Dynamic VLAN, should or should not?
Hi everyone,
My company have 1 Core Switch 6509, this core SW aggregate all access switch.
On the Core SW, I've configuration static IP such as: # arp IP_address MAC_address rarp
However, when the client move from access switch to another access switch, i must to change Vlan in access port.
It's very manually.
To improve the management, I think Dynamic VLAN.
But this solution require all access switch support VMPS, but all access switches in the network system's not support.
To implement this solution, it's require a large investments to purchase the new device.
Can any one advice me a suitable solution.
Thanks in advance!
HoiVN
Kindly check the following link for reference.
sample configuration link
http://www.cisco.com/c/en/us/td/docs/wireless/controller/5700/software/release/3se/security/configuration_guide/b_sec_3se_5700_cg/b_sec_1501_3850_cg_chapter_01110.html
http://www.cisco.com/c/en/us/td/docs/wireless/controller/7-0/configuration/guide/c70/c70intf.html
Trouble shooting link
http://www.cisco.com/c/en/us/support/docs/security/secure-access-control-system/113485-acs5x-tshoot.html
Similar Messages
-
I purchased OS X Lion on my laptop and if I use the same username on my desktop it should just download not make me pay again, yet it is still saying "BUY APP" not "INSTALL." What do I do?
Hi...
How to re download apps from the Mac App Store:
Open the App Store. From the menu bar click Store > Sign In
Click Purchases from the top of the App Store window.
Select which apps you want to re download. Then right or control click where you see Installed then click Install.
Make sure and use the same Apple ID used for the original purchase.
Mac App Store: Backing up your app purchases -
when trying to use find my Iphone says off line , suggestion is to switch on and off airplane mode , so are you saying when you have your phone nicked you should leave a note for the thief to do this so we can trace him?
Ivorbiggin wrote:
so are you saying when you have your phone nicked you should leave a note for the thief to do this so we can trace him?
Yes. -
iphoto says it is running low on disc space. i should have plenty. not sure how to check my space or increase my space
In the finder select your hard drive and get info
LN -
have had my Iphone 5 since June. All of a sudden my other is 5.1GB and i'm almost out of space. How do i do i system restore , if thats what i should do and not loose by stuff
Hi jdbarrett1,
Thanks for using Apple Support Communities. This article has steps you can take for issues with "other" data taking up too much space:
iOS: 'Not enough free space' alert when trying to sync
http://support.apple.com/kb/ts1503
Cheers,
- Ari -
Apple pay is great feature introduced with the new iphone's. But for 5s users who are not gonna upgrade this year, apple is a requirement. Sure they can use it via apple watch. But apple pay with the online payment system can be used via the touch id, i feel.. Apple should make a note of this and enable it for users.
Probably not, as the 5s doesn't have NFC capability.
-
What should I take note when converting Servlets to JSPs files?
Hi Everyone,
I have a web application that currently runs using Servlets and JSP, but i intend to change every servlet file into JSP.
What should I take note?
Please advice and comment.
Thanks in advanceOk, I can see your logic, but I don't agree with it.
It may SEEM like you'll save time, but I'm pretty sure you wouldn't in the end.
So you don't have to restart the Tomcat server so much.
That still doesn't justify writing java code into a JSP.
Whatever you gain from not restarting the server you will lose 10 times over from stupid compile errors/typos that come from writing scriptlet code in a JSP.
Java code belongs in a java class, where you can take advantage of all of the assistance of the IDE for code completion, formatting, compiling, syntax checking etc.
Also if you write your code in classes, you can test them with Junit tests - something harder to do when your logic is embedded in JSPs
Write your java code where it is meant to be. In java classes. Beans/Servlets/whatever.
A JSP is for one purpose only - to produce an HTML page.
Just my 2 cents.
evnafets -
Dynamic vlan assignment does not work
Hello,
I have been trying to configure dynamic vlan assignment for the employee wlan. Trying to put the employee on vlan 20
Here are the components used
WLC: 2100 Software version: 7.0.240.0
AP: 3502I IOS version: 12.4 Mini IOS version: 7.0
Radius server: tried mutiple radius servers (rsa radius , free radius)
On the WLC:
1. Created a AAA server.
2. Along with management interface(vlan 10), configured dynamic interfaces (vlan 20, vlan 30)
3. AP manager interface is on vlan 40
4. Created WLAN assigned to management interface-- WPA2 (AES) , 802.1x
5. on AAA servers tab - checked authentication servers and assigned the AAA server. authentication priority order is set to only radius
Here, I have 2 options for radius overwrite.
one on the AAA servers tab
second on the Advanced tab
I have selected both. or one at a time
Ports between WLC and switch is a trunk
On the AP:
1. Local mode
2. Port between AP and switch switchport access - vlan 40
On radius server:
configured WLC's management interface as client
and assigned the following attributes
tunnel-type := vlan
tunnel-medium-type = ieee-802
tunnel-private-group-id = 20
When i try to authenticate with an iphone it is successful. But it puts me on the same interface as management interface (vlan10). When i do the packet capture i do see the access-accept but i dont see the attributes.
when i use a radius test utility against the radius server I do receive all the attributes.
Im a newbie on this. Iam i missing something here? any help will be much appreciated.Kindly check the following link for reference.
sample configuration link
http://www.cisco.com/c/en/us/td/docs/wireless/controller/5700/software/release/3se/security/configuration_guide/b_sec_3se_5700_cg/b_sec_1501_3850_cg_chapter_01110.html
http://www.cisco.com/c/en/us/td/docs/wireless/controller/7-0/configuration/guide/c70/c70intf.html
Trouble shooting link
http://www.cisco.com/c/en/us/support/docs/security/secure-access-control-system/113485-acs5x-tshoot.html -
Dynamic vlan assignment with 1242AG and IAS not working
I'm having trouble getting the dynamic vlan assignment to work on my 1242AG Cisco Aironet APs. I've seen multiple cases with a similar setup and configuration where it works just fine. I've tried everything I can think of. Any suggestions?
IAS and AD is running on Windows Server 2003
Everything works fine except the vlan assignment. Wireless clients successfully authenticate through IAS and Active Directory, but instead of being switched to the appropriate vlan the client stays in whichever vlan/ssid it originally connected to.
PEAP is the authentication method, using MS-CHAP v2. Naturally I have the attributes in the policy set appropriately, ie:
Tunnel-Medium-Type > 802
Tunnel-Pvt-Group-ID > vlanid
Tunnel-Type > VLAN
On the AP:
Cisco 1242AG, C1240 Software (C1240-K9W7-M), Version 12.4(3g)JA, RELEASE SOFTWARE (fc2)
I've attached the config for the AP, which shows that I have two vlans/SSIDs set to cipher, aes, network eap, wpa, etc. I noticed that if the
Tunnel-Pvt-Group-ID attribute is set to a vlan id that doesn't exist on the AP then the AP makes an event log saying so.Good! Well to answer your questions, IAS is sending numbers, i.e. Tunnel-Pvt-Group-ID > 129
I did view the debug from an AP which showed the Tunnel attributes being recieved from the radius server (I'll have to wait until Monday to get a copy though).
I see I don't have that line "aaa authorization network default group rad_eap",
So I'll have give it a try, (maybe I can remote in so I don't have to wait until Monday).
Thanks,
Jason -
Hello ladies and gentlemen,
I am using several SG300-28 Switches with firmware version 1.1.2.0.
I have dynamic VLAN enabled. As RADIUS server I am using freeradius 2.1.12.
Authentication is only based on the MAC address. (I configured that on the switches)
On the switches I created three VLANs. VLAN100 for the authenticated clients, VLAN200 for Management interface and VLAN300 as Guest VLAN. After a wrong authentication the clients should be put into this Guest VLAN immediately (I configured this on the switches).
I am using Windows XP and Windows 7 clients in my network. I did not configure any EAP settings because I just wnat to use the MAC address.
In most cases the dynamic VLAN assignment and authentication is working fine. The switch log says that the client is authenticated and the same I can see on freeradius log. But in some (rare) cases the client is rejected. The CISCO log says "MAC aa:bb:cc:dd:ee:ff was rejected on port ge17" but when I look at the freeradius log then this MAC address was successfully authorized.
The problem is that the client gets an IP address based on the Guest VLAN300 but after that the switch seems to "switch" the VLAN on the port and then the client is authenticated correctly on the right VLAN but the client does not request a new IP on the new VLAN.
If I unplug and re-plug the LAN cable in most cases the client get the correct VLAN and the correct IP.
This is happening randomly on nearly all my PCs.
I would really appreciate your help. Do I have to set some timers higher ? I don't think it is a problem between switch and RADIUS but a problem between communication of the host and the switch.
Thank you very much for your help!
Regrads
Alexander WilkeThis is from my CISCO log. The computer is always online but there are repeatingly rejects and then with a delay of some minutes an accept.
2147483395
2012-Aug-09 21:40:05
Informational
%SEC-I-PORTAUTHORIZED: Port gi8 is Authorized
2147483396
2012-Aug-09 21:38:23
Warning
%SEC-W-SUPPLICANTUNAUTHORIZED: MAC 00:19:99:0b:8d:b3 was rejected on port gi8
2147483397
2012-Aug-09 21:38:23
Warning
%SEC-W-PORTUNAUTHORIZED: Port gi8 is unAuthorized
2147483398
2012-Aug-09 21:16:05
Informational
%SEC-I-PORTAUTHORIZED: Port gi8 is Authorized
2147483399
2012-Aug-09 21:13:42
Warning
%SEC-W-SUPPLICANTUNAUTHORIZED: MAC 00:19:99:0b:8d:b3 was rejected on port gi8
2147483400
2012-Aug-09 21:13:42
Warning
%SEC-W-PORTUNAUTHORIZED: Port gi8 is unAuthorized
2147483401
2012-Aug-09 21:04:04
Informational
%SEC-I-PORTAUTHORIZED: Port gi8 is Authorized
2147483402
2012-Aug-09 21:03:50
Warning
%SEC-W-SUPPLICANTUNAUTHORIZED: MAC 00:19:99:0b:8d:b3 was rejected on port gi8
2147483403
2012-Aug-09 21:03:50
Warning
%SEC-W-PORTUNAUTHORIZED: Port gi8 is unAuthorized
2147483404
2012-Aug-09 20:52:02
Informational
%SEC-I-PORTAUTHORIZED: Port gi8 is Authorized
2147483405
2012-Aug-09 20:49:02
Warning
%SEC-W-SUPPLICANTUNAUTHORIZED: MAC 00:19:99:0b:8d:b3 was rejected on port gi8
2147483406
2012-Aug-09 20:49:02
Warning
%SEC-W-PORTUNAUTHORIZED: Port gi8 is unAuthorized
2147483407
2012-Aug-09 20:40:04
Informational
%SEC-I-PORTAUTHORIZED: Port gi8 is Authorized
2147483408
2012-Aug-09 20:39:10
Warning
%SEC-W-SUPPLICANTUNAUTHORIZED: MAC 00:19:99:0b:8d:b3 was rejected on port gi8
2147483409
2012-Aug-09 20:39:10
Warning
%SEC-W-PORTUNAUTHORIZED: Port gi8 is unAuthorized
2147483410
2012-Aug-09 20:16:06
Informational
%SEC-I-PORTAUTHORIZED: Port gi8 is Authorized
2147483411
2012-Aug-09 20:14:29
Warning
%SEC-W-SUPPLICANTUNAUTHORIZED: MAC 00:19:99:0b:8d:b3 was rejected on port gi8
2147483412
2012-Aug-09 20:14:29
Warning
%SEC-W-PORTUNAUTHORIZED: Port gi8 is unAuthorized
2147483413
2012-Aug-09 19:28:01
Informational
%SEC-I-PORTAUTHORIZED: Port gi8 is Authorized
2147483414
2012-Aug-09 19:25:08
Warning
%SEC-W-SUPPLICANTUNAUTHORIZED: MAC 00:19:99:0b:8d:b3 was rejected on port gi8
2147483415
2012-Aug-09 19:25:08
Warning
%SEC-W-PORTUNAUTHORIZED: Port gi8 is unAuthorized
2147483416
2012-Aug-09 19:15:59
Informational
%SEC-I-PORTAUTHORIZED: Port gi8 is Authorized
2147483417
2012-Aug-09 19:15:16
Warning
%SEC-W-SUPPLICANTUNAUTHORIZED: MAC 00:19:99:0b:8d:b3 was rejected on port gi8
2147483418
2012-Aug-09 19:15:16
Warning
%SEC-W-PORTUNAUTHORIZED: Port gi8 is unAuthorized
2147483419
2012-Aug-09 19:04:00
Informational
%SEC-I-PORTAUTHORIZED: Port gi8 is Authorized
2147483420
2012-Aug-09 19:00:27
Warning
%SEC-W-SUPPLICANTUNAUTHORIZED: MAC 00:19:99:0b:8d:b3 was rejected on port gi8
2147483421
2012-Aug-09 19:00:27
Warning
%SEC-W-PORTUNAUTHORIZED: Port gi8 is unAuthorized
2147483422
2012-Aug-09 18:27:59
Informational
%SEC-I-PORTAUTHORIZED: Port gi8 is Authorized
2147483423
2012-Aug-09 18:25:55
Warning
%SEC-W-SUPPLICANTUNAUTHORIZED: MAC 00:19:99:0b:8d:b3 was rejected on port gi8
2147483424
2012-Aug-09 18:25:55
Warning
%SEC-W-PORTUNAUTHORIZED: Port gi8 is unAuthorized
Any ideas ? -
WLC 5508: 802.1 AAA override; Authenication success no dynamic vlan assignment
WLC 5508: software version 7.0.98.0
Windows 7 Client
Radius Server: Fedora Core 13 / Freeradius with LDAP storage backend
I have followed the guide at http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml with respective to building the LDAP and free radius server. 802.1x authorization and authenication correctly work. The session keys are returned from the radius server and the wlc send the appropriate information for the client to generate the WEP key.
However, the WLC does not override the VLAN assignment, even though I was to believe I set everything up correctly. From the packet capture, you can see that verfication of client is authorized to use the WLAN returns the needed attributes:
AVP: l=4 t=Tunnel-Private-Group-Id(81): 10
AVP: l=6 t=Tunnel-Medium-Type(65): IEEE-802(6)
AVP: l=6 t=Tunnel-Type(64): VLAN(13)
I attached a packet capture and wlc config, any guidance toward the attributes that may be missing or not set correctly in the config would be most appreciated.Yes good catch, so I had one setting left off in freeradius that allowed the inner reply attributes back to the outer tunneled accept. I wrote up a medium high level config for any future viewers of this thread:
The following was tested and verified on a fedora 13 installation. This is a minimal setup; not meant for a "live" network (security issues with cleartext passwords, ldap not indexed properly for performance)
Install Packages
1. Install needed packages.
yum install openldap*
yum install freeradius*
2. Set the services to automatically start of system startup
chkconfig --level 2345 slapd on
chkconfig --level 2345 radiusd on
Configure and start LDAP
1. Copy the needed ladp schemas for radius. Your path may vary a bit
cp /usr/share/doc/freeradius*/examples/openldap.schema /etc/openldap/schema/radius.schema
2. Create a admin password for slapd. Record this password for later use when configuring the slapd.conf file
slappasswd
3. Add the ldap user and group; if it doesn't exisit. Depending on the install rpm, it may have been created
useradd ldap
groupadd ldap
4. Create the directory and assign permissions for the database files
mkdir /var/lib/ldap
chmod 700 /var/lib/ldap
chown ldap:ldap /var/lib/ldap
5. Edit the slapd.conf file.
cd /etc/openldap
vi slapd.conf
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#Default needed schemas
include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/duaconf.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/java.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/ppolicy.schema
include /etc/openldap/schema/collective.schema
#Radius include
include /etc/openldap/schema/radius.schema
#Samba include
#include /etc/openldap/schema/samba.schema
# Allow LDAPv2 client connections. This is NOT the default.
allow bind_v2
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
# ldbm and/or bdb database definitions
#Use the berkely database
database bdb
#dn suffix, domain components read in order
suffix "dc=cisco,dc=com"
checkpoint 1024 15
#root container node defined
rootdn "cn=Manager,dc=cisco,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# rootpw secret
rootpw
{SSHA}
cVV/4zKquR4IraFEU7NTG/PIESw8l4JI
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools. (chown ldap:ldap)
# Mode 700 recommended.
directory /var/lib/ldap
# Indices to maintain for this database
index objectClass eq,pres
index uid,memberUid eq,pres,sub
# enable monitoring
database monitor
# allow onlu rootdn to read the monitor
access to *
by dn.exact="cn=Manager,dc=cisco,dc=com" read
by * none
6. Remove the slapd.d directory
cd /etc/openldap
rm -rf slapd.d
7. Hopefully if everything is correct, should be able to start up slapd with no problem
service slapd start
8. Create the initial database in a text file called /tmp/initial.ldif
dn: dc=cisco,dc=com
objectClass: dcobject
objectClass: organization
o: cisco
dc: cisco
dn: ou=people,dc=cisco,dc=com
objectClass: organizationalunit
ou: people
description: people
dn: uid=jonatstr,ou=people,dc=cisco,dc=com
objectClass: top
objectClass: radiusprofile
objectClass: inetOrgPerson
cn: jonatstr
sn: jonatstr
uid: jonatstr
description: user Jonathan Strickland
radiusTunnelType: VLAN
radiusTunnelMediumType: 802
radiusTunnelPrivateGroupId: 10
userPassword: ggsg
9. Add the file to the database
ldapadd -h localhost -W -D "cn=Manager, dc=cisco,dc=com" -f /tmp/initial.ldif
10. Issue a basic query to the ldap db, makes sure that we can request and receive results back
ldapsearch -h localhost -W -D cn=Manager,dc=cisco,dc=com -b dc=cisco,dc=com -s sub "objectClass=*"
Configure and Start FreeRadius
1. Configure ldap.attrmap, if needed. This step is only needed if we need to map and pass attributes back to the authenicator (dynamic vlan assignments as an example). Below is an example for dynamic vlan addresses
cd /etc/raddb
vi ldap.attrmap
For dynamic vlan assignments, verify the follow lines exist:
replyItem Tunnel-Type radiusTunnelType
replyItem Tunnel-Medium-Type radiusTunnelMediumType
replyItem Tunnel-Private-Group-Id radiusTunnelPrivateGroupId
Since we are planning to use the userpassword, we will let the mschap module perform the NT translations for us. Add the follow line to check ldap object for userpassword and store as Cleartext-Password:
checkItem Cleartext-Password userPassword
2. Configure eap.conf. The following sections attributes below should be verified. You may change other attributes as needed, they are just not covered in this document.
eap
{ default_eap_type = peap ..... }
tls {
#I will not go into details here as this is beyond scope of setting up freeradisu. The defaults will work, as freeradius comes with generated self signed certificates.
peap {
default_eap_type = mschapv2
#you will have to set this to allowed the inner tls tunnel attributes into the final accept message
use_tunneled_reply = yes
3. Change the authenication and authorization modules and order.
cd /etc/raddb/sites-enabled
vi default
For the authorize section, uncomment the ldap module.
For the authenicate section, uncomment the ldap module
vi inner-tunnel
Very importants, for the authorize section, ensure the ldap module is first, before mschap. Thus authorize will look like:
authorize
{ ldap mschap ...... }
4. Configure ldap module
cd /etc/raddb/modules
ldap
{ server=localhost identify = "cn=Manager,dc=cisco,dc=com" password=admin basedn="dc=cisco,dc=com" base_filter = "(objectclass=radiusprofile)" access_attr="uid" ............ }
5. Start up radius in debug mode on another console
radiusd -X
6. radtest localhost 12 testing123
You should get a Access-Accept back
7. Now to perform an EAP-PEAP test. This will require a wpa_supplicant test libarary called eapol_test
First install openssl support libraries, required to compile
yum install openssl*
yum install gcc
wget http://hostap.epitest.fi/releases/wpa_supplicant-0.6.10.tar.gz
tar xvf wpa_supplicant-0.6.10.tar.gz
cd wpa_supplicant-0.6.10/wpa_supplicant
vi defconfig
Uncomment CONFIG_EAPOL_TEST = y and save/exit
cp defconfig .config
make eapol_test
cp eapol_test /usr/local/bin
chmod 755 /usr/local/bin/eapol_test
8. Create a test config file named eapol_test.conf.peap
network=
{ eap=PEAP eapol_flags=0 key_mgmt=IEEE8021X identity="jonatstr" password="ggsg" \#If you want to verify the Server certificate the below would be needed \#ca_cert="/root/ca.pem" phase2="auth=MSCAHPV2" }
9. Run the test
eapol_test -c ~/eapol_test.conf.peap -a 127.0.0.1 -p 1812 -s testing123 -
Vlans dhcp status are not received
Hello,
I am configuring vlan on sg300-20 in dhcp mode.
One vlan that is directed connected to the adsl router get ip address and when I connect host to the ports in this vlan they also receive ip address and can go on internet.
The other four vlans dhcp status are not received.
Kindly help me check this. Thanks
Below is the config log:
switch4ba497#sh running-config
config-file-header
switch4ba497
v1.2.9.44 / R750_NIK_1_2_584_002
CLI v1.0
file SSD indicator encrypted
ssd-control-start
ssd config
ssd file passphrase control unrestricted
no ssd file integrity control
ssd-control-end cb0a3fdb1f3a1af4e4430033719968c0
vlan database
vlan 5,10,20,30,40
exit
voice vlan oui-table add 0001e3 Siemens_AG_phone________
voice vlan oui-table add 00036b Cisco_phone_____________
voice vlan oui-table add 00096e Avaya___________________
voice vlan oui-table add 000fe2 H3C_Aolynk______________
voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
voice vlan oui-table add 00d01e Pingtel_phone___________
voice vlan oui-table add 00e075 Polycom/Veritel_phone___
voice vlan oui-table add 00e0bb 3Com_phone______________
ip dhcp relay address 192.168.3.1
ip dhcp information option
no boot host auto-config
bonjour interface range vlan 1
hostname switch4ba497
line telnet
exec-timeout 0
exit
no passwords complexity enable
username cisco password encrypted 7af78c911d5b48bea1dc2449d9d89513abeb4be5 privilege
15
ip http timeout-policy 0 http-only
ip name-server 192.168.1.1 192.168.3.1
ip telnet server
interface vlan 1
ip address 192.168.2.254 255.255.255.0
no ip address dhcp
interface vlan 5
name WAN
ip address dhcp
interface vlan 10
name Studio
ip address dhcp
interface vlan 20
name Service
ip address dhcp
interface vlan 30
name Admin
ip address dhcp
interface vlan 40
name Data
ip address dhcp
interface gigabitethernet1
switchport mode access
interface gigabitethernet2
switchport mode access
switchport access vlan 10
interface gigabitethernet3
switchport mode access
switchport access vlan 10
interface gigabitethernet4
switchport mode access
switchport access vlan 10
interface gigabitethernet5
switchport mode access
switchport access vlan 10
interface gigabitethernet6
switchport mode access
switchport access vlan 10
interface gigabitethernet7
switchport mode access
switchport access vlan 10
interface gigabitethernet8
switchport mode access
interface gigabitethernet9
switchport mode access
switchport access vlan 20
interface gigabitethernet10
switchport mode access
switchport access vlan 20
interface gigabitethernet11
switchport mode access
switchport access vlan 20
interface gigabitethernet12
switchport mode access
switchport access vlan 20
interface gigabitethernet13
switchport mode access
switchport access vlan 30
interface gigabitethernet14
switchport mode access
switchport access vlan 30
interface gigabitethernet15
switchport mode access
switchport access vlan 30
interface gigabitethernet16
switchport mode access
switchport access vlan 30
interface gigabitethernet17
switchport mode access
interface gigabitethernet18
switchport trunk native vlan 40
interface gigabitethernet19
switchport mode access
switchport access vlan 5
interface gigabitethernet20
switchport trunk native vlan 5
switch4ba497#sh ip int
IP Address I/F Type Directed Precedence Status
Broadcast
0.0.0.0/32 vlan 10 DHCP disable No Not
received
0.0.0.0/32 vlan 20 DHCP disable No Not
received
0.0.0.0/32 vlan 30 DHCP disable No Not
received
0.0.0.0/32 vlan 40 DHCP disable No Not
received
192.168.2.254/24 vlan 1 Static disable No Valid
192.168.3.102/24 vlan 5 DHCP disable No Valid
switch4ba497#
Also i do not understand why the ip address is 0.0.0.0/32 because the dhcp server ip address is 192.168.3.1Dear Customer,
Thank you for reaching Small Business Support Community.
In Layer 2 system mode, only the management VLAN can be configured with a static or dynamic IP address. In Layer 3 system mode, all the interface types (ports,LAGs, and/or VLANs) on the device can be configured with a static or dynamic IP. Configuring the device to work in either mode is performed in the Administration >System Settings page
When a DCHP Client starts a discovery process, it assigns a dummy IP address 0.0.0.0 before the real address is obtained. This dummy address has the status of “Not Received”.
Pretty much your problem should be solved by changing to Layer3 system mode. Please let me know if anything comes up and/or if there is any further assistance I may help you with.
Kind regards,
Jeffrey Rodriguez S. .:|:.:|:.
Cisco Customer Support Engineer
*Please rate the Post so other will know when an answer has been found. -
Dynamic VLAN assignment on SG300
Cisco documentation states that dynamic vlan assignment via RADIUS should provide the following IETF values:
The RADIUS user attributes used for the VLAN ID assignment are:
IETF 64 (Tunnel Type)—Set this to VLAN.
IETF 65 (Tunnel Medium Type)—Set this to 802
IETF 81 (Tunnel Private Group ID)—Set this to VLAN ID
I have done so with an Aruba Clearpass RADIUS server - but the Access-Accept message being sent below:
Radius:IETF:Tunnel-Medium-Type 6
Radius:IETF:Tunnel-Private-Group-Id 4
Radius:IETF:Tunnel-Type 13
is being received by the SG300 in some way that's not being interpreted correctly. Log files indicate that the IETF values are not what is expected:
07-Aug-2014 18:58:41 :%SEC-W-SUPPLICANTUNAUTHORIZED: username teststudent with MAC 00:11:25:d8:42:83 was rejected on port gi2 because Radius accept message does not contain VLAN ID
07-Aug-2014 18:58:41 :%AAAEAP-W-RADIUSREPLY: Invalid attribute 65 ignored - tag should be 0
07-Aug-2014 18:58:41 :%AAAEAP-W-RADIUSREPLY: Invalid attribute 64 ignored - tag should be 0
Is there something I'm missing here? These same values sent by the Clearpass RADIUS server are working for other switches such as Extreme and Brocade.
Thanks,
AaronHi Aleksandra,
Here are the values from a packet capture of the Access-Accept message: -
Dynamic VLAN assignment and DHCP
Hello
I have just upgraded our WLC from 4.0 to 7.0 (via 4.2).
Before the upgrade we had our ACS returning a VLAN based on user group. This seemed to be working without an issue. Now that the WLC is on version 7 this is no longer working correctly. The ACS is returning a VLAN and passing the user but the client can not get an IP from the DHCP server configured.
Example configuration:
SSID-----VLAN
PN-CSC-----CSCVlan: Works
PN-Others------OthersVlan: Works
PN-Others-----CSCVlan: No DHCP
When users are trying to be allocated to a vlan that is different from the native one the DHCP fails however both WLANs are configured to point to the management interface so dont have any real connection to the vlan other than by name.
Have there been any changes I haven't seen in the way the dynamic vlan allocation works in version 7?Yes, DHCP proxy could be the culprit here. In 4.0 it was only a CLI command to enable/disable the proxy feature. In 5.2, I think, and later it is in the GUI
as well.
There is a defect filed against the behavior of the WLC DHCP funtion out there currently. If all of your DHCP is coming from external resources than you can disable proxy. If, however, you are using the WLC as DHCP server for guest access, then proxy must be enabled. If the later is true, you should contact TAC, as there is an engineering special available that has the defect resolution.
Sorry I can't provide the defect ID, my CCO account is acting up.
Cheers,
Steve
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it. -
Flexconnect dynamic VLAN assignment doubt
Hi, all,
I am trying to understand how FlexConnect with dynamic VLAN assignment works. We have the need to dynamically put people in different VLANs based on their AD groups (all employees use the same SSID), I can understand that in traditional CAPWAP mode, AP just tunnels all traffic to WLC, WLC is the authenticator and it knows what users' identities are and can encapsulate user traffic to different VLANs before send the traffic to the switch it connects. Here is the part I don't understand:
1) If APs are operating in Flexconnect mode (APs are trunking to switches), how does each AP know what VLAN tag to put a specific user traffic on? AP is not authenticator, it knows nothing about associated client's AD identify. How does WLC convey the dynamical VLAN information to APs?
2) I want to eliminate WLCs in remote offices by letting all remote office APs join HQ WLC with FlexConnect mode, I can keep the same VLAN mapping scheme in remote office switching environment, in some offices I want to do local authentication (Domain controller + Radius Server), looks like I can specify Radius server in FlexConnect group, in this case will APs become authenticator? Since Radius clients have to be explicitly configured on NPS/Radius server side, does this means I have to statically configure each AP's IP?
3) I have over a dozen APs in HQ which are operating at FlexConnect mode, but the SSID's "local central authentication" checkbox is not checked, if I want to have local authentication in remote office, seems that I have to turn on "local authentication" on this SSID, does that mean I have to add each and everyone of those HQ APs to Radius/NPS server client list?
Thanks,Hi ,
1) Aps knows about Vlans as we can define them inside the Flex connect groups. This is the same way we define flex connect ACLs which are pushed to the Flex APs and are returned by the Radius server later on.
2) If you are going for Central authentication + local switching ....WLCs will always act like central authenticator and would talk to the radius server. If you have some radius servers at the local site and you want them to use without going through the central authentication..you can do that using (local authentication + local switching). Yes, In this case AP will be authenticator and would be AAA client to be added in the Radius server.
3)yes ,,you are correct. If you want that your AP should do authentication and talk to the local radius server at the site , it has to be added in the Radius server.
Regards
Dhiresh
**Please rate helpful posts**
Maybe you are looking for
-
Opened Firefox this morning and it was like I had just installed it for the first time
What is going on with Firefox. Everything was fine last night. This morning I opened it to check the weather and what opened was a new Firefox asking me if I wanted to make it my default browser. All my bookmarks were there. All the add-ons were ther
-
Since the last upgrade, when the browser is open the mouse randomly clicks on things changes windows by itself. In addition highlighting things to cut and past is almost impossible... this transfers over to all open programs word, movie maker, audaci
-
DB13 whole DB online + redo log backup
Hi expetrs, I am using hp-ux with oracle with ECC6.0 and data protector. I ran DB13 whole DB online + redo log backup on tape and it ran successful on specified tape. But if i check data on tape via login on data protector it shows no data. Also i ch
-
Hi, Is it possible to add a mechanism to Weblogic which would intercept EJB lookups and requests (on a per bean and per method basis), and perform custom access control logic? This mechanism should be seamless and transparent to client code so that e
-
Hi there, I have some CGI shots that were delivered to me in Quicktime Animation with Alpha that I need to edit and return to the client in a similar format (with transparency). Premiere CC views the clips with Alpha just fine. As soon as I try to ex