Flexconnect AP - dynamic VLAN and local/central switched via radius possible?

Similar Messages

• FlexConnect local/central switched and Access-Accept Packets

  For our branch offices’s wireless access, we would like to use FlexConnect with one SSID and two distinct user profiles:
  •  Full network access, local switched.
  •  Limited network access, central switched:
  ◦       To isolate traffic from the branch’s LAN.
  ◦       To force traffic through a firewall at the central site.
  ▪       To ease access rules management.
  ◦       Internet access only by default.
  ▪       Internet access is located at the central site.
  ▪       We expect to manage some exceptions to the rule.
  We know that it’s not possible to switch from local to central switched using the same SSID with FlexConnect and AAA Override.
  However, we found an interesting bit in the documentation pages regarding RADIUS attributes:
  Authentication Attributes Honored in Access-Accept Packets (Airespace)
  VAP ID
  This attribute indicates the WLAN ID of the WLAN to which the client should belong. When the WLAN-ID attribute is present in the RADIUS Access Accept, the system applies the WLAN-ID (SSID) to the client station after it authenticates. [...]
  Source:
  http://www.cisco.com/c/en/us/td/docs/wireless/controller/7-6/configuration/guide/b_cg76/b_cg76_chapter_0101000.html#reference_327F94A40AAE46E48153B265E521DDCF
  We then made an assumption that the following was possible:
  •  Create a second SSID
  ◦       Broadcast not enabled
  ◦       Central Switched
  •  Users would authenticate using the first SSID
  •  In it’s access-accept packet, the RADIUS server would return an
  Airespace-WLAN-Id attribute with the value of the second SSID.
  •      The WLC would then assign the second SSID to the users so they’re central switched and forwarded through the firewall at the main site.
  So far, our tests showed no results.
  •  Is that solution achievable at all? It seemed so from the documentation, but we haven’t found any documented evidence that someone actually tried it.
  •  If not, what would you recommend?
  For RADIUS, we are using Microsoft 2012r2 NPS servers. Everything’s been working fine with them so far. We can do AAA vlan override for our main site and with FlexConnect also, without any problems. What’s not working is the local/central switched scenario we’re trying to pull off. The RADIUS server sends the Airespace-WLAN-Id attribute from what I see with Wireshark, but the WLC does not seem to react to it like I thought it would. I couldn’t find a debug command that would tell me what the WLC does with the attributes from the access-accept packet. Maybe the behaviour I’m experiencing is to be expected, that’s what I would like to know.
  Thank you very much,

  Your WLAN is defined with as centrally switched or locally switched, AAA override will not chage that value.  AAA attributes can change a users vlan, acl and QoS.  The other attributes are intended to use for rules... example:
  Is the user part of this AD group and is this user on WLAN ID=1.
  You will not be able to go from centrally switched to locally swithed and vice versa.  I don't know how you would be able to achieve what your trying to acomplish with one SSID to be honest.

• WLC, FlexConnect, ISE: Dynamic VLAN not working

  Hi,
  Not sure if this is a WLC or ISE problem, but since I am unsure of the WLC config I will try here first.
  Equipment:
  WiSM2 7.2.111.3
  ISE 1.1.1.268
  AP 3502 in FlexConnect
  What I want to achive:
  One SSID, multiple VLAN
  Devices gets profiled in ISE and based on type of device it gets asigned to a VLAN
  Problem:
  When the device connects the first time it ends up in native VLAN and not switched to the right VLAN, but when I reconnect then it is added to the right VLAN.
  WLC config (I know you like images so here you go ):
  I must be missing something but I can't figure out what. I will be attaching a debug aaa event enable for when the client connect the first time.
  In ISE I have an Authorization Profile that just say VLAN ID/Tag 158 (the VLAN that the device should go to) an it is added to the Authorization rule of the profiled device. CoA is set to Reauth.
  When the client connects I get three events in ISE:
  1.
  Authentication failed :
  22056 Subject not found in the applicable identity store(s)
  2. Authentication Success. With the results:
  UserName=00:18:DE:A2:BC:3A
  User-Name=00-18-DE-A2-BC-3A
  State=ReauthSession:c20e8b2f0000027e50ed27f8
  Class=CACS:c20e8b2f0000027e50ed27f8:ISE01/144259326/671335
  Termination-Action=RADIUS-Request
  Tunnel-Type=(tag=1) VLAN
  Tunnel-Medium-Type=(tag=1) 802
  Tunnel-Private-Group-ID=(tag=1) 158
  cisco-av-pair=profile-name=AX-Intel-Device
  3.
  Dynamic Authorization failed :
  11213 No response received from Network Access Device
  Has anyone got this to work? Do I need to add FlexConnect groups? If so then why?
  Regards,
  Philip

  I think you're hitting CSCua58554
  The bugtoolkit description is horrible....  From what I recall when I ran into it, I believe that Flex connect is having a problem with Mac filtering based AAA override on open wlans (and/or CWA based).  In general, AAA override works fine when it is from like an eap authentication.
  We had to use a 7.3 ES to resolve it.....
  Looks like it is implemented in 7.4 though.....     If you dont want to join the 7.4 bandwagon quite yet, you might could ask TAC for an ES of 7.3,  don't think they have a 7.2 build.

• Transparent Tunneling and Local Lan Access via VPN Client

  Remote users using Cisco VPN 4.2 connect successfully to a Cisco Pix 515 (ver. 6.3). The client is configured to allow Transparent Tunneling and Local Lan access, but once connected to the Pix, these two options are disabled. What configuration changes are required on the Pix to enable these options? Any assistance will be greatly appreciated.
  Mike Bowyer

  Hi Mike,
  "Transparent Tunneling" and "Local Lan Access" are two different things. "Transparent Tunneling" is dealing with establishing an IPSec Tunnel even if a NAT device is between your client and the VPN-Headend-Device. "Local LAN Access" is dealing with access to devices in the LAN your VPN-Client-Device is connected to.
  What do you mean exactly with "disabled once the connection is made" ?
  You can check the local LAN Access by having a look at the Route-Table of the VPN-Client:
  Right Click the yellow VPN-lock Icon in System-Tray while the VPN-Connection is active and select "Statistics ...". Have a look at the second register page "route details".
  Are any local LAN routes displayed when your are connected ?
  And - always remember two important restrictions the Online Help of the VPN-Client is mentioning:
  1: This feature works only on one NIC card, the same NIC card as the tunnel.
  2: While connected, you cannot print or browse the local LAN by name; when disconnected, you can print and browse by name.
  Carsten
  PS: Removing Split Tunnel won't enable local LAN access as all traffic would be sent into the IPSec tunnel.

• Radius assign dynamic Vlan and linksys switch

  Hi ,
  I ressently attented to deploid a Radius Authentification with a vlan assigment , i tought it was possible because my switch was 802.1x capable.
  After test , and double check of my configuration i've came to the conclusion that the SRW switch series aren't not influenced by 802.1x vlan options.
  I just wanted to have a feed-back about this ?
  And also , is there a other linksys switch that's capable of allowing vlan this way ?
  Thanks for your reply's 
  Message Edited by tin-tin on 03-26-2009 07:51 AM

  You should post which switch you have exactly. Firmwares within the SRW series varies a lot.
  As far as I know support for RADIUS asssigned VLANs is not compulsory in 802.1x.
  I can tell you that the SRW2008 does not support RADIUS assigned VLANs. So far I have never read of any Linksys switch supporting it but I cannot tell you from first hand experience except for the SRW2008.
  If I need RADIUS assigned VLANs I usually get a Cisco or other brand switch.

• AirPort Extreme 802.11n as a wireless router and local network switch?

  Good afternoon,
  I'm curious if its possible to have the APE in wireless network mode and connect systems via hard line as well?
  I have an AirPort Extreme 802.11n set to "Create a Wireless Network" mode that is attached directly to a cable modem for internet connectevity. My issue is that while all wireless devices (several iPods, two iPhones and three laptop computers) connect to the APE without issue (and have internet access), when I try to plug in a Windows 7 desktop computer via one of the ethernet jacks, Windows is unable to connect and shows the network as "unidentified," spitting back a private IP address as opposed to a local LAN (this behavior repeats for an Ubuntu Linux box as well).
  Not sure if the APE is misconfigured, this is a Windows 7 issue or if its improper use on my part (though this also precludes me from connecting a gigabit switch to the APE).
  Thank you,
  Nathan

  Properly configured, the AirPort should provide both wired and wireless network client with Internet access.
  At this point, I would recommend that you do the following as a minimum:
  Power-down the modem, AirPort base station, and computer(s).
  Power-up the modem; wait at least 10-15 minutes to allow it adequate time to initialize.
  Power-up the AirPort base station; wait at least 5-10 minutes. Note: The AirPort's status light may continue to flash amber after it has intialized. That is because, there may be some additional configuration items necessary, like setting up wireless security, before the overall setup is completed to get a green status.
  Power-up your computer(s).
  If the above steps do not solve the problem, start over with step 1 above, but then perform the next steps between steps 1 & 2. above.
  Disconnect the AirPort base station from the Internet broadband modem.
  While all of the devices are powered-down, perform a "factory default" reset on the base station. This will get it back to its "out-of-the-box" configuration and make setting it up much easier, especially if you use the "Assist me" process within the AirPort Utility. (ref: Resetting an AirPort Base Station or Time Capsule)
  After the base station resets, go ahead and power it back down.
  Reconnect the AirPort base station to the Internet broadband modem. For the Extreme and Time Capsule, be sure to connect the cable to the base station's WAN (circle-of-dots) port.
  Continue with step 2 in the first set of steps.
  In this basic configuration, the AirPort base station will broadcast an unsecured wireless network with a Network Name (SSID) of Apple Network NNNNNN. Network clients, connected to the base station either by wire or wireless, should now be able to access the Internet through the ISP's modem. Once Internet connectivity has been verified, you can use the AirPort Utility to configure the base station for wireless security and any other desired options. Please post back your results.

• Osmf:use both embedded cuepoints and dynamic quepoints and using seek fails,is it possible at all?

  I am tryin to use OSMF to play 4 videos that are divided into scenes using Navigation Cuepoints embedded into the f4v files using Media Encoder.
  I also have a dynamic list of ActionScript cuepoints that is added for subtitling  ( subtitles are done by another company and can't be embedded in the f4v because more subtitles may be added later).
  When I just play a f4v file from the beginning everything works, but when I use seek tot start a different! video on a scene (so start seeking as the video canSeek) the embedded cuepoints never trigger the onCuePoint event.
  The weird thing is that normally the embedded_cuepoints seem to be copied to the DYNAMIC_CUEPOINTS_NAMESPACE !  When trace numMarkers on timeLineData in EMBEDDED_CUEPOINTS_NAMESPACE it only returns cuepoints that have been reached! however numMarkers on timeLineData in DYNAMIC_CUEPOINTS_NAMESPACE  returns the correct number of cuepoints.... but not when I use player.seek then teh DYNAMIC_CUEPOINTS_NAMESPACE return NULL
  (this all happens even without adding teh actionscript cuepoints)
  Can anyone shed some light?
  Regards
  Patrick

  Hi Karan,
  No! You cannot have a Static prompt that is a filtering source for the subsequent dynamic prompts.
  Have a look at Patrick's workaround (and other workarounds) for filtering the prompts based on a Date Range here:
  Dynmaic Cascading Prompts - Populate parameter prompt with only values in date range
  -Abhilash

• Flexconnect dynamic VLAN assignment doubt

  Hi, all,
  I am trying to understand how FlexConnect with dynamic VLAN assignment works. We have the need to dynamically put people in different VLANs based on their AD groups (all employees use the same SSID), I can understand that in traditional CAPWAP mode, AP just tunnels all traffic to WLC, WLC is the authenticator and it knows  what users' identities are and can encapsulate user traffic to different VLANs before send the traffic to the switch it connects. Here is the part I don't understand:
  1) If APs are operating in Flexconnect mode (APs are trunking to switches), how does each AP know what VLAN tag to put a specific user traffic on? AP is not authenticator, it knows nothing about associated client's AD identify. How does WLC convey the dynamical VLAN information to APs?
  2) I want to eliminate WLCs in remote offices by letting all remote office APs join HQ WLC with FlexConnect mode, I can keep the same VLAN mapping scheme in remote office switching environment, in some offices I want to do local authentication (Domain controller + Radius Server), looks like I can specify Radius server in FlexConnect group, in this case will APs become authenticator? Since Radius clients have to be explicitly configured on NPS/Radius server side, does this means I have to statically configure each AP's IP?
  3) I have over a dozen APs in HQ which are operating at FlexConnect mode, but the SSID's "local central authentication" checkbox is not checked, if I want to have local authentication in remote office,  seems that I have to turn on "local authentication" on this SSID, does that mean I have to add each and everyone of those HQ APs to Radius/NPS server client list?
  Thanks,

  Hi ,
  1) Aps knows about Vlans as we can define them inside the Flex connect groups. This is the same way we define flex connect ACLs which are pushed to the Flex APs and are returned by the Radius server later on.
  2) If you are going for Central authentication + local switching ....WLCs will always act like central authenticator and would talk to the radius server. If you have some radius servers at the local site and you want them to use without going through the central authentication..you can do that using (local authentication + local switching). Yes, In this case AP will be authenticator and would be AAA client to be added in the Radius server.
  3)yes ,,you are correct. If you want that your AP should do authentication and talk to the local radius server at the site , it has to be added in the Radius server.
  Regards
  Dhiresh
  **Please rate helpful posts**

• Locally Switched / Centrally Switched on Flex Connect AP

  Hi All,
  Scenario (is this possible)
  I have HQ Site (Site A) -with the WLC
  I have a remote site (Site B) with one AP.
  Site A has Internet Breakout. Site B doesn't
  Is it possible with this one AP to have Multiple SSIDs, some of which are switched locally at the remote site and some which are switched centrally back at the HQ?
  E.G I want to have SSID for the data vlan at Site B. Any Laptop connecting to this is dropped onto the Data VLAN.
  I also want to have a GUEST SSID for Internet but have this traffic be tunneled back to HQ and use Internet Breakout there.
  Is this possible?
  Thanks

  On the advanced tab of the WLAN you can enable that SSID for FC Local Switching.  The AP then needs to be in Flexconnect mode.  You then go to the FC tab of the AP and define the local VLANs for the locally switched WLANs.  There will be 2 lists of SSIDs, locally switched and centrally switched.  Obviously you don't define VLANs for the centrally switched WLANs.
  Whatever you define on the AP will overwrite the interface on the WLC.
  AP Groups and FC Groups are not needed.

• Confused: Central Switching/Local Switching

  Was wondering if someone could explain local/central switching a little further, when it comes to HREAP/FlexConnect modes for CAPWAP AP's. 
  So in our environment, we're running 7.5.102.0 code on all of our WLC's.  We have a central WLC in two of our regions(US and Europe).  Each region provides internet services for the remote sites connected to it.  So a site in Chicago comes back to our central office over an MPLS for their internet services; just as a site in italy comes back to our central office in the UK for their internet service over MPLS.  These remote sites have AP's that are in FlexConnect mode back to the central WLC's. 
  My question......I understand that an AP in central switching mode tunnels the traffic back to the central controller, whereas local switching does not.  However, what does that mean?  If the WAN link goes down, how does local switching help?  The internet is still down, since that's how the internet is advertised back from the central location.  Does that just mean that local server can be accessed, over wireles, since we are in local switching mode?  Same question for authentciation;  Our AD servers are located at the central sites, with no AD servers at the remote sites.  In local authentication mode, how would an AP register a user, if the MPLS link is down?  Does it download some sort of cached directory for authentication? 
  Thanks for your help!

  Yes, in local switching mode, wireless client traffic locally switched at the branch (you have to defined their SVI on branch switch) and they can access any branch resources whiel WAN link is down. If internet servie is provided by your central office, then they won't get internet services while your WAN link is down.
  If you configured local authentication, yes WLC will pass credential (if WLC has user credential like WAP2-PSK or WEP) to AP where it can use for local authentication. If you are using dot1x with RADIUS & AD, then you should have redundancy  of these services in order to Branch AP to use these in a situation controller is unavailable.
  Following design guide should help you to understand this
  http://www.cisco.com/en/US/docs/solutions/Enterprise/Mobility/emob73dg/ch7_HREA.html#wp1103070
  Here is some of my notes related to different modes of operation of H-REAP/FlexConnect, that should help you as well
  http://mrncciew.com/2013/03/10/h-reap-modes-of-operation/
  HTH
  Rasika
  **** Pls rate all useful responses ****

• How can address book and local folders stored on JunoInternet program be imported into Thunderbird?

  Have been using Juno for email for years. Juno Internet program on my PC locally stores address book and saved emails in local folders. Want to switch to Thunderbird for emails. Can address book and local folders stored via Juno program be copied to Thunderbird? If so, how, plz.

  If you are installing TB on the same computer as the Juno mail, the installation / start-up process offers the choice to import from another mail program.

• Users VLAN and Management VLAN

  is it possible to separate two VLANs:
  one is running for the users VLAN connects to the clients
  one is for management purpose.
  Is there a sample code available for access points, bridges, and switches?
  I am really appreciated that

  Hi,
  You can configure VLANs on enterprise access points.
  What you need to do is configure the access point with its managment IP address, set this as the native vlan and then add the other VLAN or VLANs.
  Then on the switch that the access point is connected to you need to configure a trunk port and make sure that the native vlan is the same VLAN you set as native on the access point.
  As an example if the Access point has an IP address for managment vlan 20, we set this VLAN as native and then we add the other VLAN or VLANs, and on the switch you configure the port as a trunk port with the same native VLAN 20.
  Note, native vlan is the same as untagged vlan. When we confgure a trunk port this will tag all vlans except the native vlan or untagged vlan that needs to be the same between directly connected devices.

• Understanding Flexconnect - Local vs Central Switching, and WLC failover scenario ??

  Hello Experts
  We have one WLC 5508 in Building1, few 2700 Series AP in Building1, and one 1252AG in Building2. The LAN subnet is same for both Buildings connected via a dark fiber.
  My requirement is to have Central Switching in Building1 since WLC is located locally, and Local Switching in Building2 to avoid inter-building traffic, for both Buildings we already one VLAN/IP Subnet. (Both Buildings access resources from a central Datacenter which hosts all the servers.)
  Questions:
  1. Is the above scenario possible using single SSID ? My understanding is that one WLAN+SSID can't have both Local and Central switching enabled.
  2. In Flexconnect Central Switching mode, during WLC failure, does the switching change to Local switching automatically ?
  3. When I choose Local Switching for a specific WLAN, does it Locally switch always , or does it Locally switch only when WLC is down ?
  4. We want to use Microsoft PEAP using AD User Authentication. When Local Authentication is enabled on WLC, I understand that when WLC fails (and RADIUS Server is still reachable), can we still have the AP directly contact RADIUS server as a direct client and provide 802.1X Microsoft PEAP authentication. Guess this is Primary Backup Radius Server configuration. Is this understanding correct ?
  Thanks.

  Hi
  The LAN subnet is same for both Buildings connected via a dark fiber.
  If this is the case there is no need of FlexConnet, as you have enough bandwidth & same L2 extended in those two buildings. Typically FlexConnect is for branch deployment where WAN link bandwidth is a concern.
  Anyway if you want to do this & here is the answer for your specific queries.
  1. Is the above scenario possible using single SSID ? My understanding is that one WLAN+SSID can't have both Local and Central switching enabled.
  You can have both local switching & central switching available for a given SSID. Only FlexConnect mode AP will do Local switching & all Local mode AP will do central switching, though both using the same SSID.
  2. In Flexconnect Central Switching mode, during WLC failure, does the switching change to Local switching automatically ?
  No, if it is central switching SSID, when WLC is not available client won't able to join this SSID. It is not fall back to Local switching.
  3. When I choose Local Switching for a specific WLAN, does it Locally switch always , or does it Locally switch only when WLC is down ?
  This is applicable only to FlexConnect mode APs & it always do local switching if that configured. If WLC is not reachable AP will go on "standalone mode" & still do local switching.
  4. We want to use Microsoft PEAP using AD User Authentication. When Local Authentication is enabled on WLC, I understand that when WLC fails (and RADIUS Server is still reachable), can we still have the AP directly contact RADIUS server as a direct client and provide 802.1X Microsoft PEAP authentication. Guess this is Primary Backup Radius Server configuration. Is this understanding correct ?
  Yes, when this option configured & WLC is not reachable (but RADIUS is reachable) then AP will act as Authenticator & pass radius messages to Auth Server directly.
  This is a very good Ciscolive presentation you should see as it describe lots of these features & which WLC codes they introduced.
  BRKEWN-2016 - Architecting Network for Branch Offices with Cisco Unified Wireless
  HTH
  Rasika
  **** Pls rate all useful responses ****

• FlexConnect VLAN Central Switching and guest WEB Auth

  Hi,
  I have a senario where all my AP's are flexconnect AP's, that is because og WVoIP.
  In most loacation I have a local intenet connection for guests, and beacuse of that the Guest SSID is locally sitched.
  I have a few small locations that do not have a local subnet for guests and on those locations I would like to centrally switch the guest trafic.
  I was looking at FlexConnect VLAN Central Switching to solve my problem, but as far as I can see this only works with 802.1x SSID's and aaa override.
  Is there no way to do FlexConnect VLAN Central Switching on SSID's with WEB auth or PSK?
  Hope some one can answer me.
  Thanks
  Aksel

  So create a new WLAN, the WLAN profile will be different that the original guest WLAN and assign it a WLAN ID of 16 or higher. This new WLAN will have the same setting as the original guest SSID except that local switching is not enabled.
  You now need to create AP Groups so you can specify site with local guest vlan's will use the original SSID and the sites with no guest local clan will use the new SSID you created.
  Here is a doc regarding AP Groups
  http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008073c723.shtml
  Sent from Cisco Technical Support iPhone App

• FlexConnect, EAP-TLS and dynamic VLAN assignments

  I need to integrate Cisco ISE and WLC5508 with FlexConnect (local switching) using EAP-TLS security for wireless clients across multiple floors (dynamic VLAN assignments based on floor level). The AP model used is 3602.
  I have some questions:
  - What RADIUS Attribute can be used for dynamic VLAN assignments based on floor level? Is there an option where I can group all LWAPs in same floor for getting certain VLAN from ISE?
  - I intend to use WLC software version 7.2 since 7.3 is latest version. Has someone use WLC software version 7.3 without any major bugs/issues pertaining to FlexConnect and EAP-TLS?
  - I read some documents saying L3 roaminig is where the associated WLC has changed. However if user move to different subnet but still associated to the same WLC, would this be consider as L3 roaming too?
  Can someone assist to clear my confusion here? any reference url for layer 2 and layer 3 roaming details is appreciated. Thanks

  I'll give this a shot:)
  For radius vlan attributes, bothe ACS and ISE in the policies have the ability to just enter the vlan id in the profile. You can either do that or use the IETF attributes.
  The RADIUS attributes to configure for VLAN assignment are IETF RADIUS attributes 64, 65, and 81, which control VLAN assignment of users and groups. See RFC 2868 for more information.
  64 (Tunnel-Type) should be set to VLAN (Integer = 13)
  65 (Tunnel-Medium-Type) should be set to 802 (Integer = 6)
  81 (Tunnel-Private-Group-ID) should be set to the VLAN number. This can also be set to VLAN name if using a Cisco IOS device (excludes Aironet and Wireless Controllers however).
  You can find this by searching on Google.... A lot of examples out there
  v7.2 and v7.3 I have had no issues with, with any type of encryption used. With 7.0 and 7.2, I would use the latest due to the Windows 8 fix.
  Layer 3 roaming is what's going to happen if the AP's are in local mode. This means that the client will keep their IP address no matter what ap they are connected to and or WLC as long as the mobility group is the same. So a user who boots up in floor 1 will keep its IP address even if he or she roams to the 12th floor and as long as he or she didn't loose wireless connection.
  FlexConnect you can do that. The AP's are trunked and need to have the vlans. So what your trying to do will be disruptive to clients. When the roam to another floor ap that is FlexConnect locally switched, they will drop and have to re-associate in order to get a new IP address.
  Hope this helps.
  Sent from Cisco Technical Support iPhone App