Dynamic VLAN Assignment with RADIUS Server and Aironet Access Points

Similar Messages

• WLC- dynamic Vlan assignment with Radius

  Hello, we would like to use this feature in our company and because of that I am now testing it. But I found one problem.
  I created one testing SSID and two Vlans on WLC. On ACS I use an IETF atributes (064,065,081) for my account and I am changing Vlan ID (081) during testing.
  It works with LEAP but when I use PEAP-GTC (which we use commonly in our company) the ip address is not assigned properly (ip which was assigned before remains).
  Could you please help me?

  There is good document which explains how to configure Dynamic VLAN Assignment with RADIUS Server and Wireless LAN Controller. This will help you. You will find the document at http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml

• 802.1x dynamic VLAN assignment with Radius NPS Server

  I can NOT get the NPS and Cisco 3550 switch to drop the authenticated user in a VLAN.
  I have followed this documentation,
  http://msdn.microsoft.com/en-us/library/dd314181(v=ws.10).aspx
  that basically says to use these Radius attributes,
  Tunnel-Medium-Type : 802
  Tunnel-Pvt-Group-ID  :  My_VLAN_Number  (also tried VLAN name)
  Tunnel-Type  : VLAN
  There is some Cisco documentation that says to use Vendor Specific attributes Cisco-AV-Pair,
  http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2950/software/release/12-1_19_ea1/configuration/guide/2950scg/swauthen.html#wpxref83693
  and I have also tried that,
  cisco-avpair= "tunnel-type(#64)=VLAN(13)"
  cisco-avpair= "tunnel-medium-type(#65)=802 media(6)"
  cisco-avpair= "tunnel-private-group-ID(#81)=vlanid"
  My user authenticates on the port fine, but doesn't get put into a VLAN.  If I add "sw acc vlan 110"  then the user authenticates and then does get an IP address in that VLAN and all is well.
  Anybody know how to get dynamic VLAN assignment working with NPS?
  NPS on Win 2012 R2
  Domain controller separate Win 2012 R2 server
  Cisco 3550 switch

  Hi All, Can any one guide me to
  configure 802.1x with acs 5.0. Its totally new look and m not able to
  find document related to 802.1x.Thanks
  Hi,
  Check out the below link on how to configure 802.1x and ACS administration hope to help !!
  http://www.cisco.com/en/US/tech/tk389/tk814/technologies_configuration_example09186a00808abf2d.shtml#MDA
  Ganesh.H

• Dynamic vlan assignment with 1242AG and IAS not working

                     I'm having trouble getting the dynamic vlan assignment to work on my 1242AG Cisco Aironet APs. I've seen multiple cases with a similar setup and configuration where it works just fine.  I've tried everything I can think of.  Any suggestions?
  IAS and AD is running on Windows Server 2003
  Everything works fine except the vlan assignment.  Wireless clients successfully authenticate through IAS and Active Directory, but instead of being switched to the appropriate vlan the client stays in whichever vlan/ssid it originally connected to.
  PEAP is the authentication method, using MS-CHAP v2.  Naturally I have the attributes in the policy set appropriately, ie:
  Tunnel-Medium-Type > 802
  Tunnel-Pvt-Group-ID > vlanid
  Tunnel-Type > VLAN
  On the AP:
  Cisco 1242AG, C1240 Software (C1240-K9W7-M), Version 12.4(3g)JA, RELEASE SOFTWARE (fc2)
  I've attached the config for the AP, which shows that I have two vlans/SSIDs set to cipher, aes, network eap, wpa, etc. I noticed that if the
  Tunnel-Pvt-Group-ID attribute is set to a vlan id that doesn't exist on the AP then the AP makes an event log saying so.

  Good! Well to answer your questions, IAS is sending numbers, i.e. Tunnel-Pvt-Group-ID > 129
  I did view the debug from an AP which showed the Tunnel attributes being recieved from the radius server (I'll have to wait until Monday to get a copy though).
  I see I don't have that line "aaa authorization network default group rad_eap",
  So I'll have give it a try, (maybe I can remote in so I don't have to wait until Monday).
  Thanks,
  Jason

• Dynamic VLAN assignment with WLC and ACS for

  Currently, using our autonomous APs and ACS, our users get separate VLANs per building based on their security level (students or staff). Basically, the student VLAN in one building is different from that of the student VLANs in other buildings on campus. Currently, we do this by filling the Tunnel-Private-Group-ID IETF RADIUS attribute with the VLAN name. This all works because each individual AP can map VLAN names to different VLANs like this:
  dot11 vlan-name STUDENT vlan 2903
  dot11 vlan-name FACSTAF vlan 2905
  As we are working on our WiSM deployment, we see that the document below shows how to do the dynamic VLAN assignment on our WLAN controllers:
  http://www.cisco.com/en/US/customer/products/sw/secursw/ps2086/products_configuration_example09186a00808c9bd1.shtml
  However, we haven't figured out if it's possible to still provide our users with different VLANs for each building they're in.
  With the instructions above, it looks like ACS uses a Cisco RADIUS Attribute to indicate the Air-Interface-Name, mapping an ACS/AD group to a single WLC interface which can only have one VLAN/subnet associated with it.
  Does anybody know if what we're trying to accomplish is possible, or if we're really stuck with only one VLAN/subnet per mapped ACS group?

  We only have the one WiSM for all of campus, so it's handling everything. This Cisco docs do indicate how to put differnet users in different Vlans, but we don't currently see a way to also put them in different subnets per building.
  This being the case, any suggestions on how best to handle more than a Class C subnet's worth of users? Should we just subnet larger than Class C, or is there a more elegant way of handling this?

• Dynamic vlan assignment with openldap

  Hi,
  I have a scenario where my customer has an ACS 5.2 and couple WLCs. the customer has also a openldap database and needs to do dynamic vlan assignement for his wireless user against this database. I know that for Active directory it works, please advise if it does as well for openldap and how?
  Regards,

  No it doesnt work if you are using mschap v2 here is a grid of the supported eap based protocols and the directory services:
  You can find this information here:
  http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.2/user/guide/eap_pap_phase.html#wp1045863
  Hope this helps.

• Dynamic VLAN-Assignment from RADIUS with Aironet 1242AG doesn't work properly

  Hello All,
  our setting is to assign VLANs dynamically from RADIUS (freeradius) to Clients connected to the 1242 Access-Points with one SSID. We have Firmware
  12.4(10b)JA/JDA on the Aironet 1242.
  The clients should be connected to one of three VLANs - one for staff, one for students and one for guests. I use the Web-Interface of
  the 1242, because I'm not very familiar with IOS cli.
  After assigning the first VLAN to the SSID -> click Accept, assigning the second VLAN to the SSID (overwriting the previous one) -> click Accept,
  assigning the third VLAN to SSID (overwriting again) -> click Accept,  the assignment of VLANs works really fine,
  (the only thing i change on the page is VLAN, the SSID is set to mandatory WPAv2)
  BUT...
  when the 1242 is rebooted (due a building power off or similar) it doesn't work anymore. Clients end up in an endless authentication loop.
  After doing the procedure again from above - assigning all VLANs sequently once, it works fine again !  till next reboot...
  All VLANs have same encryption, cypher, TKIP+AES CCM. On the Cisco-Site I found a command, which i also tried with no success:
  'aaa authorization network default group radius'.
  I also tried to save the working config and load it into the 1242 again, this also did not work.
  It seems that i'm doing something wrong, but what ?
  Thanks for some help,
  Frank

  All you really need to do is make sure the subinterfaces/vlans are created for each VLAN you need, then have radius push down IETF attributes 64, 65, and 81.

• Dynamic vlan assignment with single SSID

  Hi All,
  I have 300 APs deployed  and  concurrent client associations that number 3000+ daily
  at the moment I have a single subnet for all users, there is no authentication just a click through
  page with email entry to gain access.
  The APs are assigned to groups based upon the building zone they are in, is it possible to
  assign a vlan based upon the AP the user is associated to but still only broadcast a single SSID.
  TIA

  You can assign dynamic vlan for 802.1X authentication using aaa override from RADIUS server.
  In your case, since it is webconsent ssid you can use AP groups to put clients on differnt vlans per the AP group
  Sent from Cisco Technical Support iPhone App

• Radius local server and wireless access points

  Hello to all,
  I would like to ask a question related to radius server. I have a Allied telesis core switch and i configure the radius server locally, also i configure the port1.0.7 for dot1x and i am using dynamic vlan. If i connect my laptop to port 1.0.7 i can get the correct ip from the dhcp server. If i connect an access point to the same port , how i should configure the dot1x ? for multiple hosts? I know i am using allied telessis but the config is very similar to the cisco: take a look:
  (Radius and nas config)
  radius-server host 127.0.0.1 key awplus-local-radius-server
  aaa authentication dot1x default group radius
  aaa authentication auth-web default group radius
  crypto pki trustpoint local
  crypto pki enroll local
  radius-server local
  server enable
  nas 127.0.0.1 key awplus-local-radius-server
  group Andrew
    attribute NAS-Identifier andrew
    attribute Tunnel-Medium-Type IEEE-802
    attribute Tunnel-Private-Group-Id 10
    attribute Tunnel-Type VLAN
  user andrew encrypted password wh8q0J2oYSn0y4cynksNCqfbaUtRGv/E6JaJrW+s3Zs= group Andrew
  (port config)
  interface port1.0.7
  switchport
  switchport mode access
  auth-web enable
  dot1x port-control auto
  auth host-mode multi-supplicant
  auth dynamic-vlan-creation
  I tried with auth-web and without but no luck. If someone have a sample config how to configure the dot1x to be able to use access point please paste it.
  Thanks
  Andrew

  I'm not sure if the Autonomous APs have the option for AAA Override.  On the WLC, I can go into the BSSID, Security, Advanced, and there's a checkbox that I would check to allow a Radius server to send back the VLAN.
  I did a little research and it looks like the 1300 may give this option but instead is defined as "VLAN Override".  I've found the release notes for 12.3(7)JA5 (not sure what version you're running) that give mention and a link to configuring EAP on page 4: http://www.ciscosystems.ch/en/US/docs/wireless/access_point/1300/release/notes/o37ja5rn.pdf
  Hope this helps

• SG300-28P and aironet access points

  Dear support,
  does Cisco SG300-28P provide enough PoE to power access points 1550 and 1600?
  Thank you

  Hi Mireille, it should. The 1550 is 802.3af compliant.
  The 1600 may be interesting because it can actually draw up to 15.4 watt of power and you may run into limitations of cable. It is also 802.3af compliant.
  -Tom
  Please mark answered for helpful posts

• 802.1x dynamic vlan assignment with acs5.0

  Hi All, Can any one guide me to configure 802.1x with acs 5.0. Its totally new look and m not able to find document related to 802.1x.
  Thanks

  Hi All, Can any one guide me to
  configure 802.1x with acs 5.0. Its totally new look and m not able to
  find document related to 802.1x.Thanks
  Hi,
  Check out the below link on how to configure 802.1x and ACS administration hope to help !!
  http://www.cisco.com/en/US/tech/tk389/tk814/technologies_configuration_example09186a00808abf2d.shtml#MDA
  Ganesh.H

• WDS with Airport Express and 3COM Access Point

  3CRWE454A72/WL 526
  Runtime Code Version: 1.00 Dec 11 2003
  Boot Code Version: V.2.25
  Can this work?
  Sorry if this question is not new
  Regards,
  Andre Peternell
  Germany
  PB G4   Mac OS X (10.4.8)  

  - another Airport Express
  - an Airport Extreme Base Station
  - a Linksys WRT54G or WRT54GS
  - a Belkin Belkin F5D7230-4 and F5D7231
  - one specific model from SMC
  - one specific model from Buffalo
  - BT Voyager 2091
  For wireless routers not on this short list - not possible.
  In particular, it will not work with any WiFi routers from D-Link or Netgear.

• Dynamic VLAN assignment on SG300

  Cisco documentation states that dynamic vlan assignment via RADIUS should provide the following IETF values:
  The RADIUS user attributes used for the VLAN ID assignment are:
  IETF 64 (Tunnel Type)—Set this to VLAN.
  IETF 65 (Tunnel Medium Type)—Set this to 802
  IETF 81 (Tunnel Private Group ID)—Set this to VLAN ID
  I have done so with an Aruba Clearpass RADIUS server - but the Access-Accept message being sent below:
  Radius:IETF:Tunnel-Medium-Type     6
  Radius:IETF:Tunnel-Private-Group-Id     4
  Radius:IETF:Tunnel-Type     13
  is being received by the SG300 in some way that's not being interpreted correctly. Log files indicate that the IETF values are not what is expected:
  07-Aug-2014 18:58:41 :%SEC-W-SUPPLICANTUNAUTHORIZED: username teststudent with MAC 00:11:25:d8:42:83 was rejected on port gi2 because Radius accept message does not contain VLAN ID
  07-Aug-2014 18:58:41 :%AAAEAP-W-RADIUSREPLY: Invalid attribute 65 ignored - tag should be 0
  07-Aug-2014 18:58:41 :%AAAEAP-W-RADIUSREPLY: Invalid attribute 64 ignored - tag should be 0
  Is there something I'm missing here? These same values sent by the Clearpass RADIUS server are working for other switches such as Extreme and Brocade.
  Thanks,
  Aaron

  Hi Aleksandra,
  Here are the values from a packet capture of the Access-Accept message:

• Cisco WLC5508 Dynamic VLAN assignment error

  Hi All,
  We have a HA (SSO) WLC controller pair in two DC's with the Management Interface managing the AP's. The AP's are located in the Campus LAN and the Campus and DC networks are seperated by a L3 boundary.
  The plan is for one of the WLAN's to provide Dynamic VLAN Assignment via radius as a test I wanted to use the existing Management interface to bind to the WLAN, but since working through the following Document ID: 71683 one thing I noticed whilst working through the the document states that "it is required that the VLAN-ID configured under the IETF 81 (Tunnel-Private-Group-ID) field of the RADIUS server exist on the WLC"
  If the above statement is true and we don't stretch VLAN's between the Campus LAN and the DC network due to the L3 boundary does this mean that Dynamic VLAN assignment won't be achievable?  When testing a client connection and debugging the result I receive the following:-
  *radiusTransportThread: Jan 15 13:26:23.115: [PA] 10:40:f3:84:a2:2a [BE-resp] AAA response 'Success'
  *radiusTransportThread: Jan 15 13:26:23.115: [PA] 10:40:f3:84:a2:2a [BE-resp] Returning AAA response
  *radiusTransportThread: Jan 15 13:26:23.115: [PA] 10:40:f3:84:a2:2a AAA Message 'Success' received for mobile 10:40:f3:84:a2:2a
  *Dot1x_NW_MsgTask_2: Jan 15 13:26:23.115: [PA] 10:40:f3:84:a2:2a processing avps[0]: attribute 11, vendorId 0, valueLen 11
  *Dot1x_NW_MsgTask_2: Jan 15 13:26:23.115: [PA] 10:40:f3:84:a2:2a processing avps[1]: attribute 64, vendorId 0, valueLen 4
  *Dot1x_NW_MsgTask_2: Jan 15 13:26:23.115: [PA] 10:40:f3:84:a2:2a processing avps[2]: attribute 65, vendorId 0, valueLen 4
  *Dot1x_NW_MsgTask_2: Jan 15 13:26:23.115: [PA] 10:40:f3:84:a2:2a processing avps[3]: attribute 81, vendorId 0, valueLen 2
  *Dot1x_NW_MsgTask_2: Jan 15 13:26:23.115: [PA] 10:40:f3:84:a2:2a processing avps[4]: attribute 8, vendorId 0, valueLen 4
  *Dot1x_NW_MsgTask_2: Jan 15 13:26:23.115: [PA] 10:40:f3:84:a2:2a processing avps[5]: attribute 79, vendorId 0, valueLen 40
  *Dot1x_NW_MsgTask_2: Jan 15 13:26:23.115: [PA] 10:40:f3:84:a2:2a Received EAP Attribute (code=2, length=40,id=64) for mobile 10:40:f3:84:a2:2a
  *Dot1x_NW_MsgTask_2: Jan 15 13:26:23.115: [PA] 00000000: xxxxxx
  *Dot1x_NW_MsgTask_2: Jan 15 13:26:23.115: [PA] 00000010: xxxxxx
  *Dot1x_NW_MsgTask_2: Jan 15 13:26:23.115: [PA] 00000020: xxxxxx
  *Dot1x_NW_MsgTask_2: Jan 15 13:26:23.115: [PA] 10:40:f3:84:a2:2a processing avps[6]: attribute 1, vendorId 9, valueLen 16
  *Dot1x_NW_MsgTask_2: Jan 15 13:26:23.115: [PA] 10:40:f3:84:a2:2a processing avps[7]: attribute 25, vendorId 0, valueLen 25
  *Dot1x_NW_MsgTask_2: Jan 15 13:26:23.115: [PA] 10:40:f3:84:a2:2a processing avps[8]: attribute 80, vendorId 0, valueLen 16
  *Dot1x_NW_MsgTask_2: Jan 15 13:26:23.115: [PA] 10:40:f3:84:a2:2a AAA override: Dot1x Authentication PMIP Client AAA Override Enable
  *Dot1x_NW_MsgTask_2: Jan 15 13:26:23.115: [PA] 10:40:f3:84:a2:2a AAA override: Dot1x Authentication, default MPC configuration
  *Dot1x_NW_MsgTask_2: Jan 15 13:26:23.115: [PA] 10:40:f3:84:a2:2a Tunnel-Type 16777229 should be 13 for STA 10:40:f3:84:a2:2a
  *Dot1x_NW_MsgTask_2: Jan 15 13:26:23.116: [PA] 10:40:f3:84:a2:2a Tunnel-Group-Id 9 is not a valid VLAN ID for STA 10:40:f3:84:a2:2a
  *Dot1x_NW_MsgTask_2: Jan 15 13:26:23.116: [PA] 10:40:f3:84:a2:2a Received Session Key from AAA Server for STA 10:40:f3:84:a2:2a.
  I've sanitised some of the debug output to protect the username but the net result is no IP address assigned to the client and unable to connect to the network.
  Would appreciate any guidance as to whether the Wireless Client VLAN's need to be interfaces on the WLC in order to work or whether the likes of Flexconnect could alleviate the L3 boundary?
  Thanks in advance.
  Kind regards,
  Mark

  Hi All,
  After playing with Flexconnect I managed to get the dynamic vlan assignment working.
  Need to create the Flexconnect Group add in the AP's to the gorup and then select the ACL Mapping tab > AAA VLAN-ACL mapping and added in the VLAN of my VLAN that my Tunnel-Group-ID (VLAN ID) had assigned to me.
  Client connected and received the correct IP configuration.
  Thanks
  Mark

• 802.1x authetication with dynamic Vlan assignment by a radius server

  Hi
  At school I want to start using 802.1x authentication with dynamic Vlan assignment by a Windows Server 2012R2 Radius server.
  When a student logs in, I want it to be placed in the "Students" Vlan, when a Administrative employee logs in, I want it to be placed in the "Administative" vlan and when the client is unknown I want to place it in the "Guest" Vlan.
  I have several SG200 switches and I configured everything as mentioned in the administrative guide but I cannot get it to work as desired.
  What does work:
  - If the client is permitted, the switch changes to "authorized" state. (before anyone logs on to the domain with that client)
  - When a User logs on that is part of the Administrative employees, the switch changes to "authorized" and when a student logs on, it changes to "unauthorized". 
  So far so good.
  But what doesn't work:
  - it does not put the administrative employee in the Vlan "Administrative", it just enables the port on the switch but leaves it in the default vlan 1.
  - I can not find the Guest VLAN.
  Any help would be appriciated.

  Hi Wouter,
  Can you see in the packet capture Radius accept message VLAN attribute? Also please ensure you have the latest firmware and boot code:
  http://www.cisco.com/c/en/us/support/switches/sg200-26-26-port-gigabit-smart-switch/model.html#~rdtab1
  I would recommend you to open ticket with Small Business team so they can go with you through packet capture and configuration steps:
  http://www.cisco.com/c/en/us/support/web/tsd-cisco-small-business-support-center-contacts.html
  Regards,
  Aleksandra