Dynamic vlan assignment with 1242AG and IAS not working

I'm having trouble getting the dynamic vlan assignment to work on my 1242AG Cisco Aironet APs. I've seen multiple cases with a similar setup and configuration where it works just fine. I've tried everything I can think of. Any suggestions?
IAS and AD are running on Windows Server 2003.
Everything works fine except the vlan assignment. Wireless clients successfully authenticate through IAS and Active Directory, but instead of being switched to the appropriate vlan the client stays in whichever vlan/ssid it originally connected to.
PEAP is the authentication method, using MS-CHAP v2. Naturally I have the attributes in the policy set appropriately, i.e.:
Tunnel-Medium-Type > 802
Tunnel-Pvt-Group-ID > vlanid
Tunnel-Type > VLAN
On the AP:
Cisco 1242AG, C1240 Software (C1240-K9W7-M), Version 12.4(3g)JA, RELEASE SOFTWARE (fc2)
I've attached the config for the AP, which shows that I have two vlans/SSIDs set to cipher, aes, network eap, wpa, etc. I noticed that if the Tunnel-Pvt-Group-ID attribute is set to a vlan id that doesn't exist on the AP then the AP makes an event log saying so.

Good! Well to answer your questions, IAS is sending numbers, i.e. Tunnel-Pvt-Group-ID > 129
I did view the debug from an AP which showed the Tunnel attributes being received from the radius server (I'll have to wait until Monday to get a copy though).
I see I don't have that line "aaa authorization network default group rad_eap",
so I'll have to give it a try (maybe I can remote in so I don't have to wait until Monday).
Thanks,
Jason
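
The check discussed in this thread, as an added example that is not part of the original posts: Python that decodes the three tunnel attributes (IETF types 64, 65 and 81) from the attribute section of a RADIUS Access-Accept and reports why a VLAN assignment would not be usable. The sample bytes are constructed, the function names are hypothetical, and the tag handling follows RFC 2868.

```python
# Added example: IETF tunnel attributes used for dynamic VLAN assignment.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PVT_GROUP_ID = 64, 65, 81
VLAN, IEEE_802 = 13, 6  # values the policy must send (RFC 3580)
NAMES = {64: "Tunnel-Type", 65: "Tunnel-Medium-Type", 81: "Tunnel-Pvt-Group-ID"}


def parse_attributes(data: bytes):
    """Yield (type, value) for each TLV in a RADIUS attribute section."""
    i = 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError(f"bad length {alen} for attribute {atype}")
        yield atype, data[i + 2:i + alen]
        i += alen


def decode_tunnel(atype: int, value: bytes):
    """Return (tag, value); tag rules differ per attribute (RFC 2868)."""
    if atype == TUNNEL_PVT_GROUP_ID:
        # String attribute: a leading byte <= 0x1F is a tag, otherwise data.
        if value and value[0] <= 0x1F:
            return value[0], value[1:].decode("ascii", "replace")
        return 0, value.decode("ascii", "replace")
    if len(value) != 4:
        raise ValueError(f"{NAMES[atype]} must be 4 bytes")
    return value[0], int.from_bytes(value[1:], "big")  # tag + 24-bit integer


def vlan_assignment(attrs: bytes):
    """Return (vlan, problems); vlan is None unless all three attributes agree."""
    found = {t: decode_tunnel(t, v) for t, v in parse_attributes(attrs) if t in NAMES}
    problems = [f"{NAMES[t]} missing" for t in NAMES if t not in found]
    if found.get(TUNNEL_TYPE, (0, VLAN))[1] != VLAN:
        problems.append("Tunnel-Type is not VLAN (13)")
    if found.get(TUNNEL_MEDIUM_TYPE, (0, IEEE_802))[1] != IEEE_802:
        problems.append("Tunnel-Medium-Type is not 802 (6)")
    if len({tag for tag, _ in found.values()}) > 1:
        problems.append("tags differ between tunnel attributes")
    vlan = found.get(TUNNEL_PVT_GROUP_ID, (0, ""))[1]
    if TUNNEL_PVT_GROUP_ID in found and not vlan:
        problems.append("Tunnel-Pvt-Group-ID is empty")
    return (None if problems else vlan), problems


def attr(atype: int, value: bytes) -> bytes:
    """Build one TLV for the constructed samples below."""
    return bytes([atype, len(value) + 2]) + value


# Constructed samples, not captured traffic.
GOOD = attr(64, b"\x00\x00\x00\x0d") + attr(65, b"\x00\x00\x00\x06") + attr(81, b"129")
BAD = attr(64, b"\x01\x00\x00\x0d") + attr(65, b"\x00\x00\x00\x06")

if __name__ == "__main__":
    for name, sample in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, vlan_assignment(sample))
```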

Similar Messages

  • Dynamic VLAN assignment with WLC and ACS for

    Currently, using our autonomous APs and ACS, our users get separate VLANs per building based on their security level (students or staff). Basically, the student VLAN in one building is different from that of the student VLANs in other buildings on campus. Currently, we do this by filling the Tunnel-Private-Group-ID IETF RADIUS attribute with the VLAN name. This all works because each individual AP can map VLAN names to different VLANs like this:
    dot11 vlan-name STUDENT vlan 2903
    dot11 vlan-name FACSTAF vlan 2905
    As we are working on our WiSM deployment, we see that the document below shows how to do the dynamic VLAN assignment on our WLAN controllers:
    http://www.cisco.com/en/US/customer/products/sw/secursw/ps2086/products_configuration_example09186a00808c9bd1.shtml
    However, we haven't figured out if it's possible to still provide our users with different VLANs for each building they're in.
    With the instructions above, it looks like ACS uses a Cisco RADIUS Attribute to indicate the Air-Interface-Name, mapping an ACS/AD group to a single WLC interface which can only have one VLAN/subnet associated with it.
    Does anybody know if what we're trying to accomplish is possible, or if we're really stuck with only one VLAN/subnet per mapped ACS group?

    We only have the one WiSM for all of campus, so it's handling everything. The Cisco docs do indicate how to put different users in different Vlans, but we don't currently see a way to also put them in different subnets per building.
    This being the case, any suggestions on how best to handle more than a Class C subnet's worth of users? Should we just subnet larger than Class C, or is there a more elegant way of handling this?

  • Dynamic VLAN Assignment with RADIUS Server and Aironet Access Points

    Hi Guys,
    I would like to go for "Dynamic VLAN Assignment with RADIUS Server and Aironet Access Points 1300". I want the AP to broadcast only 1 SSID. The client finds the SSID -> puts in his user credentials -> RADIUS authentication -> is assigned to a specific vlan based on his group membership.
    The problem here is that I don't have an AP controller but only configurable Aironet Access Points 1300. I can connect to the radius server, but I am not sure how to configure the AP's port, radio port, vlan and SSID.
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml#switch
    I go through some references:
    3.5  RADIUS-Based VLAN Access Control
    As discussed earlier, each SSID is mapped to a default VLAN-ID on the wired side. The IT administrator may wish to impose back end (such as RADIUS)-based VLAN access control using 802.1X or MAC address authentication mechanisms. For example, if the WLAN is set up such that all VLANs use 802.1X and similar encryption mechanisms for WLAN user access, then a user can "hop" from one VLAN to another by simply changing the SSID and successfully authenticating to the access point (using 802.1X). This may not be preferred if the WLAN user is confined to a particular VLAN.
    There are two different ways to implement RADIUS-based VLAN access control features:
    1. RADIUS-based SSID access control: Upon successful 802.1X or MAC address authentication, the RADIUS server passes back the allowed SSID list for the WLAN user to the access point or bridge. If the user used an SSID on the allowed SSID list, then the user is allowed to associate to the WLAN. Otherwise, the user is disassociated from the access point or bridge.
    2. RADIUS-based VLAN assignment: Upon successful 802.1X or MAC address authentication, the RADIUS server assigns the user to a predetermined VLAN-ID on the wired side. The SSID used for WLAN access doesn't matter because the user is always assigned to this predetermined VLAN-ID.
    extract from: Wireless Virtual LAN Deployment Guide
    http://www.cisco.com/en/US/products/hw/wireless/ps430/prod_technical_reference09186a00801444a1.html
    ==============================================================
    Dynamic VLAN Assignment with RADIUS Server and Wireless LAN Controller Configuration Example
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml#switch
    ==============================================================
    Controller: Wireless Domain Services Configuration
    http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_example09186a00801c951f.shtml
    Any help on this issue is appreciated.
    Thanks.

    I'm not sure if the Autonomous APs have the option for AAA Override.  On the WLC, I can go into the BSSID, Security, Advanced, and there's a checkbox that I would check to allow a Radius server to send back the VLAN.
    I did a little research and it looks like the 1300 may give this option but instead is defined as "VLAN Override".  I've found the release notes for 12.3(7)JA5 (not sure what version you're running) that give mention and a link to configuring EAP on page 4: http://www.ciscosystems.ch/en/US/docs/wireless/access_point/1300/release/notes/o37ja5rn.pdf
    Hope this helps

  • WLC- dynamic Vlan assignment with Radius

    Hello, we would like to use this feature in our company and because of that I am now testing it. But I found one problem.
    I created one testing SSID and two Vlans on WLC. On ACS I use IETF attributes (064,065,081) for my account and I am changing Vlan ID (081) during testing.
    It works with LEAP but when I use PEAP-GTC (which we use commonly in our company) the ip address is not assigned properly (ip which was assigned before remains).
    Could you please help me?

    There is a good document which explains how to configure Dynamic VLAN Assignment with RADIUS Server and Wireless LAN Controller. This will help you. You will find the document at http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml

  • 802.1x dynamic VLAN assignment with Radius NPS Server

    I can NOT get the NPS and Cisco 3550 switch to drop the authenticated user in a VLAN.
    I have followed this documentation,
    http://msdn.microsoft.com/en-us/library/dd314181(v=ws.10).aspx
    that basically says to use these Radius attributes,
    Tunnel-Medium-Type : 802
    Tunnel-Pvt-Group-ID  :  My_VLAN_Number  (also tried VLAN name)
    Tunnel-Type  : VLAN
    There is some Cisco documentation that says to use Vendor Specific attributes Cisco-AV-Pair,
    http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2950/software/release/12-1_19_ea1/configuration/guide/2950scg/swauthen.html#wpxref83693
    and I have also tried that,
    cisco-avpair= "tunnel-type(#64)=VLAN(13)"
    cisco-avpair= "tunnel-medium-type(#65)=802 media(6)"
    cisco-avpair= "tunnel-private-group-ID(#81)=vlanid"
    My user authenticates on the port fine, but doesn't get put into a VLAN.  If I add "sw acc vlan 110"  then the user authenticates and then does get an IP address in that VLAN and all is well.
    Anybody know how to get dynamic VLAN assignment working with NPS?
    NPS on Win 2012 R2
    Domain controller separate Win 2012 R2 server
    Cisco 3550 switch

  • Dynamic vlan assignment with openldap

    Hi,
    I have a scenario where my customer has an ACS 5.2 and a couple of WLCs. The customer also has an OpenLDAP database and needs to do dynamic vlan assignment for his wireless users against this database. I know that for Active Directory it works; please advise if it does as well for OpenLDAP, and how?
    Regards,

    No, it doesn't work if you are using MS-CHAP v2. Here is a grid of the supported EAP-based protocols and the directory services:
    You can find this information here:
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.2/user/guide/eap_pap_phase.html#wp1045863
    Hope this helps.

  • Dynamic vlan assignment with single SSID

    Hi All,
    I have 300 APs deployed and concurrent client associations that number 3000+ daily. At the moment I have a single subnet for all users; there is no authentication, just a click-through page with email entry to gain access.
    The APs are assigned to groups based upon the building zone they are in. Is it possible to assign a vlan based upon the AP the user is associated to but still only broadcast a single SSID?
    TIA

    You can assign dynamic vlan for 802.1X authentication using aaa override from RADIUS server.
    In your case, since it is a webconsent ssid, you can use AP groups to put clients on different vlans per the AP group.

  • 802.1x dynamic vlan assignment with acs5.0

    Hi All, can anyone guide me to configure 802.1x with acs 5.0? It's a totally new look and I'm not able to find a document related to 802.1x.
    Thanks

    Hi All, can anyone guide me to configure 802.1x with acs 5.0? It's a totally new look and I'm not able to find a document related to 802.1x. Thanks
    Hi,
    Check out the below link on how to configure 802.1x and ACS administration hope to help !!
    http://www.cisco.com/en/US/tech/tk389/tk814/technologies_configuration_example09186a00808abf2d.shtml#MDA
    Ganesh.H

  • Drilldown with ParentAfter and ParentBefore not working

    Hi All,
    I am using the Drilldown option in Workbook Option with ParentAfter and ParentBefore. I found that the drilldown sometimes works but sometimes cannot expand/collapse. First, I thought it was because the dimension member set in the current view is not a base member, but now that I have already set all as base, the drilldown still does not work.
    I have set the memberset as LDEP and taken out the sort range. And now, after logging off and on again, the drilldown works again without me changing anything....
    Any idea why it behaves this way?
    Thanks in advance for the advice.
    Ce Wie
    Edited by: Go  Ce Wie on May 22, 2009 3:20 PM

    Your issue lies in your clientkeys. instead of:
    clientkeys =
    awful.key({modkey,}, "f", function(c) c.fullscreen = not c.fullscreen end),
    awful.key({modkey, "Shift"}, "c", function(c) c:kill() end),
    awful.key({modkey, "Control"}, "space", awful.client.floating.toggle),
    awful.key({modkey, "Control"}, "Return",
    function(c) c:swap(awful.client.getmaster()) end),
    awful.key({modkey,}, "o", awful.client.movetoscreen),
    awful.key({modkey, "Shift"}, "r", function(c) c:redraw() end),
    awful.key({modkey}, "t", awful.client.togglemarked),
    awful.key({modkey,}, "m",
    function(c)
    c.maximized_horizontal = not c.maximized_horizontal
    c.maximized_vertical = not c.maximized_vertical
    end),
    It should be
    clientkeys = awful.util.table.join(
    awful.key({modkey,}, "f", function(c) c.fullscreen = not c.fullscreen end),
    awful.key({modkey, "Shift"}, "c", function(c) c:kill() end),
    awful.key({modkey, "Control"}, "space", awful.client.floating.toggle),
    awful.key({modkey, "Control"}, "Return",
    function(c) c:swap(awful.client.getmaster()) end),
    awful.key({modkey,}, "o", awful.client.movetoscreen),
    awful.key({modkey, "Shift"}, "r", function(c) c:redraw() end),
    awful.key({modkey}, "t", awful.client.togglemarked),
    awful.key({modkey,}, "m",
    function(c)
    c.maximized_horizontal = not c.maximized_horizontal
    c.maximized_vertical = not c.maximized_vertical
    end)
    )
    I had the same problem and this fixed it.

  • Dynamic Link between Premiere Pro and AE not working

    I've been having this issue where dynamic link is grayed out in the Premiere Pro menu when I try to link a clip to AE. It's the same the other way round (i.e. AE to Premiere), and also the "Replace with After Effects Comp" is grayed out as well. I'm using the CC version (not CC 2014), so it should work?
    Thanks for your help!

    Hi Kevin,
    Thanks for your reply. I'm using CS6 (if that's what you mean by version - otherwise I think it's 7.0). I've never come across verifying the programs, how do I go about it?
    Thanks

  • Dual Monitors with GPU and Motherboard not working

    Hey guys, just wondering if anyone else could help me out.
    So, I decided to hook up an old monitor of mine to my rig today and, lo and behold, the monitor isn't being detected by my computer.
    I've already got a monitor running through my GPU (NVidia GTX 960) via DVI.
    Currently tried connecting my second (old) monitor to my motherboard with DVI as well, but it isn't being detected.
    I went into my bios and forced my integrated graphics on, but when I checked in the device manager, it said my VGA graphics adapter "Cannot start (Error Code 10)"
    Also tried updating VGA graphics adapter drivers, but I had the latest drivers already.
    I'm not sure if that's related to the issue, but I thought it'd be worth mentioning.
    (What's also worth mentioning is that I'm a complete casual when it comes to computer building and such, lol)
    Motherboard is a Gigabyte F2A88XM-HD3, supports VGA, DVI and HDMI. 
    Monitor that I'm trying to connect supports both DVI and VGA. 

    A lot of the 960's don't have 2 DVI's. However most have an additional HDMI and DisplayPort. I recommend you get an adapter from amazon or something. Just make sure that it will convert HDMI or DP to DVI. Usually amazon products have a good amount of questions already answered by buyers.
    Interesting that they'd go that route, I guess I just assumed since my 760 has two.
    I've set up dual monitors using one DVI and one HDMI before, but I ran into issues with screen sizing. Despite having two identical monitors set at the same resolution the mouse would not transmit over to the second monitor at the same height as it was on the first, so I had to buy an adapter like Joshua suggested.

  • Backing up system with Recovery and Repair not working

    I have a Lenovo 3000 N500 4233-52u and I am trying to create a back-up with R & R. When I click on Back-Up Now nothing happens. Also, I can't find where to set the schedule for back-ups.
    Do I have to re-install R & R ? If so which version should I install.
    Thanks in advance for your help.
    Bill

    Kate,
    Are these purchases not in your iTunes library?  Content such as music, movies, apps, etc. is not included in the backup of your iPod.  These all need to be transferred to your iTunes library separately by choosing File -> Transfer Purchases with your iPod Touch still connected.
    See this article about redownloading your missing purchases.
    http://support.apple.com/kb/ht2519
    B-rock

  • Home sharing with IMac and applet  not working

    Sharing is turned on on my IMac.  My Apple TV is on and can see the name of the IMac. The iMac has photos selected but they don't display on the TV.   I have verified the IMac has the most recent version of ITunes. Been through TS guide, no luck. Apple TV says to turn home sharing on but it is already on. Any suggestions?

    I have 2 Apple TV 2s.  I updated one to the latest iOS and it immediately lost the connection to my home shared iMac.  A week later I updated the second ATV2 and it immediately lost the connection, BUT I regained the connection with the first ATV2 I had updated earlier.  The second still won't connect even after exhausting EVERY solution numerous times and the settings on both ATV2s are identical.  Hoping the next iOS ATV update solves the problem.

  • Keyword filtering with 'all' and 'any' not working

    Hi folks,
    At the moment I'm testdriving Aperture 1.5.3, and it seems that when filtering on multiple keywords the logical connection 'any' or 'all' doesn't work.
    For instance, the filtersetting is 'Match all of the following:'
    [checked] Yosamite Sam
    [checked] Bugs Bunny
    [unchecked] Daffy Duck
    This would mean I should see all pictures tagged with both the keywords 'Yosamite Sam' AND 'Bugs Bunny'. Instead of that, the result of the filter is all pictures tagged with 'Yosamite Sam' OR 'Bugs Bunny' OR both.
    Is this a known issue and is there already a fix for this?
    Greetz,
    Seeta

    I had the same problem when I started using Aperture. The 'Match all/any of the following' is referred to the different searching options (by date, by keyword, by rating...)
    If you need to search for images with all or any of the keywords ticked use the 'contain one or more of the following' or 'contain all of the following' beside the keyword title on the searching window.

  • I have macair bought 2009. Bluetooth connect with mouse and keypad not working. It used to work. Batteries are good. Green light flashes on each device, but no connection. Any suggestions to help me here? Thanks.

    Dear Community,
    I have a macbook air bought new in 2009. Since 2011 I only use it occasionally as I now mainly use my iMac. The mouse and keyboard that came with the macbook air used to work fine with bluetooth connection to the macbookair, but now they don't. The batteries are good. The green light flashes showing it is seeking other bluetooth device to connect to. But they won't connect to my macbookair. What could the problem be? Your help would be much appreciated.

    Thanks for that. Yes I checked that already and BT enabled. Yes, external keyboard. But I just moved the computer to different part of room and bingo the devices paired and connected. So problem now solved. Thanks for offering your help.
