Dynamic vlan
I am thinking of configuring a dynamic vlan for some of the devices on our LAN. Can you share with me your experience with dynamic vlans? Thank you.
you should use dynamic vlans, aka VMPS when you require or want specific MAC addresses to be able to connect to the switch; and when you don't want unknown MAC addresses connecting to the switch.
if you have no need to monitor/maintain what MAC addresses connect to your switch, then VMPS will not be required and will only provide additional administration overhead.
if you do need/want VMPS, please see this link for VMPS configuration and design:
http://www.cisco.com/en/US/products/hw/switches/ps663/products_configuration_guide_chapter09186a008012238d.html
Similar Messages
-
Hello ladies and gentlemen,
I am using several SG300-28 Switches with firmware version 1.1.2.0.
I have dynamic VLAN enabled. As RADIUS server I am using freeradius 2.1.12.
Authentication is only based on the MAC address. (I configured that on the switches)
On the switches I created three VLANs. VLAN100 for the authenticated clients, VLAN200 for Management interface and VLAN300 as Guest VLAN. After a wrong authentication the clients should be put into this Guest VLAN immediately (I configured this on the switches).
I am using Windows XP and Windows 7 clients in my network. I did not configure any EAP settings because I just want to use the MAC address.
In most cases the dynamic VLAN assignment and authentication is working fine. The switch log says that the client is authenticated and the same I can see on freeradius log. But in some (rare) cases the client is rejected. The CISCO log says "MAC aa:bb:cc:dd:ee:ff was rejected on port ge17" but when I look at the freeradius log then this MAC address was successfully authorized.
The problem is that the client gets an IP address based on the Guest VLAN300 but after that the switch seems to "switch" the VLAN on the port and then the client is authenticated correctly on the right VLAN but the client does not request a new IP on the new VLAN.
If I unplug and re-plug the LAN cable in most cases the client get the correct VLAN and the correct IP.
This is happening randomly on nearly all my PCs.
I would really appreciate your help. Do I have to set some timers higher ? I don't think it is a problem between switch and RADIUS but a problem between communication of the host and the switch.
Thank you very much for your help!
Regards
Alexander Wilke
This is from my CISCO log. The computer is always online but there are repeated rejects and then, with a delay of some minutes, an accept.
2147483395
2012-Aug-09 21:40:05
Informational
%SEC-I-PORTAUTHORIZED: Port gi8 is Authorized
2147483396
2012-Aug-09 21:38:23
Warning
%SEC-W-SUPPLICANTUNAUTHORIZED: MAC 00:19:99:0b:8d:b3 was rejected on port gi8
2147483397
2012-Aug-09 21:38:23
Warning
%SEC-W-PORTUNAUTHORIZED: Port gi8 is unAuthorized
2147483398
2012-Aug-09 21:16:05
Informational
%SEC-I-PORTAUTHORIZED: Port gi8 is Authorized
2147483399
2012-Aug-09 21:13:42
Warning
%SEC-W-SUPPLICANTUNAUTHORIZED: MAC 00:19:99:0b:8d:b3 was rejected on port gi8
2147483400
2012-Aug-09 21:13:42
Warning
%SEC-W-PORTUNAUTHORIZED: Port gi8 is unAuthorized
2147483401
2012-Aug-09 21:04:04
Informational
%SEC-I-PORTAUTHORIZED: Port gi8 is Authorized
2147483402
2012-Aug-09 21:03:50
Warning
%SEC-W-SUPPLICANTUNAUTHORIZED: MAC 00:19:99:0b:8d:b3 was rejected on port gi8
2147483403
2012-Aug-09 21:03:50
Warning
%SEC-W-PORTUNAUTHORIZED: Port gi8 is unAuthorized
2147483404
2012-Aug-09 20:52:02
Informational
%SEC-I-PORTAUTHORIZED: Port gi8 is Authorized
2147483405
2012-Aug-09 20:49:02
Warning
%SEC-W-SUPPLICANTUNAUTHORIZED: MAC 00:19:99:0b:8d:b3 was rejected on port gi8
2147483406
2012-Aug-09 20:49:02
Warning
%SEC-W-PORTUNAUTHORIZED: Port gi8 is unAuthorized
2147483407
2012-Aug-09 20:40:04
Informational
%SEC-I-PORTAUTHORIZED: Port gi8 is Authorized
2147483408
2012-Aug-09 20:39:10
Warning
%SEC-W-SUPPLICANTUNAUTHORIZED: MAC 00:19:99:0b:8d:b3 was rejected on port gi8
2147483409
2012-Aug-09 20:39:10
Warning
%SEC-W-PORTUNAUTHORIZED: Port gi8 is unAuthorized
2147483410
2012-Aug-09 20:16:06
Informational
%SEC-I-PORTAUTHORIZED: Port gi8 is Authorized
2147483411
2012-Aug-09 20:14:29
Warning
%SEC-W-SUPPLICANTUNAUTHORIZED: MAC 00:19:99:0b:8d:b3 was rejected on port gi8
2147483412
2012-Aug-09 20:14:29
Warning
%SEC-W-PORTUNAUTHORIZED: Port gi8 is unAuthorized
2147483413
2012-Aug-09 19:28:01
Informational
%SEC-I-PORTAUTHORIZED: Port gi8 is Authorized
2147483414
2012-Aug-09 19:25:08
Warning
%SEC-W-SUPPLICANTUNAUTHORIZED: MAC 00:19:99:0b:8d:b3 was rejected on port gi8
2147483415
2012-Aug-09 19:25:08
Warning
%SEC-W-PORTUNAUTHORIZED: Port gi8 is unAuthorized
2147483416
2012-Aug-09 19:15:59
Informational
%SEC-I-PORTAUTHORIZED: Port gi8 is Authorized
2147483417
2012-Aug-09 19:15:16
Warning
%SEC-W-SUPPLICANTUNAUTHORIZED: MAC 00:19:99:0b:8d:b3 was rejected on port gi8
2147483418
2012-Aug-09 19:15:16
Warning
%SEC-W-PORTUNAUTHORIZED: Port gi8 is unAuthorized
2147483419
2012-Aug-09 19:04:00
Informational
%SEC-I-PORTAUTHORIZED: Port gi8 is Authorized
2147483420
2012-Aug-09 19:00:27
Warning
%SEC-W-SUPPLICANTUNAUTHORIZED: MAC 00:19:99:0b:8d:b3 was rejected on port gi8
2147483421
2012-Aug-09 19:00:27
Warning
%SEC-W-PORTUNAUTHORIZED: Port gi8 is unAuthorized
2147483422
2012-Aug-09 18:27:59
Informational
%SEC-I-PORTAUTHORIZED: Port gi8 is Authorized
2147483423
2012-Aug-09 18:25:55
Warning
%SEC-W-SUPPLICANTUNAUTHORIZED: MAC 00:19:99:0b:8d:b3 was rejected on port gi8
2147483424
2012-Aug-09 18:25:55
Warning
%SEC-W-PORTUNAUTHORIZED: Port gi8 is unAuthorized
Any ideas? -
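The log above shows the same MAC being rejected and then authorized again on the same port, minutes apart, over and over. Added example (not the poster's code): a small parser for the four-line SG300 log export (id, timestamp, severity, message) that pairs each rejection with the next port authorization and flags MACs that cycle repeatedly, which is the pattern to look for before blaming credentials. The record format, field names and thresholds are assumptions of this example; the sample records are the first nine from the log above plus one constructed record for port gi17.

```python
import re
from datetime import datetime

# SG300 log export as shown above: each record is four consecutive lines
# (log id, timestamp, severity, message). These constants are assumptions.
RECORD_LINES = 4
TS_FMT = "%Y-%b-%d %H:%M:%S"
REJECT_RE = re.compile(r"%SEC-W-SUPPLICANTUNAUTHORIZED: MAC (\S+) was rejected on port (\S+)")
AUTHORIZED_RE = re.compile(r"%SEC-I-PORTAUTHORIZED: Port (\S+) is Authorized")

# First nine records copied from the log above plus one constructed record
# (gi17) for a MAC that is rejected and never re-authorized.
SAMPLE_LOG = """
2147483395
2012-Aug-09 21:40:05
Informational
%SEC-I-PORTAUTHORIZED: Port gi8 is Authorized
2147483396
2012-Aug-09 21:38:23
Warning
%SEC-W-SUPPLICANTUNAUTHORIZED: MAC 00:19:99:0b:8d:b3 was rejected on port gi8
2147483397
2012-Aug-09 21:38:23
Warning
%SEC-W-PORTUNAUTHORIZED: Port gi8 is unAuthorized
2147483398
2012-Aug-09 21:16:05
Informational
%SEC-I-PORTAUTHORIZED: Port gi8 is Authorized
2147483399
2012-Aug-09 21:13:42
Warning
%SEC-W-SUPPLICANTUNAUTHORIZED: MAC 00:19:99:0b:8d:b3 was rejected on port gi8
2147483400
2012-Aug-09 21:13:42
Warning
%SEC-W-PORTUNAUTHORIZED: Port gi8 is unAuthorized
2147483401
2012-Aug-09 21:04:04
Informational
%SEC-I-PORTAUTHORIZED: Port gi8 is Authorized
2147483402
2012-Aug-09 21:03:50
Warning
%SEC-W-SUPPLICANTUNAUTHORIZED: MAC 00:19:99:0b:8d:b3 was rejected on port gi8
2147483403
2012-Aug-09 21:03:50
Warning
%SEC-W-PORTUNAUTHORIZED: Port gi8 is unAuthorized
2147483404
2012-Aug-09 21:00:00
Warning
%SEC-W-SUPPLICANTUNAUTHORIZED: MAC aa:bb:cc:dd:ee:ff was rejected on port gi17
"""


def parse_records(text):
    """Turn the four-line export into dicts, ordered oldest first."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    if len(lines) % RECORD_LINES:
        raise ValueError("export is not a whole number of 4-line records")
    records = []
    for i in range(0, len(lines), RECORD_LINES):
        log_id, stamp, severity, message = lines[i:i + RECORD_LINES]
        records.append({"id": int(log_id),
                        "time": datetime.strptime(stamp, TS_FMT),
                        "severity": severity,
                        "message": message})
    # The export lists newest first; on this switch a higher id is an older event.
    records.sort(key=lambda r: (r["time"], -r["id"]))
    return records


def auth_flaps(records):
    """Pair each MAC rejection with the next PORTAUTHORIZED on the same port.

    Returns (flaps, pending): flaps maps (port, mac) to the list of
    reject->authorize delays in seconds; pending maps a port to the rejected
    MACs that never came back up within the export.
    """
    pending, flaps = {}, {}
    for rec in records:
        m = REJECT_RE.search(rec["message"])
        if m:
            mac, port = m.groups()
            pending.setdefault(port, []).append((mac, rec["time"]))
            continue
        m = AUTHORIZED_RE.search(rec["message"])
        if m:
            port = m.group(1)
            for mac, rejected_at in pending.pop(port, []):
                delay = (rec["time"] - rejected_at).total_seconds()
                flaps.setdefault((port, mac), []).append(delay)
    return flaps, {p: v for p, v in pending.items() if v}


def repeated_flaps(flaps, min_cycles=3):
    """(port, mac) pairs that cycled reject->authorize at least min_cycles times.

    A wrong credential rejects the same MAC every time. A MAC that is rejected
    and then authorized again minutes later, repeatedly, points at timing
    between host, switch and RADIUS instead, which is the pattern in the post.
    """
    return {key: delays for key, delays in flaps.items() if len(delays) >= min_cycles}


if __name__ == "__main__":
    flaps, pending = auth_flaps(parse_records(SAMPLE_LOG))
    for (port, mac), delays in repeated_flaps(flaps).items():
        print(f"{port} {mac}: {len(delays)} cycles, delays {delays}")
    for port, macs in pending.items():
        print(f"{port}: still unauthorized: {[m for m, _ in macs]}")
```

Run against a full export, the delays per cycle are the numbers to compare with the switch's reauthentication and quiet-period timers; a port that only ever appears in `pending` is the genuine credential failure.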
WLC 5508: 802.1 AAA override; Authentication success, no dynamic VLAN assignment
WLC 5508: software version 7.0.98.0
Windows 7 Client
Radius Server: Fedora Core 13 / Freeradius with LDAP storage backend
I have followed the guide at http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml with respect to building the LDAP and FreeRADIUS server. 802.1x authorization and authentication work correctly. The session keys are returned from the RADIUS server and the WLC sends the appropriate information for the client to generate the WEP key.
However, the WLC does not override the VLAN assignment, even though I believe I set everything up correctly. From the packet capture, you can see that verification that the client is authorized to use the WLAN returns the needed attributes:
AVP: l=4 t=Tunnel-Private-Group-Id(81): 10
AVP: l=6 t=Tunnel-Medium-Type(65): IEEE-802(6)
AVP: l=6 t=Tunnel-Type(64): VLAN(13)
I attached a packet capture and WLC config; any guidance toward the attributes that may be missing or not set correctly in the config would be most appreciated.
Yes, good catch, so I had one setting left off in FreeRADIUS that allowed the inner reply attributes back to the outer tunneled accept. I wrote up a medium/high-level config for any future viewers of this thread:
The following was tested and verified on a fedora 13 installation. This is a minimal setup; not meant for a "live" network (security issues with cleartext passwords, ldap not indexed properly for performance)
Install Packages
1. Install needed packages.
yum install openldap*
yum install freeradius*
2. Set the services to automatically start of system startup
chkconfig --level 2345 slapd on
chkconfig --level 2345 radiusd on
Configure and start LDAP
1. Copy the needed ldap schemas for radius. Your path may vary a bit
cp /usr/share/doc/freeradius*/examples/openldap.schema /etc/openldap/schema/radius.schema
2. Create an admin password for slapd. Record this password for later use when configuring the slapd.conf file
slappasswd
3. Add the ldap user and group, if they don't exist. Depending on the install rpm, they may have been created
useradd ldap
groupadd ldap
4. Create the directory and assign permissions for the database files
mkdir /var/lib/ldap
chmod 700 /var/lib/ldap
chown ldap:ldap /var/lib/ldap
5. Edit the slapd.conf file.
cd /etc/openldap
vi slapd.conf
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#Default needed schemas
include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/duaconf.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/java.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/ppolicy.schema
include /etc/openldap/schema/collective.schema
#Radius include
include /etc/openldap/schema/radius.schema
#Samba include
#include /etc/openldap/schema/samba.schema
# Allow LDAPv2 client connections. This is NOT the default.
allow bind_v2
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
# ldbm and/or bdb database definitions
#Use the berkely database
database bdb
#dn suffix, domain components read in order
suffix "dc=cisco,dc=com"
checkpoint 1024 15
#root container node defined
rootdn "cn=Manager,dc=cisco,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# rootpw secret
rootpw {SSHA}cVV/4zKquR4IraFEU7NTG/PIESw8l4JI
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools. (chown ldap:ldap)
# Mode 700 recommended.
directory /var/lib/ldap
# Indices to maintain for this database
index objectClass eq,pres
index uid,memberUid eq,pres,sub
# enable monitoring
database monitor
# allow only rootdn to read the monitor
access to *
by dn.exact="cn=Manager,dc=cisco,dc=com" read
by * none
6. Remove the slapd.d directory
cd /etc/openldap
rm -rf slapd.d
7. Hopefully, if everything is correct, you should be able to start up slapd with no problem
service slapd start
8. Create the initial database in a text file called /tmp/initial.ldif
dn: dc=cisco,dc=com
objectClass: dcobject
objectClass: organization
o: cisco
dc: cisco

dn: ou=people,dc=cisco,dc=com
objectClass: organizationalunit
ou: people
description: people

dn: uid=jonatstr,ou=people,dc=cisco,dc=com
objectClass: top
objectClass: radiusprofile
objectClass: inetOrgPerson
cn: jonatstr
sn: jonatstr
uid: jonatstr
description: user Jonathan Strickland
radiusTunnelType: VLAN
radiusTunnelMediumType: 802
radiusTunnelPrivateGroupId: 10
userPassword: ggsg
9. Add the file to the database
ldapadd -h localhost -W -D "cn=Manager, dc=cisco,dc=com" -f /tmp/initial.ldif
10. Issue a basic query to the ldap db, to make sure that we can request and receive results back
ldapsearch -h localhost -W -D cn=Manager,dc=cisco,dc=com -b dc=cisco,dc=com -s sub "objectClass=*"
Configure and Start FreeRadius
1. Configure ldap.attrmap, if needed. This step is only needed if we need to map and pass attributes back to the authenticator (dynamic vlan assignments as an example). Below is an example for dynamic vlan assignments
cd /etc/raddb
vi ldap.attrmap
For dynamic vlan assignments, verify the following lines exist:
replyItem Tunnel-Type radiusTunnelType
replyItem Tunnel-Medium-Type radiusTunnelMediumType
replyItem Tunnel-Private-Group-Id radiusTunnelPrivateGroupId
Since we are planning to use the userPassword attribute, we will let the mschap module perform the NT translations for us. Add the following line to check the ldap object for userPassword and store it as Cleartext-Password:
checkItem Cleartext-Password userPassword
2. Configure eap.conf. The following section attributes should be verified. You may change other attributes as needed; they are just not covered in this document.
eap {
	default_eap_type = peap
	.....
	tls {
		# I will not go into details here as this is beyond the scope of setting up freeradius.
		# The defaults will work, as freeradius comes with generated self-signed certificates.
	}
	peap {
		default_eap_type = mschapv2
		# you will have to set this to allow the inner tls tunnel attributes into the final accept message
		use_tunneled_reply = yes
	}
}
3. Change the authentication and authorization modules and order.
cd /etc/raddb/sites-enabled
vi default
For the authorize section, uncomment the ldap module.
For the authenticate section, uncomment the ldap module
vi inner-tunnel
Very important: for the authorize section, ensure the ldap module is first, before mschap. Thus authorize will look like:
authorize {
	ldap
	mschap
	......
}
4. Configure ldap module
cd /etc/raddb/modules
ldap {
	server = "localhost"
	# the ldap module's bind DN option is spelled "identity"
	identity = "cn=Manager,dc=cisco,dc=com"
	password = admin
	basedn = "dc=cisco,dc=com"
	base_filter = "(objectclass=radiusprofile)"
	access_attr = "uid"
	............
}
5. Start up radius in debug mode on another console
radiusd -X
6. radtest localhost 12 testing123
You should get a Access-Accept back
7. Now to perform an EAP-PEAP test. This will require a wpa_supplicant test library called eapol_test
First install openssl support libraries, required to compile
yum install openssl*
yum install gcc
wget http://hostap.epitest.fi/releases/wpa_supplicant-0.6.10.tar.gz
tar xvf wpa_supplicant-0.6.10.tar.gz
cd wpa_supplicant-0.6.10/wpa_supplicant
vi defconfig
Uncomment CONFIG_EAPOL_TEST = y and save/exit
cp defconfig .config
make eapol_test
cp eapol_test /usr/local/bin
chmod 755 /usr/local/bin/eapol_test
8. Create a test config file named eapol_test.conf.peap
network={
	eap=PEAP
	eapol_flags=0
	key_mgmt=IEEE8021X
	identity="jonatstr"
	password="ggsg"
	# If you want to verify the server certificate the below would be needed
	#ca_cert="/root/ca.pem"
	phase2="auth=MSCHAPV2"
}
9. Run the test
eapol_test -c ~/eapol_test.conf.peap -a 127.0.0.1 -p 1812 -s testing123 -
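The FreeRADIUS step that most often goes wrong in the write-up above is the join between the LDIF entry (radiusTunnelType, radiusTunnelMediumType, radiusTunnelPrivateGroupId) and the replyItem lines in ldap.attrmap. Added example (not the poster's code and not FreeRADIUS' own logic): a stand-alone check that parses an ldap.attrmap fragment and an LDIF file, computes the reply items a radiusprofile entry would yield under that mapping, and reports which of the three VLAN reply items are absent or wrong. It assumes the reply items come only from the attrmap mapping; the attrmap and jonatstr entry are copied from the steps above, the guest1 entry is constructed to show a broken profile.

```python
# ldap.attrmap lines and the jonatstr entry are taken from the procedure above;
# the guest1 entry is constructed and deliberately lacks radiusTunnelMediumType.
SAMPLE_ATTRMAP = """
# check item: let mschap do the NT hashing from the cleartext userPassword
checkItem Cleartext-Password userPassword
replyItem Tunnel-Type radiusTunnelType
replyItem Tunnel-Medium-Type radiusTunnelMediumType
replyItem Tunnel-Private-Group-Id radiusTunnelPrivateGroupId
"""

SAMPLE_LDIF = """
dn: uid=jonatstr,ou=people,dc=cisco,dc=com
objectClass: top
objectClass: radiusprofile
objectClass: inetOrgPerson
cn: jonatstr
sn: jonatstr
uid: jonatstr
description: user Jonathan Strickland
radiusTunnelType: VLAN
radiusTunnelMediumType: 802
radiusTunnelPrivateGroupId: 10
userPassword: ggsg

dn: uid=guest1,ou=people,dc=cisco,dc=com
objectClass: top
objectClass: radiusprofile
objectClass: inetOrgPerson
cn: guest1
sn: guest1
uid: guest1
radiusTunnelType: VLAN
radiusTunnelPrivateGroupId: 300
userPassword: guest
"""

# What an authenticator needs per RFC 2868 / the steps above: value None means "any value".
REQUIRED_REPLY = {"Tunnel-Type": "VLAN",
                  "Tunnel-Medium-Type": "802",
                  "Tunnel-Private-Group-Id": None}


def parse_attrmap(text):
    """ldap.attrmap: '<checkItem|replyItem> <RADIUS attribute> <LDAP attribute>' per line."""
    check, reply = {}, {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) != 3:
            continue
        kind, radius_attr, ldap_attr = parts
        target = check if kind == "checkItem" else reply
        target[ldap_attr.lower()] = radius_attr   # LDAP attribute names are case-insensitive
    return check, reply


def parse_ldif(text):
    """Minimal LDIF reader: entries separated by blank lines, attributes multi-valued."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current.setdefault(key.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def reply_for_user(uid, ldif_text, attrmap_text):
    """Reply items the attrmap would produce for the radiusprofile entry with this uid, or None.

    Only replyItem mappings are used, so userPassword (a checkItem) never leaks into the reply.
    """
    _, reply_map = parse_attrmap(attrmap_text)
    for entry in parse_ldif(ldif_text):
        classes = [v.lower() for v in entry.get("objectclass", [])]
        if entry.get("uid") == [uid] and "radiusprofile" in classes:
            return {reply_map[k]: v[0] for k, v in entry.items() if k in reply_map}
    return None


def missing_vlan_items(reply):
    """Names of required VLAN reply items that are absent or carry an unexpected value."""
    return [name for name, expected in REQUIRED_REPLY.items()
            if name not in reply or (expected is not None and reply[name] != expected)]


if __name__ == "__main__":
    for uid in ("jonatstr", "guest1"):
        reply = reply_for_user(uid, SAMPLE_LDIF, SAMPLE_ATTRMAP)
        print(uid, reply, "missing:", missing_vlan_items(reply))
```

Feeding the real /etc/raddb/ldap.attrmap and an `ldapsearch -LLL` dump into these two functions catches a misspelled LDAP attribute or a profile missing one of the three items before `radiusd -X` and eapol_test are involved.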
Dynamic VLAN assignments with ACS
Hello all.
I am trying to do dynamic vlan assignments with dot1x auth. I am using ACS5.3 and Cisco 3560.
I have configured them correctly to the best of my knowledge but it doesn't seem to be working correctly.
aaa group server radius nac_servers
 server-private 84.93.219.163 auth-port 1812 acct-port 1813 key 7 xxxxxx
aaa authentication dot1x default group nac_servers
aaa authorization network default group nac_servers
interface FastEthernet0/2
 switchport mode access
 switchport voice vlan 364
 srr-queue bandwidth share 10 10 60 20
 srr-queue bandwidth shape 10 0 0 0
 priority-queue out
 authentication event no-response action authorize vlan 303
 authentication host-mode multi-domain
 authentication port-control auto
 mls qos trust cos
 auto qos voip trust
 dot1x pae authenticator
When the user connects I get the following via debug:
Apr 30 15:19:36.303: %AUTHMGR-5-VLANASSIGN: VLAN 300 assigned to Interface Fa0/2 AuditSessionID 000000000000001F8B7214D7
However "show int status" still shows the port on vlan 1 and the end device is stuck with a 169.x.x.x address (Windows PC).
Any idea what config I'm missing?
Thanks
Paul
Hello.
Here is what's left in the log.
Apr 30 15:19:36.253: dot1x-ev:Enqueued the eapol packet to the global authenticator queue
Apr 30 15:19:36.253: EAPOL pak dump rx
Apr 30 15:19:36.253: EAPOL Version: 0x1 type: 0x0 length: 0x007B
Apr 30 15:19:36.253: dot1x-ev:
dot1x_auth_queue_event: Int Fa0/2 CODE= 2,TYPE= 25,LEN= 123
Apr 30 15:19:36.253: dot1x-ev(Fa0/2): Received pkt saddr =70cd.6066.988a , daddr = 0180.c200.0003,
pae-ether-type = 888e.0100.007b
Apr 30 15:19:36.253: dot1x-ev(Fa0/2): dot1x_sendRespToServer: Response sent to the server from 0x55000021 (70cd.6066.988a)
Apr 30 15:19:36.269: dot1x-ev(Fa0/2): Sending EAPOL packet to 70cd.6066.988a
Apr 30 15:19:36.269: dot1x-ev(Fa0/2): Role determination not required
Apr 30 15:19:36.278: dot1x-ev(Fa0/2): Sending out EAPOL packet
Apr 30 15:19:36.278: dot1x-ev(Fa0/2): Role determination not required
Apr 30 15:19:36.278: dot1x-ev:Enqueued the eapol packet to the global authenticator queue
Apr 30 15:19:36.278: EAPOL pak dump rx
Apr 30 15:19:36.278: EAPOL Version: 0x1 type: 0x0 length: 0x002B
Apr 30 15:19:36.278: dot1x-ev:
dot1x_auth_queue_event: Int Fa0/2 CODE= 2,TYPE= 25,LEN= 43
Apr 30 15:19:36.286: dot1x-ev(Fa0/2): Received pkt saddr =70cd.6066.988a , daddr = 0180.c200.0003,
pae-ether-type = 888e.0100.002b
Apr 30 15:19:36.286: dot1x-ev(Fa0/2): dot1x_sendRespToServer: Response sent to the server from 0x55000021 (70cd.6066.988a)
Apr 30 15:19:36.286: dot1x-ev(Fa0/2): Sending EAPOL packet to 70cd.6066.988a
Apr 30 15:19:36.286: dot1x-ev(Fa0/2): Role determination not required
Apr 30 15:19:36.294: dot1x-ev(Fa0/2): Sending out EAPOL packet
Apr 30 15:19:36.294: dot1x-ev(Fa0/2): Role determination not required
Apr 30 15:19:36.294: dot1x-ev:Enqueued the eapol packet to the global authenticator queue
Apr 30 15:19:36.294: EAPOL pak dump rx
Apr 30 15:19:36.294: EAPOL Version: 0x1 type: 0x0 length: 0x002B
Apr 30 15:19:36.294: dot1x-ev:
dot1x_auth_queue_event: Int Fa0/2 CODE= 2,TYPE= 25,LEN= 43
Apr 30 15:19:36.294: dot1x-ev(Fa0/2): Received pkt saddr =70cd.6066.988a , daddr = 0180.c200.0003,
pae-ether-type = 888e.0100.002b
Apr 30 15:19:36.294: dot1x-ev(Fa0/2): dot1x_sendRespToServer: Response sent to the server from 0x55000021 (70cd.6066.988a)
Apr 30 15:19:36.303: %DOT1X-5-SUCCESS: Authentication successful for client (70cd.6066.988a) on Interface Fa0/2 AuditSessionID 000000000000001F8B7214D7
Apr 30 15:19:36.303: dot1x-ev(Fa0/2): Sending event (2) to Auth Mgr for 70cd.6066.988a
Apr 30 15:19:36.303: %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (70cd.6066.988a) on Interface Fa0/2 AuditSessionID 000000000000001F8B7214D7
Apr 30 15:19:36.303: %AUTHMGR-5-VLANASSIGN: VLAN 300 assigned to Interface Fa0/2 AuditSessionID 000000000000001F8B7214D7
Apr 30 15:19:37.167: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/2, changed state to up
Apr 30 15:19:37.335: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (70cd.6066.988a) on Interface Fa0/2 AuditSessionID 000000000000001F8B7214D7
Apr 30 15:19:37.335: dot1x-ev(Fa0/2): Received Authz Success for the client 0x55000021 (70cd.6066.988a)
Apr 30 15:19:37.335: dot1x-ev(Fa0/2): Sending EAPOL packet to 70cd.6066.988a
Apr 30 15:19:37.335: dot1x-ev(Fa0/2): Role determination not required
Apr 30 15:19:37.335: dot1x-ev(Fa0/2): Sending out EAPOL packet
Hope that helps -
Dynamic VLAN, should or should not?
Hi everyone,
My company has one Core Switch 6509; this core SW aggregates all access switches.
On the Core SW, I've configured static IP such as: # arp IP_address MAC_address rarp
However, when a client moves from one access switch to another, I must change the VLAN on the access port.
It's very manual.
To improve the management, I am thinking of Dynamic VLAN.
But this solution requires all access switches to support VMPS, and the access switches in the network do not support it.
To implement this solution, it requires a large investment to purchase new devices.
Can anyone advise me a suitable solution?
Thanks in advance!
HoiVN
Kindly check the following link for reference.
sample configuration link
http://www.cisco.com/c/en/us/td/docs/wireless/controller/5700/software/release/3se/security/configuration_guide/b_sec_3se_5700_cg/b_sec_1501_3850_cg_chapter_01110.html
http://www.cisco.com/c/en/us/td/docs/wireless/controller/7-0/configuration/guide/c70/c70intf.html
Trouble shooting link
http://www.cisco.com/c/en/us/support/docs/security/secure-access-control-system/113485-acs5x-tshoot.html -
FlexConnect, EAP-TLS and dynamic VLAN assignments
I need to integrate Cisco ISE and WLC5508 with FlexConnect (local switching) using EAP-TLS security for wireless clients across multiple floors (dynamic VLAN assignments based on floor level). The AP model used is 3602.
I have some questions:
- What RADIUS Attribute can be used for dynamic VLAN assignments based on floor level? Is there an option where I can group all LWAPs in same floor for getting certain VLAN from ISE?
- I intend to use WLC software version 7.2 since 7.3 is the latest version. Has someone used WLC software version 7.3 without any major bugs/issues pertaining to FlexConnect and EAP-TLS?
- I read some documents saying L3 roaming is where the associated WLC has changed. However, if a user moves to a different subnet but is still associated to the same WLC, would this be considered L3 roaming too?
Can someone assist to clear my confusion here? Any reference URL for layer 2 and layer 3 roaming details is appreciated. Thanks
I'll give this a shot :)
For RADIUS VLAN attributes, both ACS and ISE have the ability in the policies to just enter the VLAN ID in the profile. You can either do that or use the IETF attributes.
The RADIUS attributes to configure for VLAN assignment are IETF RADIUS attributes 64, 65, and 81, which control VLAN assignment of users and groups. See RFC 2868 for more information.
64 (Tunnel-Type) should be set to VLAN (Integer = 13)
65 (Tunnel-Medium-Type) should be set to 802 (Integer = 6)
81 (Tunnel-Private-Group-ID) should be set to the VLAN number. This can also be set to VLAN name if using a Cisco IOS device (excludes Aironet and Wireless Controllers however).
You can find this by searching on Google.... A lot of examples out there
v7.2 and v7.3 I have had no issues with, with any type of encryption used. With 7.0 and 7.2, I would use the latest due to the Windows 8 fix.
Layer 3 roaming is what's going to happen if the APs are in local mode. This means that the client will keep its IP address no matter what AP it is connected to and/or WLC, as long as the mobility group is the same. So a user who boots up on floor 1 will keep their IP address even if he or she roams to the 12th floor, as long as he or she didn't lose wireless connection.
With FlexConnect you can do that. The APs are trunked and need to have the VLANs. So what you're trying to do will be disruptive to clients. When they roam to another floor AP that is FlexConnect locally switched, they will drop and have to re-associate in order to get a new IP address.
Hope this helps.
Sent from Cisco Technical Support iPhone App -
Dynamic VLAN on Access Point using RADIUS
Hi.
I am using a single Cisco 1130AG authenticating to RADIUS on Microsoft IAS (I do NOT have a WLC)
I was wondering is it possible to use one flat SSID in my network and then dynamically assign VLANs to users based on matching of RADIUS Policy and RADIUS Return attributes?
I have configured the attributes on radius as per documentation;
* IETF 64 (Tunnel Type)—Set this to VLAN.
* IETF 65 (Tunnel Medium Type)—Set this to 802.
* IETF 81 (Tunnel Private Group ID)—Set this to VLAN ID.
The returned VLAN ID exists on the Access Point and direct connection to the SSID without the return value works okay.
Each time I connect the VLAN just defaults to the native VLAN for the SSID
I think it may be impossible without WLC!
HELP!!
From what I found when using MBSSID it appears you cannot use dynamic VLANs.
However you can use a single broadcasted SSID and various non-broadcast SSIDs with dynamic VLANs.
Ideally a single SSID and dynamic VLANs via dot1x would be fine for my setup.
However I have a specific wireless device which cannot use dot1x/EAP and therefore I need a second broadcast SSID to use for this, which then causes the dynamic VLAN setup not to work. -
Dynamic VLAN/SSID assignment using 4402/MS IAS
Greetings,
In short we have a WLC4402 (50 AP license) and approx 30 1252s LAPs in place. Right now we have three VLANs/SSIDs in place - one for admin, one for teachers and one for students. The WLC uses a MS Windows 2003 server running IAS for PEAP authentication. The clients are Windows XP, the SSID is entered manually based on "pre-designation" of the laptop's "type" (either admin, teacher or student).
This is working fine. However more and more frequently our users have been "sharing" laptops so a student may need to use a teacher's laptop and vice-versa. In short we would like to use dynamic VLAN/SSID assignment so that if a student does have a teacher's laptop the "student" VLAN/SSID would be assigned to them when log in (and the proper ACLs, QoS policies, etc would be applied)
We have found documentation on how to perform this with an ACS but is there anything available for this configuration with a MS IAS server.
Any input/information would be greatly appreciated.
Joe
Shaun,
My LAG - etherchannel interface
interface Port-channel8
description WLC-portchannel
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,3,24-26
switchport mode trunk
end
My 2 WLC Fiber ports:
Current configuration : 382 bytes
interface GigabitEthernet7/47
description CiscoWLC-LAG-Ports
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,3,24-26
switchport mode trunk
service-policy output autoqos-voip-policy
qos trust cos
auto qos voip trust
tx-queue 3
bandwidth percent 33
priority high
shape percent 33
spanning-tree bpdufilter enable
channel-group 8 mode on
end
2200-3A#sh run int g7/48
Building configuration...
Current configuration : 382 bytes
interface GigabitEthernet7/48
description CiscoWLC-LAG-Ports
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,3,24-26
switchport mode trunk
service-policy output autoqos-voip-policy
qos trust cos
auto qos voip trust
tx-queue 3
bandwidth percent 33
priority high
shape percent 33
spanning-tree bpdufilter enable
channel-group 8 mode on
end
I use vl1 for ap mgmt, vl3 for hotspot, and vl24-26 for WPA2 clients and wireless voip devices.
One of my AP switchports on the same switch. I let the trunk port to the AP carry a range of vlan's, and then a manage the vlans assigned to clients with IAS and the WLC.
interface FastEthernet4/48
description AP-PoE
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1-1004
switchport mode trunk
service-policy output autoqos-voip-policy
qos trust cos
auto qos voip trust
tx-queue 3
bandwidth percent 33
priority high
shape percent 33
end
Jim -
Dynamic VLAN Assignment + NPS
Hello,
I'm planning a deployment with the following:
5508 WLC running 7.0.222.0
NCS 1.0.2.29
50+ 3502i AP's
Windows 2008 R2 running NPS
EAP-TLS for authentication
The end goal is to have a single SSID and utilize NPS to dynamically assign VLAN's depending on role/group.
I've read several documents that use ACS to complete the dynamic VLAN assignment (including http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml), however in this case ACS is not available.
My question basically is; do I need ACS to apply the VSA for Cisco Airespace, or can this be done solely with the following IETF attributes using Microsoft NPS and AAA override on the WLC?
[64] Tunnel-Type
[65] Tunnel-Medium-Type
[81] Tunnel-Pvt-Group-ID
Any advice would be greatly appreciated!
Thanks
Thanks Steve for your quick response.
I did everything as per your recommendation and it still doesn't work.
Do you mind providing me a remote assistance, do you have Skype?
Or if you prefer that I provide you a set of logs, tell me which one and I will do so.
SSID:TT
@IP WLC: 172.20.252.70
NPS: 172.20.1.16
config rule NPS: service-Type: NAS Prompt
Tunnel-Type: VLAN
Tunnel-pvt-group-ID:10
Tunnel-Meduim-Type:802
log WLC:
*radiusTransportThread: Sep 19 12:32:47.841: ****Enter processIncomingMessages: response code=2
*radiusTransportThread: Sep 19 12:32:47.841: ****Enter processRadiusResponse: response code=2
*radiusTransportThread: Sep 19 12:32:47.841: 8c:70:5a:1c:8e:20 Access-Accept received from RADIUS server 172.20.1.16 for mobile 8c:70:5a:1c:8e:20 receiveId = 4
*Dot1x_NW_MsgTask_0: Sep 19 12:32:47.841: 8c:70:5a:1c:8e:20 Processing Access-Accept for mobile 8c:70:5a:1c:8e:20
*Dot1x_NW_MsgTask_0: Sep 19 12:32:47.842: 8c:70:5a:1c:8e:20 Applying new AAA override for station 8c:70:5a:1c:8e:20
*Dot1x_NW_MsgTask_0: Sep 19 12:32:47.842: 8c:70:5a:1c:8e:20 Override values for station 8c:70:5a:1c:8e:20
source: 4, valid bits: 0x200
qosLevel: -1, dscp: 0xffffffff, dot1pTag: 0xffffffff, sessionTimeout: -1
*Dot1x_NW_MsgTask_0: Sep 19 12:32:47.842: 8c:70:5a:1c:8e:20 Override values (cont..) dataAvgC: -1, rTAvgC: -1, dataBurstC: -1, rTimeBurstC: -1
vlanIfName: 'dy-data-ksb1', aclName: ''
*Dot1x_NW_MsgTask_0: Sep 19 12:32:47.842: 8c:70:5a:1c:8e:20 Inserting new RADIUS override into chain for station 8c:70:5a:1c:8e:20
*Dot1x_NW_MsgTask_0: Sep 19 12:32:47.843: 8c:70:5a:1c:8e:20 Override values for station 8c:70:5a:1c:8e:20
source: 4, valid bits: 0x200
qosLevel: -1, dscp: 0xffffffff, dot1pTag: 0xffffffff, sessionTimeout: -1
*Dot1x_NW_MsgTask_0: Sep 19 12:32:47.843: 8c:70:5a:1c:8e:20 Override values (cont..) dataAvgC: -1, rTAvgC: -1, dataBurstC: -1, rTimeBurstC: -1
vlanIfName: 'dy-data-ksb1', aclName: ''
*Dot1x_NW_MsgTask_0: Sep 19 12:32:47.843: 8c:70:5a:1c:8e:20 Applying override policy from source Override Summation:
*Dot1x_NW_MsgTask_0: Sep 19 12:32:47.843: 8c:70:5a:1c:8e:20 Override values for station 8c:70:5a:1c:8e:20
source: 256, valid bits: 0x200
qosLevel: -1, dscp: 0xffffffff, dot1pTag: 0xffffffff, sessionTimeout: -1
*Dot1x_NW_MsgTask_0: Sep 19 12:32:47.843: 8c:70:5a:1c:8e:20 Override values (cont..) dataAvgC: -1, rTAvgC: -1, dataBurstC: -1, rTimeBurstC: -1
vlanIfName: 'dy-data-ksb1', aclName: ''
*Dot1x_NW_MsgTask_0: Sep 19 12:32:47.843: 8c:70:5a:1c:8e:20 Setting re-auth timeout to 1800 seconds, got from WLAN config.
*Dot1x_NW_MsgTask_0: Sep 19 12:32:47.844: 8c:70:5a:1c:8e:20 Station 8c:70:5a:1c:8e:20 setting dot1x reauth timeout = 1800
*Dot1x_NW_MsgTask_0: Sep 19 12:32:47.844: 8c:70:5a:1c:8e:20 Creating a PKC PMKID Cache entry for station 8c:70:5a:1c:8e:20 (RSN 2)
*Dot1x_NW_MsgTask_0: Sep 19 12:32:47.844: 8c:70:5a:1c:8e:20 Adding BSSID 00:1e:be:a7:bf:b6 to PMKID cache for station 8c:70:5a:1c:8e:20
*Dot1x_NW_MsgTask_0: Sep 19 12:32:47.844: New PMKID: (16)
*Dot1x_NW_MsgTask_0: Sep 19 12:32:47.844: [0000] 80 36 -
Dynamic VLAN assignment on SG300
Cisco documentation states that dynamic vlan assignment via RADIUS should provide the following IETF values:
The RADIUS user attributes used for the VLAN ID assignment are:
IETF 64 (Tunnel Type)—Set this to VLAN.
IETF 65 (Tunnel Medium Type)—Set this to 802
IETF 81 (Tunnel Private Group ID)—Set this to VLAN ID
I have done so with an Aruba Clearpass RADIUS server - but the Access-Accept message being sent below:
Radius:IETF:Tunnel-Medium-Type 6
Radius:IETF:Tunnel-Private-Group-Id 4
Radius:IETF:Tunnel-Type 13
is being received by the SG300 in some way that's not being interpreted correctly. Log files indicate that the IETF values are not what is expected:
07-Aug-2014 18:58:41 :%SEC-W-SUPPLICANTUNAUTHORIZED: username teststudent with MAC 00:11:25:d8:42:83 was rejected on port gi2 because Radius accept message does not contain VLAN ID
07-Aug-2014 18:58:41 :%AAAEAP-W-RADIUSREPLY: Invalid attribute 65 ignored - tag should be 0
07-Aug-2014 18:58:41 :%AAAEAP-W-RADIUSREPLY: Invalid attribute 64 ignored - tag should be 0
Is there something I'm missing here? These same values sent by the Clearpass RADIUS server are working for other switches such as Extreme and Brocade.
Thanks,
Aaron
Hi Aleksandra,
Here are the values from a packet capture of the Access-Accept message: -
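The SG300 thread above, like the WLC capture and the attribute lists in the FlexConnect and NPS threads, comes down to how IETF attributes 64, 65 and 81 are encoded on the wire: each carries a one-octet Tag before the value (RFC 2868), and a switch that expects untagged attributes logs exactly the "Invalid attribute 65 ignored - tag should be 0" lines shown. Added example (not the poster's code, not ClearPass or Cisco logic): an encoder and decoder for the three tunnel attributes, plus a validator that derives the VLAN the way a tag-strict switch would and, optionally, the way the RFC grouping rule would. The strict behaviour is modelled from the log lines above and is an assumption about the SG300; the two Access-Accept attribute lists are constructed, not captured.

```python
import struct

TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13      # Tunnel-Type value "VLAN" (RFC 3580)
TUNNEL_MEDIUM_802 = 6      # Tunnel-Medium-Type value "IEEE-802" (RFC 2868)


def encode_tagged_int(attr_type, value, tag=0):
    """Tunnel-Type / Tunnel-Medium-Type: Type, Length=6, Tag, 3-byte value (RFC 2868)."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0x00..0x1F")
    return struct.pack("!BBB", attr_type, 6, tag) + value.to_bytes(3, "big")


def encode_tagged_string(attr_type, text, tag=0):
    """Tunnel-Private-Group-ID: Type, Length, [Tag], String.

    With tag 0 the tag octet is omitted, which is what the WLC capture above
    shows (l=4 for "10"): the receiver sees a first byte above 0x1F and, per
    RFC 2868 section 3.6, treats the whole body as the untagged string.
    """
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0x00..0x1F")
    body = text.encode("ascii")
    if tag:
        body = bytes([tag]) + body
    return struct.pack("!BB", attr_type, 2 + len(body)) + body


def decode_attrs(blob):
    """Parse a RADIUS attribute list into (type, tag, value) triples."""
    out, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        a_type, a_len = blob[i], blob[i + 1]
        if a_len < 2 or i + a_len > len(blob):
            raise ValueError("bad attribute length")
        body = blob[i + 2:i + a_len]
        if a_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if a_len != 6:
                raise ValueError("tagged integer attribute must be 6 bytes")
            out.append((a_type, body[0], int.from_bytes(body[1:], "big")))
        elif a_type == TUNNEL_PRIVATE_GROUP_ID:
            # 0x01..0x1F is a tag; anything else is the first byte of the string
            if body and 0x01 <= body[0] <= 0x1F:
                out.append((a_type, body[0], body[1:].decode("ascii", "replace")))
            else:
                out.append((a_type, 0, body.decode("ascii", "replace")))
        else:
            out.append((a_type, 0, bytes(body)))
        i += a_len
    return out


def vlan_from_accept(blob, strict_untagged=True):
    """Return (vlan, problems) for an Access-Accept attribute list.

    strict_untagged=True mimics the SG300 log above (an assumption): a
    Tunnel-Type or Tunnel-Medium-Type with a non-zero tag is ignored, after
    which no VLAN can be derived. With strict_untagged=False the RFC 2868
    grouping rule applies instead: all three attributes must share one tag.
    """
    problems, groups = [], {}
    for a_type, tag, value in decode_attrs(blob):
        if a_type not in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID):
            continue
        if strict_untagged and tag != 0 and a_type != TUNNEL_PRIVATE_GROUP_ID:
            problems.append(f"Invalid attribute {a_type} ignored - tag should be 0")
            continue
        groups.setdefault(tag, {})[a_type] = value
    for tag, attrs in sorted(groups.items()):
        if (attrs.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and attrs.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_802
                and TUNNEL_PRIVATE_GROUP_ID in attrs):
            return attrs[TUNNEL_PRIVATE_GROUP_ID], problems
    problems.append("Radius accept message does not contain VLAN ID")
    return None, problems


# Constructed attribute lists (not captured from a real server).
UNTAGGED_ACCEPT = (encode_tagged_int(TUNNEL_TYPE, TUNNEL_TYPE_VLAN)
                   + encode_tagged_int(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_802)
                   + encode_tagged_string(TUNNEL_PRIVATE_GROUP_ID, "10"))
TAGGED_ACCEPT = (encode_tagged_int(TUNNEL_TYPE, TUNNEL_TYPE_VLAN, tag=1)
                 + encode_tagged_int(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_802, tag=1)
                 + encode_tagged_string(TUNNEL_PRIVATE_GROUP_ID, "4", tag=1))

if __name__ == "__main__":
    for name, blob in (("untagged", UNTAGGED_ACCEPT), ("tagged", TAGGED_ACCEPT)):
        print(name, "strict:", vlan_from_accept(blob),
              "rfc2868:", vlan_from_accept(blob, strict_untagged=False))
```

The tagged list is accepted under the RFC grouping rule and rejected under the strict rule with the same three messages the SG300 logged, which is why one RADIUS profile can work on Extreme or Brocade and fail on this switch: the fix is on the server side, sending the three attributes with tag 0 rather than a tunnel tag.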
Dynamic VLAN assignment and DHCP
Hello
I have just upgraded our WLC from 4.0 to 7.0 (via 4.2).
Before the upgrade we had our ACS returning a VLAN based on user group. This seemed to be working without an issue. Now that the WLC is on version 7 this is no longer working correctly. The ACS is returning a VLAN and passing the user but the client can not get an IP from the DHCP server configured.
Example configuration:
SSID-----VLAN
PN-CSC-----CSCVlan: Works
PN-Others------OthersVlan: Works
PN-Others-----CSCVlan: No DHCP
When users are being allocated to a VLAN that is different from the native one, DHCP fails; however, both WLANs are configured to point to the management interface so don't have any real connection to the VLAN other than by name.
Have there been any changes I haven't seen in the way the dynamic VLAN allocation works in version 7?
Yes, DHCP proxy could be the culprit here. In 4.0 it was only a CLI command to enable/disable the proxy feature. In 5.2, I think, and later it is in the GUI as well.
There is a defect filed against the behavior of the WLC DHCP function out there currently. If all of your DHCP is coming from external resources then you can disable proxy. If, however, you are using the WLC as DHCP server for guest access, then proxy must be enabled. If the latter is true, you should contact TAC, as there is an engineering special available that has the defect resolution.
Sorry I can't provide the defect ID, my CCO account is acting up.
Cheers,
Steve
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it. -
Dynamic VLAN/SSID assignment w/IPv6
I have followed the answer in this discussion which instructs on how to get Dynamic VLAN/SSID assignments using WLCs + MS IAS:
https://supportforums.cisco.com/thread/339396
This works great for IPv4. This does not appear to work for IPv6.
I have CT2504 WLCs running v7.0.116.0 and AP 3502s. I have a Windows 2003 IAS working for 802.1x authentication using PEAP and per-user/group dynamic VLAN/SSID assignments. Based on who you authenticate as, you are placed on the appropriate VLAN.
However, IPv6 does not function properly. I believe this is due to the nature that the WLC only bridges IPv6 from the Interface Group that the WLAN is assigned to and/or whatever Multicast VLAN you assign.
If I connect as a user assigned to the same matching VLAN as the WLAN Interface / Multicast VLAN, IPv6 works just fine. I do not even have to have the "Enable IPv6" box checked in the Advanced tab, nor does the "Multicast Vlan Feature" need to be enabled - IPv6 still works.
If I connect as a user that is assigned to a different VLAN than the WLAN Interface / Multicast VLAN, I see the IPv6 Router Advertisement from the WLAN Interface / Multicast VLAN, and not the VLAN that "Allow AAA Override" switched me to. Naturally, since I'm getting an IPv6 prefix for a different VLAN, when I try to route traffic through the IPv6 default gateway (which isn't on the VLAN I'm connected to), it doesn't work.
One work-around to have IPv6 support is to use distinct, non-dynamic per VLAN/SSID assignments. This is ugly and doesn't scale (16 max SSIDs).
Has anyone else experienced this and know of a solution?
For now I'll just have to set the WLAN Interface to a VLAN which does not have IPv6 enabled and my wireless users won't have IPv6 unless they VPN on top of Wifi. Rather disappointing.
This sounds a lot like another implication of IPv6 with "more than one VLAN on the same SSID".
see this thread:
https://supportforums.cisco.com/thread/2157621?tstart=60
not with dynamic vlan, but vlan select - which, on the L2/L3 on SSID-side is essentially the same.
as mentioned in the thread, 7.2 has a feature that "automatically sends the correct RA to the correct clients via L2 wireless unicast. By unicasting the RA, clients on the same WLAN, but a different VLAN, do not receive the incorrect RA."
lucky for you, 7.2 is available for the 2504 - with my WiSM1s I am out of luck :-(
so this feature *could* solve this problem, as the problem is that the wrong IPv6-RAs are broadcasted for the client (because the SSID is the same) -
Dynamic vlan assignment does not work
Hello,
I have been trying to configure dynamic vlan assignment for the employee wlan. Trying to put the employee on vlan 20
Here are the components used
WLC: 2100 Software version: 7.0.240.0
AP: 3502I IOS version: 12.4 Mini IOS version: 7.0
Radius server: tried multiple radius servers (rsa radius, free radius)
On the WLC:
1. Created an AAA server.
2. Along with management interface(vlan 10), configured dynamic interfaces (vlan 20, vlan 30)
3. AP manager interface is on vlan 40
4. Created WLAN assigned to management interface-- WPA2 (AES) , 802.1x
5. on AAA servers tab - checked authentication servers and assigned the AAA server. authentication priority order is set to only radius
Here, I have 2 options for radius overwrite.
one on the AAA servers tab
second on the Advanced tab
I have selected both. or one at a time
Ports between WLC and switch is a trunk
On the AP:
1. Local mode
2. Port between AP and switch switchport access - vlan 40
On radius server:
configured WLC's management interface as client
and assigned the following attributes
tunnel-type := vlan
tunnel-medium-type = ieee-802
tunnel-private-group-id = 20
When I try to authenticate with an iPhone it is successful. But it puts me on the same interface as the management interface (vlan10). When I do the packet capture I do see the access-accept but I don't see the attributes.
When I use a radius test utility against the radius server I do receive all the attributes.
I'm a newbie on this. Am I missing something here? Any help will be much appreciated.
Kindly check the following link for reference.
sample configuration link
http://www.cisco.com/c/en/us/td/docs/wireless/controller/5700/software/release/3se/security/configuration_guide/b_sec_3se_5700_cg/b_sec_1501_3850_cg_chapter_01110.html
http://www.cisco.com/c/en/us/td/docs/wireless/controller/7-0/configuration/guide/c70/c70intf.html
Trouble shooting link
http://www.cisco.com/c/en/us/support/docs/security/secure-access-control-system/113485-acs5x-tshoot.html -
Dynamic VLAN assignment with WLC and ACS for
Currently, using our autonomous APs and ACS, our users get separate VLANs per building based on their security level (students or staff). Basically, the student VLAN in one building is different from that of the student VLANs in other buildings on campus. Currently, we do this by filling the Tunnel-Private-Group-ID IETF RADIUS attribute with the VLAN name. This all works because each individual AP can map VLAN names to different VLANs like this:
dot11 vlan-name STUDENT vlan 2903
dot11 vlan-name FACSTAF vlan 2905
As we are working on our WiSM deployment, we see that the document below shows how to do the dynamic VLAN assignment on our WLAN controllers:
http://www.cisco.com/en/US/customer/products/sw/secursw/ps2086/products_configuration_example09186a00808c9bd1.shtml
However, we haven't figured out if it's possible to still provide our users with different VLANs for each building they're in.
With the instructions above, it looks like ACS uses a Cisco RADIUS Attribute to indicate the Air-Interface-Name, mapping an ACS/AD group to a single WLC interface which can only have one VLAN/subnet associated with it.
Does anybody know if what we're trying to accomplish is possible, or if we're really stuck with only one VLAN/subnet per mapped ACS group?
We only have the one WiSM for all of campus, so it's handling everything. The Cisco docs do indicate how to put different users in different Vlans, but we don't currently see a way to also put them in different subnets per building.
This being the case, any suggestions on how best to handle more than a Class C subnet's worth of users? Should we just subnet larger than Class C, or is there a more elegant way of handling this? -
WLC- dynamic Vlan assignment with Radius
Hello, we would like to use this feature in our company and because of that I am now testing it. But I found one problem.
I created one testing SSID and two Vlans on WLC. On ACS I use the IETF attributes (064,065,081) for my account and I am changing the Vlan ID (081) during testing.
It works with LEAP but when I use PEAP-GTC (which we use commonly in our company) the ip address is not assigned properly (ip which was assigned before remains).
Could you please help me?
There is a good document which explains how to configure Dynamic VLAN Assignment with RADIUS Server and Wireless LAN Controller. This will help you. You will find the document at http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml
-
Flexconnect dynamic VLAN assignment doubt
Hi, all,
I am trying to understand how FlexConnect with dynamic VLAN assignment works. We have the need to dynamically put people in different VLANs based on their AD groups (all employees use the same SSID). I can understand that in traditional CAPWAP mode, the AP just tunnels all traffic to the WLC; the WLC is the authenticator, it knows what the users' identities are and can encapsulate user traffic into different VLANs before sending the traffic to the switch it connects to. Here is the part I don't understand:
1) If APs are operating in FlexConnect mode (APs are trunking to switches), how does each AP know what VLAN tag to put a specific user's traffic on? The AP is not the authenticator; it knows nothing about the associated client's AD identity. How does the WLC convey the dynamic VLAN information to the APs?
2) I want to eliminate WLCs in remote offices by letting all remote office APs join the HQ WLC in FlexConnect mode. I can keep the same VLAN mapping scheme in the remote office switching environment; in some offices I want to do local authentication (Domain controller + Radius Server). It looks like I can specify a Radius server in the FlexConnect group; in this case will APs become the authenticator? Since Radius clients have to be explicitly configured on the NPS/Radius server side, does this mean I have to statically configure each AP's IP?
3) I have over a dozen APs in HQ which are operating at FlexConnect mode, but the SSID's "local central authentication" checkbox is not checked, if I want to have local authentication in remote office, seems that I have to turn on "local authentication" on this SSID, does that mean I have to add each and everyone of those HQ APs to Radius/NPS server client list?
Thanks,
Hi,
1) APs know about Vlans as we can define them inside the Flex connect groups. This is the same way we define flex connect ACLs which are pushed to the Flex APs and are returned by the Radius server later on.
2) If you are going for Central authentication + local switching, WLCs will always act as the central authenticator and would talk to the radius server. If you have some radius servers at the local site and you want to use them without going through the central authentication, you can do that using (local authentication + local switching). Yes, in this case the AP will be the authenticator and would be the AAA client to be added in the Radius server.
3) Yes, you are correct. If you want your AP to do authentication and talk to the local radius server at the site, it has to be added in the Radius server.
Regards
Dhiresh
**Please rate helpful posts**