Dynamic vlan

Similar Messages

• SG300-28 Firmware 1.1.2.0 and 1.2.7.76 - Dynamic VLAN+freeRADIUS - Client get rejected

  Hello ladies and gentlemen,
  I am using several SG300-28 Switches with firmware version 1.1.2.0.
  I have dynamic VLAN enabled. As RADIUS server I am using freeradius 2.1.12.
  Authentication is only based on the MAC address. (I configured that on the switches)
  On the switches I created three VLANs. VLAN100 for the authenticated clients, VLAN200 for Management interface and VLAN300 as Guest VLAN. After a wrong authentication the clients should be put into this Guest VLAN immediately (I configured this on the switches).
  I am using Windows XP and Windows 7 clients in my network. I did not configure any EAP settings because I just wnat to use the MAC address.
  In most cases the dynamic VLAN assignment and authentication is working fine. The switch log says that the client is authenticated and the same I can see on freeradius log. But in some (rare) cases the client is rejected. The CISCO log says "MAC aa:bb:cc:dd:ee:ff was rejected on port ge17" but when I look at the freeradius log then this MAC address was successfully authorized.
  The problem is that the client gets an IP address based on the Guest VLAN300 but after that the switch seems to "switch" the VLAN on the port and then the client is authenticated correctly on the right VLAN but the client does not request a new IP on the new VLAN.
  If I unplug and re-plug the LAN cable in most cases the client get the correct VLAN and the correct IP.
  This is happening randomly on nearly all my PCs.
  I would really appreciate your help. Do I have to set some timers higher ? I don't think it is a problem between switch and RADIUS but a problem between communication of the host and the switch.
  Thank you very much for your help!
  Regrads
  Alexander Wilke

  This is from my CISCO log. The computer is always online but there are repeatingly rejects and then with a delay of some minutes an accept.
  2147483395
  2012-Aug-09 21:40:05
  Informational
  %SEC-I-PORTAUTHORIZED: Port gi8 is Authorized       
  2147483396
  2012-Aug-09 21:38:23
  Warning
  %SEC-W-SUPPLICANTUNAUTHORIZED: MAC 00:19:99:0b:8d:b3 was rejected on port gi8        
  2147483397
  2012-Aug-09 21:38:23
  Warning
  %SEC-W-PORTUNAUTHORIZED: Port gi8 is unAuthorized       
  2147483398
  2012-Aug-09 21:16:05
  Informational
  %SEC-I-PORTAUTHORIZED: Port gi8 is Authorized       
  2147483399
  2012-Aug-09 21:13:42
  Warning
  %SEC-W-SUPPLICANTUNAUTHORIZED: MAC 00:19:99:0b:8d:b3 was rejected on port gi8        
  2147483400
  2012-Aug-09 21:13:42
  Warning
  %SEC-W-PORTUNAUTHORIZED: Port gi8 is unAuthorized       
  2147483401
  2012-Aug-09 21:04:04
  Informational
  %SEC-I-PORTAUTHORIZED: Port gi8 is Authorized       
  2147483402
  2012-Aug-09 21:03:50
  Warning
  %SEC-W-SUPPLICANTUNAUTHORIZED: MAC 00:19:99:0b:8d:b3 was rejected on port gi8        
  2147483403
  2012-Aug-09 21:03:50
  Warning
  %SEC-W-PORTUNAUTHORIZED: Port gi8 is unAuthorized       
  2147483404
  2012-Aug-09 20:52:02
  Informational
  %SEC-I-PORTAUTHORIZED: Port gi8 is Authorized       
  2147483405
  2012-Aug-09 20:49:02
  Warning
  %SEC-W-SUPPLICANTUNAUTHORIZED: MAC 00:19:99:0b:8d:b3 was rejected on port gi8        
  2147483406
  2012-Aug-09 20:49:02
  Warning
  %SEC-W-PORTUNAUTHORIZED: Port gi8 is unAuthorized       
  2147483407
  2012-Aug-09 20:40:04
  Informational
  %SEC-I-PORTAUTHORIZED: Port gi8 is Authorized       
  2147483408
  2012-Aug-09 20:39:10
  Warning
  %SEC-W-SUPPLICANTUNAUTHORIZED: MAC 00:19:99:0b:8d:b3 was rejected on port gi8        
  2147483409
  2012-Aug-09 20:39:10
  Warning
  %SEC-W-PORTUNAUTHORIZED: Port gi8 is unAuthorized       
  2147483410
  2012-Aug-09 20:16:06
  Informational
  %SEC-I-PORTAUTHORIZED: Port gi8 is Authorized       
  2147483411
  2012-Aug-09 20:14:29
  Warning
  %SEC-W-SUPPLICANTUNAUTHORIZED: MAC 00:19:99:0b:8d:b3 was rejected on port gi8        
  2147483412
  2012-Aug-09 20:14:29
  Warning
  %SEC-W-PORTUNAUTHORIZED: Port gi8 is unAuthorized       
  2147483413
  2012-Aug-09 19:28:01
  Informational
  %SEC-I-PORTAUTHORIZED: Port gi8 is Authorized       
  2147483414
  2012-Aug-09 19:25:08
  Warning
  %SEC-W-SUPPLICANTUNAUTHORIZED: MAC 00:19:99:0b:8d:b3 was rejected on port gi8        
  2147483415
  2012-Aug-09 19:25:08
  Warning
  %SEC-W-PORTUNAUTHORIZED: Port gi8 is unAuthorized       
  2147483416
  2012-Aug-09 19:15:59
  Informational
  %SEC-I-PORTAUTHORIZED: Port gi8 is Authorized       
  2147483417
  2012-Aug-09 19:15:16
  Warning
  %SEC-W-SUPPLICANTUNAUTHORIZED: MAC 00:19:99:0b:8d:b3 was rejected on port gi8        
  2147483418
  2012-Aug-09 19:15:16
  Warning
  %SEC-W-PORTUNAUTHORIZED: Port gi8 is unAuthorized       
  2147483419
  2012-Aug-09 19:04:00
  Informational
  %SEC-I-PORTAUTHORIZED: Port gi8 is Authorized       
  2147483420
  2012-Aug-09 19:00:27
  Warning
  %SEC-W-SUPPLICANTUNAUTHORIZED: MAC 00:19:99:0b:8d:b3 was rejected on port gi8        
  2147483421
  2012-Aug-09 19:00:27
  Warning
  %SEC-W-PORTUNAUTHORIZED: Port gi8 is unAuthorized       
  2147483422
  2012-Aug-09 18:27:59
  Informational
  %SEC-I-PORTAUTHORIZED: Port gi8 is Authorized       
  2147483423
  2012-Aug-09 18:25:55
  Warning
  %SEC-W-SUPPLICANTUNAUTHORIZED: MAC 00:19:99:0b:8d:b3 was rejected on port gi8        
  2147483424
  2012-Aug-09 18:25:55
  Warning
  %SEC-W-PORTUNAUTHORIZED: Port gi8 is unAuthorized    
  Any ideas ?

• WLC 5508: 802.1 AAA override; Authenication success no dynamic vlan assignment

  WLC 5508: software version 7.0.98.0
  Windows 7 Client
  Radius Server:  Fedora Core 13 / Freeradius with LDAP storage backend
  I have followed the guide at http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml with respective to building the LDAP and free radius server.  802.1x authorization and authenication correctly work.  The session keys are returned from the radius server and the wlc send the appropriate information for the client to generate the WEP key.
  However, the WLC does not override the VLAN assignment, even though I was to believe I set everything up correctly.  From the packet capture, you can see that verfication of client is authorized to use the WLAN returns the needed attributes:
  AVP: l=4  t=Tunnel-Private-Group-Id(81): 10
  AVP: l=6  t=Tunnel-Medium-Type(65): IEEE-802(6)
  AVP: l=6  t=Tunnel-Type(64): VLAN(13)
  I attached a packet capture and wlc config, any guidance toward the attributes that may be missing or not set correctly in the config would be most appreciated.

  Yes good catch, so I had one setting left off in freeradius that allowed the inner reply attributes back to the outer tunneled accept.  I wrote up a medium high level config for any future viewers of this thread:
  The following was tested and verified on a fedora 13 installation.   This is a minimal setup; not meant for a "live" network (security issues  with cleartext passwords, ldap not indexed properly for performance)
  Install Packages
  1.  Install needed packages.
  yum install openldap*
  yum install freeradius*
  2.  Set the services to automatically start of system startup
  chkconfig --level 2345 slapd on
  chkconfig --level 2345 radiusd on
  Configure and start LDAP
  1.  Copy the needed ladp schemas for radius.  Your path may vary a bit
  cp /usr/share/doc/freeradius*/examples/openldap.schema /etc/openldap/schema/radius.schema
  2.  Create a admin password for slapd.  Record this password for later use when configuring the slapd.conf file
  slappasswd
  3.  Add the ldap user and group; if it doesn't exisit.  Depending on the install rpm, it may have been created
  useradd ldap
  groupadd ldap
  4.  Create the directory and assign permissions for the database files
  mkdir /var/lib/ldap
  chmod 700 /var/lib/ldap
  chown ldap:ldap /var/lib/ldap
  5.  Edit the slapd.conf file.
  cd /etc/openldap
  vi slapd.conf
  # See slapd.conf(5) for details on configuration options.
  # This file should NOT be world readable.
  #Default needed schemas
  include        /etc/openldap/schema/corba.schema
  include        /etc/openldap/schema/core.schema
  include        /etc/openldap/schema/cosine.schema
  include        /etc/openldap/schema/duaconf.schema
  include        /etc/openldap/schema/dyngroup.schema
  include        /etc/openldap/schema/inetorgperson.schema
  include        /etc/openldap/schema/java.schema
  include        /etc/openldap/schema/misc.schema
  include        /etc/openldap/schema/nis.schema
  include        /etc/openldap/schema/openldap.schema
  include        /etc/openldap/schema/ppolicy.schema
  include        /etc/openldap/schema/collective.schema
  #Radius include
  include        /etc/openldap/schema/radius.schema
  #Samba include
  #include        /etc/openldap/schema/samba.schema
  # Allow LDAPv2 client connections.  This is NOT the default.
  allow bind_v2
  # Do not enable referrals until AFTER you have a working directory
  # service AND an understanding of referrals.
  #referral    ldap://root.openldap.org
  pidfile        /var/run/openldap/slapd.pid
  argsfile    /var/run/openldap/slapd.args
  # ldbm and/or bdb database definitions
  #Use the berkely database
  database    bdb
  #dn suffix, domain components read in order
  suffix        "dc=cisco,dc=com"
  checkpoint    1024 15
  #root container node defined
  rootdn        "cn=Manager,dc=cisco,dc=com"
  # Cleartext passwords, especially for the rootdn, should
  # be avoided.  See slappasswd(8) and slapd.conf(5) for details.
  # Use of strong authentication encouraged.
  # rootpw        secret
  rootpw      
  {SSHA}
  cVV/4zKquR4IraFEU7NTG/PIESw8l4JI  
  # The database directory MUST exist prior to running slapd AND
  # should only be accessible by the slapd and slap tools. (chown ldap:ldap)
  # Mode 700 recommended.
  directory    /var/lib/ldap
  # Indices to maintain for this database
  index objectClass                       eq,pres
  index uid,memberUid                     eq,pres,sub
  # enable monitoring
  database monitor
  # allow onlu rootdn to read the monitor
  access to *
           by dn.exact="cn=Manager,dc=cisco,dc=com" read
           by * none
  6.  Remove the slapd.d directory
  cd /etc/openldap
  rm -rf slapd.d
  7.  Hopefully if everything is correct, should be able to start up slapd with no problem
  service slapd start
  8.  Create the initial database in a text file called /tmp/initial.ldif
  dn: dc=cisco,dc=com
  objectClass: dcobject
  objectClass: organization
  o: cisco
  dc: cisco
  dn: ou=people,dc=cisco,dc=com
  objectClass: organizationalunit
  ou: people
  description: people
  dn: uid=jonatstr,ou=people,dc=cisco,dc=com
  objectClass: top
  objectClass: radiusprofile
  objectClass: inetOrgPerson
  cn: jonatstr
  sn: jonatstr
  uid: jonatstr
  description: user Jonathan Strickland
  radiusTunnelType: VLAN
  radiusTunnelMediumType: 802
  radiusTunnelPrivateGroupId: 10
  userPassword: ggsg
  9.  Add the file to the database
  ldapadd -h localhost -W -D "cn=Manager, dc=cisco,dc=com" -f /tmp/initial.ldif
  10.  Issue a basic query to the ldap db, makes sure that we can request and receive results back
  ldapsearch -h localhost -W -D cn=Manager,dc=cisco,dc=com -b dc=cisco,dc=com -s sub "objectClass=*"
  Configure and Start FreeRadius
  1. Configure ldap.attrmap, if needed.  This step is only needed if we  need to map and pass attributes back to the authenicator (dynamic vlan  assignments as an example).  Below is an example for dynamic vlan  addresses
  cd /etc/raddb
  vi ldap.attrmap
  For dynamic vlan assignments, verify the follow lines exist:
  replyItem    Tunnel-Type                                   radiusTunnelType
  replyItem    Tunnel-Medium-Type                   radiusTunnelMediumType
  replyItem    Tunnel-Private-Group-Id              radiusTunnelPrivateGroupId
  Since we are planning to use the userpassword, we will let the mschap  module perform the NT translations for us.  Add the follow line to  check ldap object for userpassword and store as Cleartext-Password:
  checkItem    Cleartext-Password    userPassword
  2.  Configure eap.conf.  The following sections attributes below  should be verified.  You may change other attributes as needed, they are  just not covered in this document.
  eap
  {      default_eap_type = peap      .....  }
  tls {
      #I will not go into details here as this is beyond scope of  setting up freeradisu.  The defaults will work, as freeradius comes with  generated self signed certificates.
  peap {
      default_eap_type = mschapv2
      #you will have to set this to allowed the inner tls tunnel  attributes into the final accept message
      use_tunneled_reply = yes
  3.  Change the authenication and authorization modules and order.
  cd /etc/raddb/sites-enabled
  vi default
  For the authorize section, uncomment the ldap module.
  For the authenicate section, uncomment the ldap module
  vi inner-tunnel
  Very importants, for the authorize section, ensure the ldap module is first, before mschap.  Thus authorize will look like:
  authorize
  {      ldap      mschap      ......  }
  4.  Configure ldap module
  cd /etc/raddb/modules
  ldap
  {        server=localhost       identify = "cn=Manager,dc=cisco,dc=com"        password=admin       basedn="dc=cisco,dc=com"       base_filter =  "(objectclass=radiusprofile)"       access_attr="uid"       ............   }
  5.  Start up radius in debug mode on another console
  radiusd -X
  6.  radtest localhost 12 testing123
  You should get a Access-Accept back
  7.  Now to perform an EAP-PEAP test.  This will require a wpa_supplicant test libarary called eapol_test
  First install openssl support libraries, required to compile
  yum install openssl*
  yum install gcc
  wget http://hostap.epitest.fi/releases/wpa_supplicant-0.6.10.tar.gz 
  tar xvf wpa_supplicant-0.6.10.tar.gz
  cd wpa_supplicant-0.6.10/wpa_supplicant
  vi defconfig
  Uncomment CONFIG_EAPOL_TEST = y and save/exit
  cp defconfig .config
  make eapol_test
  cp eapol_test /usr/local/bin
  chmod 755 /usr/local/bin/eapol_test
  8.  Create a test config file named eapol_test.conf.peap
  network=
  {   eap=PEAP  eapol_flags=0  key_mgmt=IEEE8021X  identity="jonatstr"   password="ggsg"  \#If you want to verify the Server certificate the  below would be needed   \#ca_cert="/root/ca.pem"  phase2="auth=MSCAHPV2"   }
  9.  Run the test
  eapol_test -c ~/eapol_test.conf.peap -a 127.0.0.1 -p 1812 -s testing123

• Dynamic VLAN assignments with ACS

  Hello all.
  I am trying to do dynamic vlan assignments with dot1x auth.  I am using ACS5.3 and Cisco 3560.
  I have configured them correctly to the best of my knowledge but it doesn't seem to be working correctly.
  aaa group server radius nac_serversserver-private 84.93.219.163 auth-port 1812 acct-port 1813 key 7 xxxxxxaaa authentication dot1x default group nac_serversaaa authorization network default group nac_serversinterface FastEthernet0/2 switchport mode access switchport voice vlan 364 srr-queue bandwidth share 10 10 60 20 srr-queue bandwidth shape 10 0 0 0 priority-queue out authentication event no-response action authorize vlan 303 authentication host-mode multi-domain authentication port-control auto mls qos trust cos auto qos voip trust dot1x pae authenticator
  When the user connects I get the following via debug:
  Apr 30 15:19:36.303: %AUTHMGR-5-VLANASSIGN: VLAN 300 assigned to Interface Fa0/2 AuditSessionID 000000000000001F8B7214D7
  However "show int status" still shows the port on vlan 1 and the end device is stuck with a 169.x.x.x address (Windows PC).
  Any idea what config I'm missing?
  Thanks
  Paul

  Hello.
  Here is whats left in the log.
  Apr 30 15:19:36.253: dot1x-ev:Enqueued the eapol packet to the global authenticator queue
  Apr 30 15:19:36.253: EAPOL pak dump rx
  Apr 30 15:19:36.253: EAPOL Version: 0x1  type: 0x0  length: 0x007B
  Apr 30 15:19:36.253: dot1x-ev:
  dot1x_auth_queue_event: Int Fa0/2 CODE= 2,TYPE= 25,LEN= 123
  Apr 30 15:19:36.253: dot1x-ev(Fa0/2): Received pkt saddr =70cd.6066.988a , daddr = 0180.c200.0003,
                      pae-ether-type = 888e.0100.007b
  Apr 30 15:19:36.253: dot1x-ev(Fa0/2): dot1x_sendRespToServer: Response sent to the server from 0x55000021 (70cd.6066.988a)
  Apr 30 15:19:36.269: dot1x-ev(Fa0/2): Sending EAPOL packet to 70cd.6066.988a
  Apr 30 15:19:36.269: dot1x-ev(Fa0/2): Role determination not required
  Apr 30 15:19:36.278: dot1x-ev(Fa0/2): Sending out EAPOL packet
  Apr 30 15:19:36.278: dot1x-ev(Fa0/2): Role determination not required
  Apr 30 15:19:36.278: dot1x-ev:Enqueued the eapol packet to the global authenticator queue
  Apr 30 15:19:36.278: EAPOL pak dump rx
  Apr 30 15:19:36.278: EAPOL Version: 0x1  type: 0x0  length: 0x002B
  Apr 30 15:19:36.278: dot1x-ev:
  dot1x_auth_queue_event: Int Fa0/2 CODE= 2,TYPE= 25,LEN= 43
  Apr 30 15:19:36.286: dot1x-ev(Fa0/2): Received pkt saddr =70cd.6066.988a , daddr = 0180.c200.0003,
                      pae-ether-type = 888e.0100.002b
  Apr 30 15:19:36.286: dot1x-ev(Fa0/2): dot1x_sendRespToServer: Response sent to the server from 0x55000021 (70cd.6066.988a)
  Apr 30 15:19:36.286: dot1x-ev(Fa0/2): Sending EAPOL packet to 70cd.6066.988a
  Apr 30 15:19:36.286: dot1x-ev(Fa0/2): Role determination not required
  Apr 30 15:19:36.294: dot1x-ev(Fa0/2): Sending out EAPOL packet
  Apr 30 15:19:36.294: dot1x-ev(Fa0/2): Role determination not required
  Apr 30 15:19:36.294: dot1x-ev:Enqueued the eapol packet to the global authenticator queue
  Apr 30 15:19:36.294: EAPOL pak dump rx
  Apr 30 15:19:36.294: EAPOL Version: 0x1  type: 0x0  length: 0x002B
  Apr 30 15:19:36.294: dot1x-ev:
  dot1x_auth_queue_event: Int Fa0/2 CODE= 2,TYPE= 25,LEN= 43
  Apr 30 15:19:36.294: dot1x-ev(Fa0/2): Received pkt saddr =70cd.6066.988a , daddr = 0180.c200.0003,
                      pae-ether-type = 888e.0100.002b
  Apr 30 15:19:36.294: dot1x-ev(Fa0/2): dot1x_sendRespToServer: Response sent to the server from 0x55000021 (70cd.6066.988a)
  Apr 30 15:19:36.303: %DOT1X-5-SUCCESS: Authentication successful for client (70cd.6066.988a) on Interface Fa0/2 AuditSessionID 000000000000001F8B7214D7
  Apr 30 15:19:36.303: dot1x-ev(Fa0/2): Sending event (2) to Auth Mgr for 70cd.6066.988a
  Apr 30 15:19:36.303: %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (70cd.6066.988a) on Interface Fa0/2 AuditSessionID 000000000000001F8B7214D7
  Apr 30 15:19:36.303: %AUTHMGR-5-VLANASSIGN: VLAN 300 assigned to Interface Fa0/2 AuditSessionID 000000000000001F8B7214D7
  Apr 30 15:19:37.167: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/2, changed state to up
  Apr 30 15:19:37.335: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (70cd.6066.988a) on Interface Fa0/2 AuditSessionID 000000000000001F8B7214D7
  Apr 30 15:19:37.335: dot1x-ev(Fa0/2): Received Authz Success for the client 0x55000021 (70cd.6066.988a)
  Apr 30 15:19:37.335: dot1x-ev(Fa0/2): Sending EAPOL packet to 70cd.6066.988a
  Apr 30 15:19:37.335: dot1x-ev(Fa0/2): Role determination not required
  Apr 30 15:19:37.335: dot1x-ev(Fa0/2): Sending out EAPOL packet
  Hope that helps

• Dynamic VLAN, should or should not?

  Hi everyone, 
  My company have 1 Core Switch 6509, this core SW aggregate all access switch.
  On the Core SW, I've configuration static IP such as:    # arp IP_address MAC_address rarp
  However, when the client move from access switch to another access switch, i must to change Vlan in access port.
  It's very manually.
  To improve the management, I think Dynamic VLAN.
  But this solution require all access switch support VMPS, but all access switches in the network system's not support.
  To implement this solution, it's require a large investments to purchase the new device.
  Can any one advice me a suitable solution.
  Thanks in advance!
  HoiVN

  Kindly check the following link for reference.
  sample configuration link
  http://www.cisco.com/c/en/us/td/docs/wireless/controller/5700/software/release/3se/security/configuration_guide/b_sec_3se_5700_cg/b_sec_1501_3850_cg_chapter_01110.html
  http://www.cisco.com/c/en/us/td/docs/wireless/controller/7-0/configuration/guide/c70/c70intf.html
  Trouble shooting link
  http://www.cisco.com/c/en/us/support/docs/security/secure-access-control-system/113485-acs5x-tshoot.html

• FlexConnect, EAP-TLS and dynamic VLAN assignments

  I need to integrate Cisco ISE and WLC5508 with FlexConnect (local switching) using EAP-TLS security for wireless clients across multiple floors (dynamic VLAN assignments based on floor level). The AP model used is 3602.
  I have some questions:
  - What RADIUS Attribute can be used for dynamic VLAN assignments based on floor level? Is there an option where I can group all LWAPs in same floor for getting certain VLAN from ISE?
  - I intend to use WLC software version 7.2 since 7.3 is latest version. Has someone use WLC software version 7.3 without any major bugs/issues pertaining to FlexConnect and EAP-TLS?
  - I read some documents saying L3 roaminig is where the associated WLC has changed. However if user move to different subnet but still associated to the same WLC, would this be consider as L3 roaming too?
  Can someone assist to clear my confusion here? any reference url for layer 2 and layer 3 roaming details is appreciated. Thanks

  I'll give this a shot:)
  For radius vlan attributes, bothe ACS and ISE in the policies have the ability to just enter the vlan id in the profile. You can either do that or use the IETF attributes.
  The RADIUS attributes to configure for VLAN assignment are IETF RADIUS attributes 64, 65, and 81, which control VLAN assignment of users and groups. See RFC 2868 for more information.
  64 (Tunnel-Type) should be set to VLAN (Integer = 13)
  65 (Tunnel-Medium-Type) should be set to 802 (Integer = 6)
  81 (Tunnel-Private-Group-ID) should be set to the VLAN number. This can also be set to VLAN name if using a Cisco IOS device (excludes Aironet and Wireless Controllers however).
  You can find this by searching on Google.... A lot of examples out there
  v7.2 and v7.3 I have had no issues with, with any type of encryption used. With 7.0 and 7.2, I would use the latest due to the Windows 8 fix.
  Layer 3 roaming is what's going to happen if the AP's are in local mode. This means that the client will keep their IP address no matter what ap they are connected to and or WLC as long as the mobility group is the same. So a user who boots up in floor 1 will keep its IP address even if he or she roams to the 12th floor and as long as he or she didn't loose wireless connection.
  FlexConnect you can do that. The AP's are trunked and need to have the vlans. So what your trying to do will be disruptive to clients. When the roam to another floor ap that is FlexConnect locally switched, they will drop and have to re-associate in order to get a new IP address.
  Hope this helps.
  Sent from Cisco Technical Support iPhone App

• Dynamic VLAN on Access Point using RADIUS

  Hi.
  I am using a single Cisco 1130AG authenticating to RADIUS on Microsoft IAS (I do NOT have a WLC)
  I was wondering is it possible to use one flat SSID in my network and then dynamically assign VLANs to users based on matching of RADIUS Policy and RADIUS Return attributes?
  I have configured the attributes on radius as per documentation;
  * IETF 64 (Tunnel Type)—Set this to VLAN.
  * IETF 65 (Tunnel Medium Type)—Set this to 802.
  * IETF 81 (Tunnel Private Group ID)—Set this to VLAN ID.
  The returned VLAN ID exists on the Access Point and direct connection to the SSID without the return value works okay.
  Each time I connect the VLAN just defaults to the native VLAN for the SSID
  I think it may be impossible without WLC!
  HELP!!

  From what I found when using MBSSID it appears you cannot use dynamic VLANs.
  However you can use a single broadcasted SSID and various non-broadcast SSIDs with dynamic VLANs.
  Ideally a single SSID and dynamic VLANs via dot1x would be fine for my setup.
  However I have a specific wireless device which cannot use dot1x/EAP and therefore I need an second broadcast SSID to use for this. Which then causes the dynamic VLAN setup not to work.

• Dynamic VLAN/SSID assignment using 4402/MS IAS

  Greetings,
  In short we have a WLC4402 (50 AP license) and approx 30 1252s LAPs in place. Right now we have three VLANs/SSIDs in place - one for admin, one for teachers and one for students. The WLC uses a MS Windows 2003 server running IAS for PEAP authentication. The clients are Windows XP, the SSID is entered manually based on "pre-designation" of the laptop's "type" (either admin, teacher or student).
  This is working fine. However more and more frequently our users have been "sharing" laptops so a student may need to use a teacher's laptop and vice-versa. In short we would like to use dynamic VLAN/SSID assignment so that if a student does have a teacher's laptop the "student" VLAN/SSID would be assigned to them when log in (and the proper ACLs, QoS policies, etc would be applied)
  We have found documentation on how to perform this with an ACS but is there anything available for this configuration with a MS IAS server.
  Any input/information would be greatly appreciated.
  Joe

  Shaun,
  My LAG - etherchannel interface
  interface Port-channel8
  description WLC-portchannel
  switchport
  switchport trunk encapsulation dot1q
  switchport trunk allowed vlan 1,3,24-26
  switchport mode trunk
  end
  My 2 WLC Fiber ports:
  Current configuration : 382 bytes
  interface GigabitEthernet7/47
  description CiscoWLC-LAG-Ports
  switchport trunk encapsulation dot1q
  switchport trunk allowed vlan 1,3,24-26
  switchport mode trunk
  service-policy output autoqos-voip-policy
  qos trust cos
  auto qos voip trust
  tx-queue 3
  bandwidth percent 33
  priority high
  shape percent 33
  spanning-tree bpdufilter enable
  channel-group 8 mode on
  end
  2200-3A#sh run int g7/48
  Building configuration...
  Current configuration : 382 bytes
  interface GigabitEthernet7/48
  description CiscoWLC-LAG-Ports
  switchport trunk encapsulation dot1q
  switchport trunk allowed vlan 1,3,24-26
  switchport mode trunk
  service-policy output autoqos-voip-policy
  qos trust cos
  auto qos voip trust
  tx-queue 3
  bandwidth percent 33
  priority high
  shape percent 33
  spanning-tree bpdufilter enable
  channel-group 8 mode on
  end
  I use vl1 for ap mgmt, vl3 for hotspot, and vl24-26 for WPA2 clients and wireless voip devices.
  One of my AP switchports on the same switch. I let the trunk port to the AP carry a range of vlan's, and then a manage the vlans assigned to clients with IAS and the WLC.
  interface FastEthernet4/48
  description AP-PoE
  switchport trunk encapsulation dot1q
  switchport trunk allowed vlan 1-1004
  switchport mode trunk
  service-policy output autoqos-voip-policy
  qos trust cos
  auto qos voip trust
  tx-queue 3
  bandwidth percent 33
  priority high
  shape percent 33
  end
  Jim

• Dynamic VLAN Assignment + NPS

  Hello,
  I'm planning a deployment with the following:
  5508 WLC running 7.0.222.0
  NCS 1.0.2.29
  50+ 3502i AP's
  Windows 2008 R2 running NPS
  EAP-TLS for authentication
  The end goal is to have a single SSID and utilize NPS to dynamically assign VLAN's depending on role/group.
  I've read several documents that use ACS to complete the dynamic VLAN assignment (inclduing http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml), however in this case ACS is not available.
  My question basically is; do I need ACS to apply the VSA for Cisco Airespace, or can this be done solely with the following IETF attributes using Microsoft NPS and AAA override on the WLC?
  [64] Tunnel-Type
  [65] Tunnel-Medium-Type
  [81] Tunnel-Pvt-Group-ID
  Any advice would be greatly appreicated!
  Thanks

  Thanks Steve for your quick response.
  I did everything as per your recommendation and it still doesnt work.
  Do you mind providing me a remote assistance, do you have Skype?
  Or your prefer that I provide you a set of logs, tell me which one and I will do so.
  SSID:TT
  @IP WLC: 172.20.252.70
  NPS: 172.20.1.16
  config rule NPS: service-Type: NAS Prompt
                           Tunnel-Type: VLAN
                           Tunnel-pvt-group-ID:10
                           Tunnel-Meduim-Type:802
  log WLC:
  *radiusTransportThread: Sep 19 12:32:47.841: ****Enter processIncomingMessages: response code=2
  *radiusTransportThread: Sep 19 12:32:47.841: ****Enter processRadiusResponse: response code=2
  *radiusTransportThread: Sep 19 12:32:47.841: 8c:70:5a:1c:8e:20 Access-Accept received from RADIUS server 172.20.1.16 for mobile 8c:70:5a:1c:8e:20 receiveId = 4
  *Dot1x_NW_MsgTask_0: Sep 19 12:32:47.841: 8c:70:5a:1c:8e:20 Processing Access-Accept for mobile 8c:70:5a:1c:8e:20
  *Dot1x_NW_MsgTask_0: Sep 19 12:32:47.842: 8c:70:5a:1c:8e:20 Applying new AAA override for station 8c:70:5a:1c:8e:20
  *Dot1x_NW_MsgTask_0: Sep 19 12:32:47.842: 8c:70:5a:1c:8e:20 Override values for station 8c:70:5a:1c:8e:20
  source: 4, valid bits: 0x200
  qosLevel: -1, dscp: 0xffffffff, dot1pTag: 0xffffffff, sessionTimeout: -1
  *Dot1x_NW_MsgTask_0: Sep 19 12:32:47.842: 8c:70:5a:1c:8e:20 Override values (cont..) dataAvgC: -1, rTAvgC: -1, dataBurstC: -1, rTimeBurstC: -1
  vlanIfName: 'dy-data-ksb1', aclName: ''
  *Dot1x_NW_MsgTask_0: Sep 19 12:32:47.842: 8c:70:5a:1c:8e:20 Inserting new RADIUS override into chain for station 8c:70:5a:1c:8e:20
  *Dot1x_NW_MsgTask_0: Sep 19 12:32:47.843: 8c:70:5a:1c:8e:20 Override values for station 8c:70:5a:1c:8e:20
  source: 4, valid bits: 0x200
  qosLevel: -1, dscp: 0xffffffff, dot1pTag: 0xffffffff, sessionTimeout: -1
  *Dot1x_NW_MsgTask_0: Sep 19 12:32:47.843: 8c:70:5a:1c:8e:20 Override values (cont..) dataAvgC: -1, rTAvgC: -1, dataBurstC: -1, rTimeBurstC: -1
  vlanIfName: 'dy-data-ksb1', aclName: ''
  *Dot1x_NW_MsgTask_0: Sep 19 12:32:47.843: 8c:70:5a:1c:8e:20 Applying override policy from source Override Summation:
  *Dot1x_NW_MsgTask_0: Sep 19 12:32:47.843: 8c:70:5a:1c:8e:20 Override values for station 8c:70:5a:1c:8e:20
  source: 256, valid bits: 0x200
  qosLevel: -1, dscp: 0xffffffff, dot1pTag: 0xffffffff, sessionTimeout: -1
  *Dot1x_NW_MsgTask_0: Sep 19 12:32:47.843: 8c:70:5a:1c:8e:20 Override values (cont..) dataAvgC: -1, rTAvgC: -1, dataBurstC: -1, rTimeBurstC: -1
  vlanIfName: 'dy-data-ksb1', aclName: ''
  *Dot1x_NW_MsgTask_0: Sep 19 12:32:47.843: 8c:70:5a:1c:8e:20 Setting re-auth timeout to 1800 seconds, got from WLAN config.
  *Dot1x_NW_MsgTask_0: Sep 19 12:32:47.844: 8c:70:5a:1c:8e:20 Station 8c:70:5a:1c:8e:20 setting dot1x reauth timeout = 1800
  *Dot1x_NW_MsgTask_0: Sep 19 12:32:47.844: 8c:70:5a:1c:8e:20 Creating a PKC PMKID Cache entry for station 8c:70:5a:1c:8e:20 (RSN 2)
  *Dot1x_NW_MsgTask_0: Sep 19 12:32:47.844: 8c:70:5a:1c:8e:20 Adding BSSID 00:1e:be:a7:bf:b6 to PMKID cache for station 8c:70:5a:1c:8e:20
  *Dot1x_NW_MsgTask_0: Sep 19 12:32:47.844: New PMKID: (16)
  *Dot1x_NW_MsgTask_0: Sep 19 12:32:47.844:      [0000] 80 36

• Dynamic VLAN assignment on SG300

  Cisco documentation states that dynamic vlan assignment via RADIUS should provide the following IETF values:
  The RADIUS user attributes used for the VLAN ID assignment are:
  IETF 64 (Tunnel Type)—Set this to VLAN.
  IETF 65 (Tunnel Medium Type)—Set this to 802
  IETF 81 (Tunnel Private Group ID)—Set this to VLAN ID
  I have done so with an Aruba Clearpass RADIUS server - but the Access-Accept message being sent below:
  Radius:IETF:Tunnel-Medium-Type     6
  Radius:IETF:Tunnel-Private-Group-Id     4
  Radius:IETF:Tunnel-Type     13
  is being received by the SG300 in some way that's not being interpreted correctly. Log files indicate that the IETF values are not what is expected:
  07-Aug-2014 18:58:41 :%SEC-W-SUPPLICANTUNAUTHORIZED: username teststudent with MAC 00:11:25:d8:42:83 was rejected on port gi2 because Radius accept message does not contain VLAN ID
  07-Aug-2014 18:58:41 :%AAAEAP-W-RADIUSREPLY: Invalid attribute 65 ignored - tag should be 0
  07-Aug-2014 18:58:41 :%AAAEAP-W-RADIUSREPLY: Invalid attribute 64 ignored - tag should be 0
  Is there something I'm missing here? These same values sent by the Clearpass RADIUS server are working for other switches such as Extreme and Brocade.
  Thanks,
  Aaron

  Hi Aleksandra,
  Here are the values from a packet capture of the Access-Accept message:

• Dynamic VLAN assignment and DHCP

  Hello
  I have just upgraded our WLC from 4.0 to 7.0 (via 4.2).
  Before the upgrade we had our ACS returning a VLAN based on user group.  This seemed to be working without an issue.  Now that the WLC is on version 7 this is no longer working correctly.  The ACS is returning a VLAN and passing the user but the client can not get an IP from the DHCP server configured.
  Example configuration:
  SSID-----VLAN
  PN-CSC-----CSCVlan: Works
  PN-Others------OthersVlan: Works
  PN-Others-----CSCVlan: No DHCP
  When users are trying to be allocated to a vlan that is different from the native one the DHCP fails however both WLANs are configured to point to the management interface so dont have any real connection to the vlan other than by name.
  Have there been any changes I haven't seen in the way the dynamic vlan allocation works in version 7?

  Yes, DHCP proxy could be the culprit here.  In 4.0 it was only a CLI command to enable/disable the proxy feature.  In 5.2, I think, and later it is in the GUI
  as well.
     There is a defect filed against the behavior of the WLC DHCP funtion out there currently.  If all of your DHCP is coming from external resources than you can disable proxy.  If, however, you are using the WLC as DHCP server for guest access, then proxy must be enabled.  If the later is true, you should contact TAC, as there is an engineering special available that has the defect resolution.
  Sorry I can't provide the defect ID, my CCO account is acting up.
  Cheers,
  Steve
  If  this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

• Dynamic VLAN/SSID assignment w/IPv6

  I have followed the answer in this discussion which instructs on how to get Dynamic VLAN/SSID assignments using WLCs + MS IAS:
  https://supportforums.cisco.com/thread/339396
  This works great for IPv4.  This does not appear to work for IPv6.
  I have CT2504 WLCs running v7.0.116.0 and AP 3502s.  I have a Windows 2003 IAS working for 802.1x authentication using PEAP and per-user/group dynamic VLAN/SSID assignments.  Based on who you authenticate as, you are placed on the appropriate VLAN.
  However, IPv6 does not function properly.  I believe this is due to the nature that the WLC only bridges IPv6 from the Interface Group that the WLAN is assigned to and/or whatever Multicast VLAN you assign.
  If I connect as a user assigned to the same matching VLAN as the WLAN Interface / Multicast VLAN, IPv6 works just fine.  I do not even have to have the "Enable IPv6" box checked in the Advanced tab, nor does the "Multicast Vlan Feature" need to be enabled - IPv6 still works.
  If I connect as a user that is assigned to a different VLAN than the WLAN Interface / Multicast VLAN, I see the IPv6 Router Advertisement from the WLAN Interface / Multicast VLAN, and not the VLAN that "Allow AAA Override" switched me to.  Naturally since I'm getting as IPv6 prefix for a different VLAN, when I try to route traffic through the IPv6 default gateway (which isn't on the VLAN I'm connected to), it doesn't work.
  One work-around to have IPv6 support is to use distinct, non-dynamic per VLAN/SSID assignments.  This is ugly and doesn't scale (16 max SSIDs).
  Has anyone else experienced this and know of a solution?
  For now I'll just have to set the WLAN Interface to a VLAN which does not have IPv6 enabled and my wireless users won't have IPv6 unless they VPN on top of Wifi.  Rather disappointing.

  this sounds alot like another implication of IPv6 with "more than one VLAN on the same SSID".
  see this thread:
  https://supportforums.cisco.com/thread/2157621?tstart=60
  not with dynamic vlan, but vlan select - which, on the L2/L3 on SSID-side is essentially the same.
  as mentioned in the thread, 7.2 has a feature that "automatically sends the correct RA to the correct clients via L2  wireless unicast. By unicasting the RA, clients on the same WLAN, but a  different VLAN, do not receive the incorrect RA."
  lucky for you, 7.2 is available for the 2504 - with my WiSM1s I am out of luck :-(
  so this feature *could* solve this problem, as the problem is that the wrong IPv6-RAs are broadcasted for the client (because the SSID is the same)

• Dynamic vlan assignment does not work

  Hello,
  I have been trying to configure dynamic vlan assignment for the employee wlan. Trying to put the employee on vlan 20
  Here are the components used
  WLC: 2100 Software version: 7.0.240.0
  AP: 3502I    IOS version: 12.4  Mini IOS version: 7.0
  Radius server: tried mutiple radius servers (rsa radius , free radius)
  On the WLC:
  1. Created a AAA server.
  2. Along with management interface(vlan 10), configured dynamic interfaces (vlan 20, vlan 30)
  3. AP manager interface is on vlan 40
  4. Created WLAN assigned to management interface-- WPA2 (AES) , 802.1x
  5. on AAA servers tab - checked authentication servers and assigned the AAA server. authentication priority order is set to only radius
  Here, I have 2 options for radius overwrite.
  one on the AAA servers tab
  second on the Advanced tab
  I have selected both. or one at a time
  Ports between WLC and switch is a trunk
  On the AP:
  1. Local mode
  2. Port between AP and switch switchport access  - vlan 40
  On radius server:
  configured WLC's management interface as client
  and assigned the following attributes
  tunnel-type := vlan
  tunnel-medium-type = ieee-802
  tunnel-private-group-id = 20
  When i try to authenticate with an iphone it is successful. But it puts me on the same interface as management interface (vlan10). When i do the packet capture i do see the access-accept but i dont see the attributes.
  when i use a radius test utility against the radius server I do receive all the attributes.
  Im a newbie on this. Iam i missing something here? any help will be much appreciated.

  Kindly check the following link for reference.
  sample configuration link
  http://www.cisco.com/c/en/us/td/docs/wireless/controller/5700/software/release/3se/security/configuration_guide/b_sec_3se_5700_cg/b_sec_1501_3850_cg_chapter_01110.html
  http://www.cisco.com/c/en/us/td/docs/wireless/controller/7-0/configuration/guide/c70/c70intf.html
  Trouble shooting link
  http://www.cisco.com/c/en/us/support/docs/security/secure-access-control-system/113485-acs5x-tshoot.html

• Dynamic VLAN assignment with WLC and ACS for

  Currently, using our autonomous APs and ACS, our users get separate VLANs per building based on their security level (students or staff). Basically, the student VLAN in one building is different from that of the student VLANs in other buildings on campus. Currently, we do this by filling the Tunnel-Private-Group-ID IETF RADIUS attribute with the VLAN name. This all works because each individual AP can map VLAN names to different VLANs like this:
  dot11 vlan-name STUDENT vlan 2903
  dot11 vlan-name FACSTAF vlan 2905
  As we are working on our WiSM deployment, we see that the document below shows how to do the dynamic VLAN assignment on our WLAN controllers:
  http://www.cisco.com/en/US/customer/products/sw/secursw/ps2086/products_configuration_example09186a00808c9bd1.shtml
  However, we haven't figured out if it's possible to still provide our users with different VLANs for each building they're in.
  With the instructions above, it looks like ACS uses a Cisco RADIUS Attribute to indicate the Air-Interface-Name, mapping an ACS/AD group to a single WLC interface which can only have one VLAN/subnet associated with it.
  Does anybody know if what we're trying to accomplish is possible, or if we're really stuck with only one VLAN/subnet per mapped ACS group?

  We only have the one WiSM for all of campus, so it's handling everything. This Cisco docs do indicate how to put differnet users in different Vlans, but we don't currently see a way to also put them in different subnets per building.
  This being the case, any suggestions on how best to handle more than a Class C subnet's worth of users? Should we just subnet larger than Class C, or is there a more elegant way of handling this?

• WLC- dynamic Vlan assignment with Radius

  Hello, we would like to use this feature in our company and because of that I am now testing it. But I found one problem.
  I created one testing SSID and two Vlans on WLC. On ACS I use an IETF atributes (064,065,081) for my account and I am changing Vlan ID (081) during testing.
  It works with LEAP but when I use PEAP-GTC (which we use commonly in our company) the ip address is not assigned properly (ip which was assigned before remains).
  Could you please help me?

  There is good document which explains how to configure Dynamic VLAN Assignment with RADIUS Server and Wireless LAN Controller. This will help you. You will find the document at http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml

• Flexconnect dynamic VLAN assignment doubt

  Hi, all,
  I am trying to understand how FlexConnect with dynamic VLAN assignment works. We have the need to dynamically put people in different VLANs based on their AD groups (all employees use the same SSID), I can understand that in traditional CAPWAP mode, AP just tunnels all traffic to WLC, WLC is the authenticator and it knows  what users' identities are and can encapsulate user traffic to different VLANs before send the traffic to the switch it connects. Here is the part I don't understand:
  1) If APs are operating in Flexconnect mode (APs are trunking to switches), how does each AP know what VLAN tag to put a specific user traffic on? AP is not authenticator, it knows nothing about associated client's AD identify. How does WLC convey the dynamical VLAN information to APs?
  2) I want to eliminate WLCs in remote offices by letting all remote office APs join HQ WLC with FlexConnect mode, I can keep the same VLAN mapping scheme in remote office switching environment, in some offices I want to do local authentication (Domain controller + Radius Server), looks like I can specify Radius server in FlexConnect group, in this case will APs become authenticator? Since Radius clients have to be explicitly configured on NPS/Radius server side, does this means I have to statically configure each AP's IP?
  3) I have over a dozen APs in HQ which are operating at FlexConnect mode, but the SSID's "local central authentication" checkbox is not checked, if I want to have local authentication in remote office,  seems that I have to turn on "local authentication" on this SSID, does that mean I have to add each and everyone of those HQ APs to Radius/NPS server client list?
  Thanks,

  Hi ,
  1) Aps knows about Vlans as we can define them inside the Flex connect groups. This is the same way we define flex connect ACLs which are pushed to the Flex APs and are returned by the Radius server later on.
  2) If you are going for Central authentication + local switching ....WLCs will always act like central authenticator and would talk to the radius server. If you have some radius servers at the local site and you want them to use without going through the central authentication..you can do that using (local authentication + local switching). Yes, In this case AP will be authenticator and would be AAA client to be added in the Radius server.
  3)yes ,,you are correct. If you want that your AP should do authentication and talk to the local radius server at the site , it has to be added in the Radius server.
  Regards
  Dhiresh
  **Please rate helpful posts**