Dynamic VLAN on Access Point using RADIUS

Hi.
I am using a single Cisco 1130AG authenticating to RADIUS on Microsoft IAS (I do NOT have a WLC).
I was wondering whether it is possible to use one flat SSID in my network and then dynamically assign VLANs to users based on matching of RADIUS policy and RADIUS return attributes?
I have configured the attributes on RADIUS as per the documentation:
* IETF 64 (Tunnel Type)—Set this to VLAN.
* IETF 65 (Tunnel Medium Type)—Set this to 802.
* IETF 81 (Tunnel Private Group ID)—Set this to VLAN ID.
The returned VLAN ID exists on the Access Point and direct connection to the SSID without the return value works okay.
Each time I connect, the VLAN just defaults to the native VLAN for the SSID.
I think it may be impossible without WLC!
HELP!!

From what I found when using MBSSID it appears you cannot use dynamic VLANs.
However you can use a single broadcasted SSID and various non-broadcast SSIDs with dynamic VLANs.
Ideally a single SSID and dynamic VLANs via dot1x would be fine for my setup.
However, I have a specific wireless device which cannot use dot1x/EAP and therefore I need a second broadcast SSID to use for this, which then causes the dynamic VLAN setup not to work.
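
The three return attributes listed in the first post can be checked in the RADIUS reply itself. The following is an added example, not code from the thread or from Cisco or Microsoft: it parses an Access-Accept and reports whether attributes 64, 65 and 81 carry the values RFC 3580 specifies for VLAN assignment (Tunnel-Type 13, Tunnel-Medium-Type 6, a VLAN ID string). The function names are hypothetical, the sample packet is constructed, and the Response Authenticator is not verified.

```python
import struct

# Attribute numbers as listed in the post; expected values per RFC 3580.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TYPE_VLAN, MEDIUM_802, ACCESS_ACCEPT = 13, 6, 2


def parse_attributes(packet: bytes):
    """Return (code, [(type, value_bytes), ...]) for one RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("bad length field")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError(f"attribute {a_type} has bad length {a_len}")
        attrs.append((a_type, packet[pos + 2:pos + a_len]))
        pos += a_len
    return code, attrs


def vlan_from_accept(packet: bytes):
    """Return (vlan_id, problems); vlan_id is None unless every check passes."""
    code, attrs = parse_attributes(packet)
    if code != ACCESS_ACCEPT:
        return None, [f"code {code} is not Access-Accept"]
    first = dict(reversed(attrs))  # keeps the first instance of each attribute
    problems = []
    for a_type, want, name in ((TUNNEL_TYPE, TYPE_VLAN, "Tunnel-Type"),
                               (TUNNEL_MEDIUM_TYPE, MEDIUM_802, "Tunnel-Medium-Type")):
        value = first.get(a_type)
        if value is None:
            problems.append(f"{name} ({a_type}) missing")
        elif len(value) != 4 or int.from_bytes(value[1:], "big") != want:
            # value is a 1-byte tag followed by a 3-byte integer (RFC 2868)
            problems.append(f"{name} ({a_type}) is not {want}")
    group = first.get(TUNNEL_PRIVATE_GROUP_ID)
    vlan = None
    if not group:
        problems.append("Tunnel-Private-Group-ID (81) missing")
    else:
        if group[0] <= 0x1F:       # optional tag octet before the string
            group = group[1:]
        text = group.decode("ascii", "replace")
        if text.isdigit() and 1 <= int(text) <= 4094:
            vlan = int(text)
        else:
            problems.append(f"Tunnel-Private-Group-ID {text!r} is not a VLAN ID")
    return (vlan if not problems else None), problems


def sample_accept(tunnel_type=TYPE_VLAN, group=b"30", code=ACCESS_ACCEPT):
    """Constructed sample packet: zero authenticator, no shared secret."""
    attrs = [(TUNNEL_TYPE, b"\x00" + tunnel_type.to_bytes(3, "big")),
             (TUNNEL_MEDIUM_TYPE, b"\x00" + MEDIUM_802.to_bytes(3, "big")),
             (TUNNEL_PRIVATE_GROUP_ID, group)]
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, 1, 20 + len(body)) + bytes(16) + body
```

Calling `vlan_from_accept(sample_accept())` returns `(30, [])`; a reply that fails any check returns `None` with the reasons, which separates a RADIUS policy problem from an access point that ignores a well-formed reply.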

Similar Messages

  • ACS with Dynamic VLAN which protocol to use ??

    Hello,
    Which Protocol do I need to use, for providing dynamic VLAN to my desktop machines?
    In ACS 4.0, if I use the local database of ACS then users successfully get the dynamic VLAN, and as soon as I use the AD database while integrating it with ACS, the authentication fails!!
    Please help.

    Hi,
    Thanks for the reply. I am using EAP-MD5.
    However, the problem is that if I am using the ACS Solution Engine local database, users are getting the dynamic VLAN after authentication.
    But when I use AD as the user database, the authentication fails. An even stranger thing is that if I use the AD database to log in to any Cisco router then the authentication works fine.
    I have even been struggling with TAC since last week in two different cases! However, they are unable to help! I found TAC has limited resources for ACS.
    So please suggest what to do, as on the Cisco site I found lots of material for wireless but I have only desktops (no wireless).
    So will the URL mentioned below be of any help?
    http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00805e7a18.shtml
    Thanks in advance
    Vijay

  • Scale out file server client access point using public nic

    Thoughts on this one.
    I have a Scale Out File Server cluster with a Client Access Point. Whenever I talk to the Client Access Point it uses the public NICs.
    If I talk to the Scale Out File Server directly it uses the private one like I want it to. How can I get the Client Access Point using the private NICs?

    Hi JustusIV,
    Could you tell us why you want to modify the CAP to use the “private” network? The CAP is used for client access, so your clients may not be able to access your cluster if you modify your CAP to use the private network. If you want to know how to modify the CAP of a cluster, you can refer to the following KB:
    Modify Network Settings for a Failover Cluster
    http://technet.microsoft.com/en-us/library/cc725775.aspx
    More information:
    Understanding Access Points (Names and IP Addresses) in a Failover Cluster
    http://technet.microsoft.com/en-us/library/cc732536.aspx
    Windows Server 2008 Failover Clusters: Networking (Part 4)
    http://blogs.technet.com/b/askcore/archive/2010/04/15/windows-server-2008-failover-clusters-networking-part-4.aspx
    Hope this helps.

  • How to add second access point using coax

    I have FIOS with the coax line split out of the main fios box. One split goes to room A that has the Actiontec router and a STB.   The other line goes into room B where there is just a STB. I have poor wireless signal in room B and I would like to add a second access point.  I've read up on the devices that try to amplify your signal and see that they tend to reduce speeds, so this does not seem like a viable option. Because of my building arrangement, I can't do any sort of new wiring. 
    I'd like to try to minimize how much configuration I have to do and even if it means paying a bit more to do so. From what I can tell, I could split the coax in Room B and plug in an ActionTEC ECB2200.  But, this would only give me a ethernet connection. If I plug in a second router via that ethernet connection, would that give me a second access point? Would I need to set up the second router in bridge mode? If this is the case, would it just make sense to plug the second router in without the ActionTEC ECB2200 in bridge mode from the coax input? 
    Thanks in advance.
    BT

    sabretd wrote:
    Actually I just came across this link, which I think explains what I need to do as item 2:
    http://www.dslreports.com/faq/15984
    Yes, this is Section 3.2 in the link I provided earlier.
    sabretd wrote:
    My only question is, when starting the process and performing the following:
    2.1) You will need to reconfigure the remote router, BEFORE you connect it to the coax.
    Perform a hard reset on the Actiontec to restore factory defaults.
    Connect a PC to a LAN port of the Actiontec.
    By default, DHCP server should be enabled on the Actiontec, so no need to set a static IP address on the PC.
    Login to the router at 192.168.1.1 
    How do I connect the primary and secondary Actiontec? Do I disconnect the primary and plug the secondary into coax and do all this, and then when finished plug the primary back in? Or, do I leave the primary plugged in the whole time?
    First you set up the secondary router by connecting it to any computer using an Ethernet cable.  Assuming you have reset the device, go to 192.168.1.1 and make the necessary changes in router number two.
    Leave the primary router alone (unless you decide on a scheme with a fixed IP for the second router) and it will supply an IP to router two, which will serve as a simple wireless access point.  Detailed settings and a step-by-step cookbook procedure are provided in the references given above.  Good luck.

  • How to set WNDR4000 as an access point using Linksys EA8500

    New member. I have looked through the messages and found quite a few on access points but either I don't understand them or the topic is not the same. I had a Netgear R7000 which died and I now have a Linksys EA8500. I am getting good speed through it and am on Comcast cable. The WNDR4000 was set up as an access point on my Netgear and worked fine. It is hard wired to my router through a switch. I can see it on my Linksys network but can't understand how to allow it as an access point / internet access. I can connect a device to the WNDR4000 but there is no internet. I have the MAC address for the WNDR4000. Thanks in advance to the group. rick

    Thanks again. Here are more details.
    My Linksys router's IP is 192.168.1.1. No problem logging in to it.
    IP range is 192.168.1.100 192.168.1.149
    50 max connections
    No static DNS
    Netgear AP is 192.168.1.100 and it is static. (I can change the range per other reply to start at 101)
    NAT is enabled
    Dynamic routing not enabled
    No static routing
    VLan off
    Internet settings
    DHCP auto config
    Optional Name: bad
    MTU > Auto
    Mac Address Clone: not enabled
    Cable info:
    Linksys router - port 4 connected to my Airlink 101 1000M switch.
    Airlink 101 > plugged into port 15 x 10/100/1000Mbps Auto MDI/MDI-X Gigabit Ethernet port
    Netgear WNDR4000 > plugged into Internet port
    When I try to connect to the Netgear using 192.3168.1.100 it cannot connect.
    Not Found > Web Server at airlink101.com
    I may need to connect the Netgear directly to my laptop and try to access its UI. As I mentioned it shows up in my Network on the Linksys. I was able to connect a laptop wirelessly to it but it has no internet. I hope this helps.
    thanks again
    rick

  • SSIDs and VLAN on access points

    The commands to map an SSID to a VLAN on an IOS access point are basically like this:
    [snip]
    dot11 ssid MYSSID
    vlan 5
    interface Dot11Radio0
    ssid MYSSID
    interface Dot11Radio0.5
    encapsulation dot1q 5
    bridge-group 5
    interface FastEthernet0
    interface FastEthernet0.5
    encapsulation dot1q 5
    bridge-group 5
    [snip]
    My question is this: what does the command "vlan 5" actually do? Does it map MYSSID to bridge-group 5, which is then mapped to 802.1q tag 5 by the subinterface configurations (so that the tag number is arbitrary), or does it map MYSSID to 802.1q tag 5 on the radio interface, which is then bridged to the appropriate dot1q subinterface on the wired side by the bridge group (so that the bridge group number is arbitrary)?

    Vlan tag is tied to SSID and Bridge group is also tagged to appropriate vlan mentioned as bridge group number

  • Management vlan on access point

    Hello
    If I connect my access point (1130) to a switch trunk port (because I need different VLANs on different SSIDs) how can I define on which VLAN the APs IP address is?
    Must it be the native VLAN? If so, where do I have to define it?
    Thanks
    Thomas

    you will need to add the management ip on the native vlan via BVI1
    interface BVI1
    ip address 172.16.10.28 255.255.255.192
    no ip route-cache
    do a conf t
    then in bvi1
    ip add xxx.xxx.xxx.xxx yyy.yyy.yyy.yyy
    where x is the IP and y is the netmask

  • Installing a Linksys Access Point using a Mac

    I apologize for this topic being irrelevant to AirPort, but I am hoping someone can help...
    I am a University student and trying to help my friend who lives in a dorm. At school there is a high speed local network and internet connection (I'm guessing massive amounts of T1s or T3s)... Left behind by a previous roommate is a Linksys WAP54G v2.0 which is a wireless access point NOT a router...I am told that it used to work, but one day stopped...
    I have already reset the WAP (as they call it not to be confused with cell phone browsers)...now the name displays the default "linksys" title. I plug it in to the ethernet jack and "You are not connected to the internet" according to Safari...
    my question is... how do you access the settings for the WAP.... on MY DSL modem and gateway, for example i type in 192.168.0.1 and I have also set this up with Mac OS X for a gaming adapter but i simply cannot figure out the IP address for this router and the Network Preferences to use when I plug the Linksys WAP into my computer. (I tried the default suggestion in my browser 192.168.1.245 but no luck, do I need to enter this in the Network panel of my System Prefs?)
    I do not have the original setup and install CD available, and if I did, we only use Mac OS X... so does anyone have any ideas? Also... is it even possible to use a "Wireless Access Point" as opposed to a Router on a University campus (High speed LAN connected to WAN)? I don't know how it works with the DHCP... I would like for 3 people to be able to use this access point simultaneously.
    Thank you for any help in advance!

    Linksys WAP54G v2.0 which is a wireless access point NOT a
    router...I am told that it used to work, but one day
    stopped...
    It may be dead so this may be futile...
    From the Linksys product page it doesn't seem to support web configuration and the only way is with their PC utility. That means if you don't have VirtualPC you will need a PC.
    I have already reset the WAP (as they call it not to
    be confused with cell phone browsers)...now the name
    displays the default "linksys" title. I plug it in to
    the ethernet jack and "You are not connected to the
    internet" according to Safari...
    The WAP will need to get an IP from the campus DHCP bridged to your laptop and they probably changed the system to not allow wireless bridges. Does the laptop work when plugged into the dorm jack with ethernet? Did you have to register the MAC address? Can you register the MAC address of the wireless card instead of the ethernet?
    is it even
    possible to use a "Wireless Access Point" as opposed
    to a Router on a University campus (High speed LAN
    connected to WAN)?
    It all depends on their policy. Have you asked them?
    I don't know how it works with the
    DHCP... I would like for 3 people to be able to use
    this access point simultaneously.
    Usually they allow one MAC address per ethernet jack and keep control of it so you can't share it! Depending on their sophistication they may also detect rogue access points. If not, you might be able to use a wireless router like an Airport Express. Ask them. There may be a hacker's way around but that answer won't be found here.

  • Cannot determine MAC address of connected Access Point using Access Connections version 5

    I recently installed the newest version of Access Connections (version 5) and discovered I am unable to determine the MAC address of the connected access point.  The 'Graphical' screen shows the SSID, IP address of client etc - but does not show the MAC address of the access point.  The 'Details' screen shows the MAC address of the access points - but the radial button on the left does not indicate the currently associated access point.

    Is it the switch where the node is directly connected ?
    Is the NIC at node side, working fine ?
    Another fact to consider is, a mac will wipe itself out after the MAC-age timeout.
    Parvesh

  • Multiple vlan on Access point

    Hi,
    I have three APs but only one is connected with a network cable and the others work in repeater mode.
    I need to create two VLANs which will broadcast two SSIDs, one for office and one for guest. I know you can't create multiple VLANs on a repeater, but is there any way round this with only one AP connected to the network and the others working in repeater mode?
    Thanks

    You probably can if you configure one radio as a repeater and the other radio for client access, but they will be placed on the same subnet, which is your native VLAN. I'm not 100% sure that would work anyway, but I know you can't separate the traffic.
    Thanks,
    Scott Fella

  • 802.1x access points using ISE for trigger

    We are deploying APs with 802.1x ports. We do not want to have static AP ports. When plugged into a switch port with 802.1x configured the AP does not kick up the smart port trigger. How do I link the trigger from ISE to send the response for the trigger on the switch to reconfigure the switchport for an AP?
    thanks,

    Hello,
    Please check this link for "802.1x using Cisco ISE", it may help you in this.
    https://supportforums.cisco.com/docs/DOC-29409

  • Connecting guest to access points using wpa

    Hi all
    is it possible to get my wireless clients to connect without a wpa password, for guest logins ?

    Hi There
    how will my wireless connect when using webauth, does that mean the traffic is unencrypted ??
    will my pc automatically connect to the wireless when there is no auth set on the controller ?
    cheers
    Carl

  • Cisco Prime LMS 4.1 - Do access points use up a node count license?

    Hi Everyone,
    I wish to purchase Cisco Prime LMS 4.1, particularly Cisco part # R-LMS-4.1-500-K9 which support 500 Cisco nodes.
    We have about 360 Cisco switches/routers/ASA/FWs/WLCs so the 500 nodes license would seem to suffice for now & for future growth.
    We also have about 200 lightweight APs that are managed & monitored by our WLC/WCS/Navigator environment.
    According to the device support documentation for LMS, it supports and I assume will auto-discover these APs.
    Does that mean these APs will use up node licenses on LMS even though management of the APs is done by WLC/WCS?  If so is there an easy way to suppress discovery of APs by LMS so we don’t have to purchase extra node licenses for LMS?  Or, does LMS offer additional support features for wireless APs not already offered by WLC/WCS/Navigator?
    Just trying to understand how many network node licenses for LMS I have to purchase.
    Thanks in advance for your help,
    Ian.

    Thanks but I just heard back from my Cisco SE and he assures me that an AP will NOT use up a license.
    I've asked him to verify his answer for me.
    Is your answer based on real world experience (the best there is)?  That is, are you running Prime LMS 4.1 and does it indeed use up a license for each light-weight AP it discovers & manages?
    Thanks for mentioning options 1-3 but I do not wish to employ any of them.  I don't mind buying the additional licenses for APs ... I just need to know if I have to or not.
    Ian.

  • P1102w 'unable to communicate with any wireless router or access point using the provided SSID

    For more than 1 1/2 years I have been able to print wirelessly.  Prior to getting all set up, I was getting this message and had difficulty with the setup.  At that time I was under warranty, so I was able to get help from HP.  However, it took techs a very long time to figure out why I was receiving this message.  I somewhat recall doing something in the control panel and checking the SSID and password.
    I recently received a new wireless router and now my printer does not work wirelessly.  I can't figure it out!! 
    Anyone having the same problem?

    Replacing your wireless router try here.
    http://www.hp.com/global/au/en/wireless/reconfiguring-system-help3.html
    I worked for HP but now I'm retired!

  • Dynamic VLAN Assignment with RADIUS Server and Aironet Access Points

    Hi Guys,
    I would like to go for "Dynamic VLAN Assignment with RADIUS Server and Aironet Access Points 1300". I want the AP to broadcast only 1 SSID. The client finds the SSID -> puts in his user credentials -> RADIUS authentication -> assign him to a specific VLAN based on his groupship.
    The problem here is that I don't have an AP controller but only configurable Aironet Access Points 1300. I can connect to the RADIUS server, but I am not sure how to configure the AP's port, radio port, VLAN and SSID.
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml#switch
    I go through some references:
    3.5  RADIUS-Based VLAN Access Control
    As discussed earlier, each SSID is mapped to a default VLAN-ID on the wired side. The IT administrator may wish to impose back end (such as RADIUS)-based VLAN access control using 802.1X or MAC address authentication mechanisms. For example, if the WLAN is set up such that all VLANs use 802.1X and similar encryption mechanisms for WLAN user access, then a user can "hop" from one VLAN to another by simply changing the SSID and successfully authenticating to the access point (using 802.1X). This may not be preferred if the WLAN user is confined to a particular VLAN.
    There are two different ways to implement RADIUS-based VLAN access control features:
    1. RADIUS-based SSID access control: Upon successful 802.1X or MAC address authentication, the RADIUS server passes back the allowed SSID list for the WLAN user to the access point or bridge. If the user used an SSID on the allowed SSID list, then the user is allowed to associate to the WLAN. Otherwise, the user is disassociated from the access point or bridge.
    2. RADIUS-based VLAN assignment: Upon successful 802.1X or MAC address authentication, the RADIUS server assigns the user to a predetermined VLAN-ID on the wired side. The SSID used for WLAN access doesn't matter because the user is always assigned to this predetermined VLAN-ID.
    extract from: Wireless Virtual LAN Deployment Guide
    http://www.cisco.com/en/US/products/hw/wireless/ps430/prod_technical_reference09186a00801444a1.html
    ==============================================================
    Dynamic VLAN Assignment with RADIUS Server and Wireless LAN Controller Configuration Example
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml#switch
    ==============================================================
    Controller: Wireless Domain Services Configuration
    http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_example09186a00801c951f.shtml
    Any help on this issue is appreciated.
    Thanks.

    I'm not sure if the Autonomous APs have the option for AAA Override.  On the WLC, I can go into the BSSID, Security, Advanced, and there's a checkbox that I would check to allow a Radius server to send back the VLAN.
    I did a little research and it looks like the 1300 may give this option but instead is defined as "VLAN Override".  I've found the release notes for 12.3(7)JA5 (not sure what version you're running) that give mention and a link to configuring EAP on page 4: http://www.ciscosystems.ch/en/US/docs/wireless/access_point/1300/release/notes/o37ja5rn.pdf
    Hope this helps
