Configuration Example
  http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml#switch
  ==============================================================
  Controller: Wireless Domain Services Configuration
  http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_example09186a00801c951f.shtml
  Any help on this issue is appreicated.
  Thanks.

  I'm not sure if the Autonomous APs have the option for AAA Override.  On the WLC, I can go into the BSSID, Security, Advanced, and there's a checkbox that I would check to allow a Radius server to send back the VLAN.
  I did a little research and it looks like the 1300 may give this option but instead is defined as "VLAN Override".  I've found the release notes for 12.3(7)JA5 (not sure what version you're running) that give mention and a link to configuring EAP on page 4: http://www.ciscosystems.ch/en/US/docs/wireless/access_point/1300/release/notes/o37ja5rn.pdf
  Hope this helps

• Dynamic vlan assignment does not work

  Hello,
  I have been trying to configure dynamic vlan assignment for the employee wlan. Trying to put the employee on vlan 20
  Here are the components used
  WLC: 2100 Software version: 7.0.240.0
  AP: 3502I    IOS version: 12.4  Mini IOS version: 7.0
  Radius server: tried mutiple radius servers (rsa radius , free radius)
  On the WLC:
  1. Created a AAA server.
  2. Along with management interface(vlan 10), configured dynamic interfaces (vlan 20, vlan 30)
  3. AP manager interface is on vlan 40
  4. Created WLAN assigned to management interface-- WPA2 (AES) , 802.1x
  5. on AAA servers tab - checked authentication servers and assigned the AAA server. authentication priority order is set to only radius
  Here, I have 2 options for radius overwrite.
  one on the AAA servers tab
  second on the Advanced tab
  I have selected both. or one at a time
  Ports between WLC and switch is a trunk
  On the AP:
  1. Local mode
  2. Port between AP and switch switchport access  - vlan 40
  On radius server:
  configured WLC's management interface as client
  and assigned the following attributes
  tunnel-type := vlan
  tunnel-medium-type = ieee-802
  tunnel-private-group-id = 20
  When i try to authenticate with an iphone it is successful. But it puts me on the same interface as management interface (vlan10). When i do the packet capture i do see the access-accept but i dont see the attributes.
  when i use a radius test utility against the radius server I do receive all the attributes.
  Im a newbie on this. Iam i missing something here? any help will be much appreciated.

  Kindly check the following link for reference.
  sample configuration link
  http://www.cisco.com/c/en/us/td/docs/wireless/controller/5700/software/release/3se/security/configuration_guide/b_sec_3se_5700_cg/b_sec_1501_3850_cg_chapter_01110.html
  http://www.cisco.com/c/en/us/td/docs/wireless/controller/7-0/configuration/guide/c70/c70intf.html
  Trouble shooting link
  http://www.cisco.com/c/en/us/support/docs/security/secure-access-control-system/113485-acs5x-tshoot.html

• Cisco WLC5508 Dynamic VLAN assignment error

  Hi All,
  We have a HA (SSO) WLC controller pair in two DC's with the Management Interface managing the AP's. The AP's are located in the Campus LAN and the Campus and DC networks are seperated by a L3 boundary.
  The plan is for one of the WLAN's to provide Dynamic VLAN Assignment via radius as a test I wanted to use the existing Management interface to bind to the WLAN, but since working through the following Document ID: 71683 one thing I noticed whilst working through the the document states that "it is required that the VLAN-ID configured under the IETF 81 (Tunnel-Private-Group-ID) field of the RADIUS server exist on the WLC"
  If the above statement is true and we don't stretch VLAN's between the Campus LAN and the DC network due to the L3 boundary does this mean that Dynamic VLAN assignment won't be achievable?  When testing a client connection and debugging the result I receive the following:-
  *radiusTransportThread: Jan 15 13:26:23.115: [PA] 10:40:f3:84:a2:2a [BE-resp] AAA response 'Success'
  *radiusTransportThread: Jan 15 13:26:23.115: [PA] 10:40:f3:84:a2:2a [BE-resp] Returning AAA response
  *radiusTransportThread: Jan 15 13:26:23.115: [PA] 10:40:f3:84:a2:2a AAA Message 'Success' received for mobile 10:40:f3:84:a2:2a
  *Dot1x_NW_MsgTask_2: Jan 15 13:26:23.115: [PA] 10:40:f3:84:a2:2a processing avps[0]: attribute 11, vendorId 0, valueLen 11
  *Dot1x_NW_MsgTask_2: Jan 15 13:26:23.115: [PA] 10:40:f3:84:a2:2a processing avps[1]: attribute 64, vendorId 0, valueLen 4
  *Dot1x_NW_MsgTask_2: Jan 15 13:26:23.115: [PA] 10:40:f3:84:a2:2a processing avps[2]: attribute 65, vendorId 0, valueLen 4
  *Dot1x_NW_MsgTask_2: Jan 15 13:26:23.115: [PA] 10:40:f3:84:a2:2a processing avps[3]: attribute 81, vendorId 0, valueLen 2
  *Dot1x_NW_MsgTask_2: Jan 15 13:26:23.115: [PA] 10:40:f3:84:a2:2a processing avps[4]: attribute 8, vendorId 0, valueLen 4
  *Dot1x_NW_MsgTask_2: Jan 15 13:26:23.115: [PA] 10:40:f3:84:a2:2a processing avps[5]: attribute 79, vendorId 0, valueLen 40
  *Dot1x_NW_MsgTask_2: Jan 15 13:26:23.115: [PA] 10:40:f3:84:a2:2a Received EAP Attribute (code=2, length=40,id=64) for mobile 10:40:f3:84:a2:2a
  *Dot1x_NW_MsgTask_2: Jan 15 13:26:23.115: [PA] 00000000: xxxxxx
  *Dot1x_NW_MsgTask_2: Jan 15 13:26:23.115: [PA] 00000010: xxxxxx
  *Dot1x_NW_MsgTask_2: Jan 15 13:26:23.115: [PA] 00000020: xxxxxx
  *Dot1x_NW_MsgTask_2: Jan 15 13:26:23.115: [PA] 10:40:f3:84:a2:2a processing avps[6]: attribute 1, vendorId 9, valueLen 16
  *Dot1x_NW_MsgTask_2: Jan 15 13:26:23.115: [PA] 10:40:f3:84:a2:2a processing avps[7]: attribute 25, vendorId 0, valueLen 25
  *Dot1x_NW_MsgTask_2: Jan 15 13:26:23.115: [PA] 10:40:f3:84:a2:2a processing avps[8]: attribute 80, vendorId 0, valueLen 16
  *Dot1x_NW_MsgTask_2: Jan 15 13:26:23.115: [PA] 10:40:f3:84:a2:2a AAA override: Dot1x Authentication PMIP Client AAA Override Enable
  *Dot1x_NW_MsgTask_2: Jan 15 13:26:23.115: [PA] 10:40:f3:84:a2:2a AAA override: Dot1x Authentication, default MPC configuration
  *Dot1x_NW_MsgTask_2: Jan 15 13:26:23.115: [PA] 10:40:f3:84:a2:2a Tunnel-Type 16777229 should be 13 for STA 10:40:f3:84:a2:2a
  *Dot1x_NW_MsgTask_2: Jan 15 13:26:23.116: [PA] 10:40:f3:84:a2:2a Tunnel-Group-Id 9 is not a valid VLAN ID for STA 10:40:f3:84:a2:2a
  *Dot1x_NW_MsgTask_2: Jan 15 13:26:23.116: [PA] 10:40:f3:84:a2:2a Received Session Key from AAA Server for STA 10:40:f3:84:a2:2a.
  I've sanitised some of the debug output to protect the username but the net result is no IP address assigned to the client and unable to connect to the network.
  Would appreciate any guidance as to whether the Wireless Client VLAN's need to be interfaces on the WLC in order to work or whether the likes of Flexconnect could alleviate the L3 boundary?
  Thanks in advance.
  Kind regards,
  Mark

  Hi All,
  After playing with Flexconnect I managed to get the dynamic vlan assignment working.
  Need to create the Flexconnect Group add in the AP's to the gorup and then select the ACL Mapping tab > AAA VLAN-ACL mapping and added in the VLAN of my VLAN that my Tunnel-Group-ID (VLAN ID) had assigned to me.
  Client connected and received the correct IP configuration.
  Thanks
  Mark

• 802.1x RADIUS with EAP-TLS/EAP-TTLS & Dynamic VLAN Assignment

  Hello, My team is looking for switches supporting 802.1x authentication on either EAP-TTLS or EAP-TLS protocols with dynamic vlan assignment enabled for these. Looking at the data sheets of the Linksys desktop switches, I found only SLM224G4PS and SLM224G4S models to support EAP-TLS or EAP-TTLS. Am I right? Do they support Dynamic VLAN Assigment for either of those protocols? This is not explicitly mentioned in the data sheets, and I happen to find switches from other manufacturers that announce to support EAP-TLS/EAP-TTLS but no dynamic vlan assignment. Thank you for any help.

  SLM switches do support 802.1x RADIUS with EAP-TLS/EAP-TTLS unlike the SRW switches which support MD5. But I don't think that they support Dynamic VLAN.

• Dynamic VLAN Assignment + NPS

  Hello,
  I'm planning a deployment with the following:
  5508 WLC running 7.0.222.0
  NCS 1.0.2.29
  50+ 3502i AP's
  Windows 2008 R2 running NPS
  EAP-TLS for authentication
  The end goal is to have a single SSID and utilize NPS to dynamically assign VLAN's depending on role/group.
  I've read several documents that use ACS to complete the dynamic VLAN assignment (inclduing http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml), however in this case ACS is not available.
  My question basically is; do I need ACS to apply the VSA for Cisco Airespace, or can this be done solely with the following IETF attributes using Microsoft NPS and AAA override on the WLC?
  [64] Tunnel-Type
  [65] Tunnel-Medium-Type
  [81] Tunnel-Pvt-Group-ID
  Any advice would be greatly appreicated!
  Thanks

  Thanks Steve for your quick response.
  I did everything as per your recommendation and it still doesnt work.
  Do you mind providing me a remote assistance, do you have Skype?
  Or your prefer that I provide you a set of logs, tell me which one and I will do so.
  SSID:TT
  @IP WLC: 172.20.252.70
  NPS: 172.20.1.16
  config rule NPS: service-Type: NAS Prompt
                           Tunnel-Type: VLAN
                           Tunnel-pvt-group-ID:10
                           Tunnel-Meduim-Type:802
  log WLC:
  *radiusTransportThread: Sep 19 12:32:47.841: ****Enter processIncomingMessages: response code=2
  *radiusTransportThread: Sep 19 12:32:47.841: ****Enter processRadiusResponse: response code=2
  *radiusTransportThread: Sep 19 12:32:47.841: 8c:70:5a:1c:8e:20 Access-Accept received from RADIUS server 172.20.1.16 for mobile 8c:70:5a:1c:8e:20 receiveId = 4
  *Dot1x_NW_MsgTask_0: Sep 19 12:32:47.841: 8c:70:5a:1c:8e:20 Processing Access-Accept for mobile 8c:70:5a:1c:8e:20
  *Dot1x_NW_MsgTask_0: Sep 19 12:32:47.842: 8c:70:5a:1c:8e:20 Applying new AAA override for station 8c:70:5a:1c:8e:20
  *Dot1x_NW_MsgTask_0: Sep 19 12:32:47.842: 8c:70:5a:1c:8e:20 Override values for station 8c:70:5a:1c:8e:20
  source: 4, valid bits: 0x200
  qosLevel: -1, dscp: 0xffffffff, dot1pTag: 0xffffffff, sessionTimeout: -1
  *Dot1x_NW_MsgTask_0: Sep 19 12:32:47.842: 8c:70:5a:1c:8e:20 Override values (cont..) dataAvgC: -1, rTAvgC: -1, dataBurstC: -1, rTimeBurstC: -1
  vlanIfName: 'dy-data-ksb1', aclName: ''
  *Dot1x_NW_MsgTask_0: Sep 19 12:32:47.842: 8c:70:5a:1c:8e:20 Inserting new RADIUS override into chain for station 8c:70:5a:1c:8e:20
  *Dot1x_NW_MsgTask_0: Sep 19 12:32:47.843: 8c:70:5a:1c:8e:20 Override values for station 8c:70:5a:1c:8e:20
  source: 4, valid bits: 0x200
  qosLevel: -1, dscp: 0xffffffff, dot1pTag: 0xffffffff, sessionTimeout: -1
  *Dot1x_NW_MsgTask_0: Sep 19 12:32:47.843: 8c:70:5a:1c:8e:20 Override values (cont..) dataAvgC: -1, rTAvgC: -1, dataBurstC: -1, rTimeBurstC: -1
  vlanIfName: 'dy-data-ksb1', aclName: ''
  *Dot1x_NW_MsgTask_0: Sep 19 12:32:47.843: 8c:70:5a:1c:8e:20 Applying override policy from source Override Summation:
  *Dot1x_NW_MsgTask_0: Sep 19 12:32:47.843: 8c:70:5a:1c:8e:20 Override values for station 8c:70:5a:1c:8e:20
  source: 256, valid bits: 0x200
  qosLevel: -1, dscp: 0xffffffff, dot1pTag: 0xffffffff, sessionTimeout: -1
  *Dot1x_NW_MsgTask_0: Sep 19 12:32:47.843: 8c:70:5a:1c:8e:20 Override values (cont..) dataAvgC: -1, rTAvgC: -1, dataBurstC: -1, rTimeBurstC: -1
  vlanIfName: 'dy-data-ksb1', aclName: ''
  *Dot1x_NW_MsgTask_0: Sep 19 12:32:47.843: 8c:70:5a:1c:8e:20 Setting re-auth timeout to 1800 seconds, got from WLAN config.
  *Dot1x_NW_MsgTask_0: Sep 19 12:32:47.844: 8c:70:5a:1c:8e:20 Station 8c:70:5a:1c:8e:20 setting dot1x reauth timeout = 1800
  *Dot1x_NW_MsgTask_0: Sep 19 12:32:47.844: 8c:70:5a:1c:8e:20 Creating a PKC PMKID Cache entry for station 8c:70:5a:1c:8e:20 (RSN 2)
  *Dot1x_NW_MsgTask_0: Sep 19 12:32:47.844: 8c:70:5a:1c:8e:20 Adding BSSID 00:1e:be:a7:bf:b6 to PMKID cache for station 8c:70:5a:1c:8e:20
  *Dot1x_NW_MsgTask_0: Sep 19 12:32:47.844: New PMKID: (16)
  *Dot1x_NW_MsgTask_0: Sep 19 12:32:47.844:      [0000] 80 36