ISE - WLC 7.2 VLAN assignment

Similar Messages

• Cisco av-pairs SSID vs Dynamic Vlan Assignment

  Hello,
  Once upon a time, there was a Cisco av-pairs attribute to allow a Wireless user to a given SSID through Radius servers.
  If I'm not wrong, this feature has not been supported anymore (for several years) on WLC.
  Dynamic vlan assignment is an alternative way to control user acces to a given vlan. It simplifies the architecture, because only one SSID is needed and the user traffic is then redirected to the right vlan. But... There is an important issue with it, since only one SSID (and BSSID) is used, broadcast packets from all vlans are transmitted to everybody. It is an issue when some services use broadcast to announce their features (IPv6 autoconf, Bonjour, and so on...).
  So the question is if a working alternative to SSID av-pairs exists.
  Thanks.     

  To be honest, I have never heard of this SSID av-pair ever working in wireless:)
  You would need at least two ssids and the radius server would need to ability to send a CoA to dissassociate the device so that the device would join the other SSID. The radius server would also have to push out the wireless profile to the client for the SSID they need to associate to. This can be done using Cisco ISE, but not Microsoft radius or even Cisco ACS.  
  You can still use aaa overuse to place devices on specific vlans and use the WLC to allow bonjour or  ACLs to filter what you don't want going out of the vlan.  WLC has bonjour capabilities and thus you can specify that on the interface and not on the WLAN.  If course their are limitations, but with newer requirements means that there is no one answer.  You might be able to meet certain requirements, but other you will have to sort of figure out.  
  -Scott

• ISE and WLC dynamic interface group assignment ?

  I have a somewhat large deployment coming up with several WLC dynamic interfaces assigned to an interface group, replicated across for multiple sites.  I understand that ISE can return the VLAN ID to the WLC to place the client in, but if I'm using interface groups, this seems to negate the usefulness of the interface group to load clients across multiple VLANs.  Not only that, but with the number of dynamic interfaces (VLAN ID's), multiplied by the number of sites, would seem to be overwhelming on the ISE side policy configuration.
  Is it possible for ISE to return an Interface name/group to the WLC instead of just a VLAN ID ?
  TIA

  I understand that WLC 7.2 code can now accept the interface group name as a AAA override, which is great, but it doesn't specify the AAA source (ISE vs. ACS).
  This is the example I'm questioning: (they use the VLAN ID only, instead of an interface name)
  http://www.cisco.com/en/US/products/ps10315/products_tech_note09186a0080bba10d.shtml#topic17
  Edit:
  Found the correct Attribute Under "Adv. Attribute Settings" in the Airspace Authorization Profiles (Airespace:Airespace-Interface-Name).

• WLC 5508: 802.1 AAA override; Authenication success no dynamic vlan assignment

  WLC 5508: software version 7.0.98.0
  Windows 7 Client
  Radius Server:  Fedora Core 13 / Freeradius with LDAP storage backend
  I have followed the guide at http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml with respective to building the LDAP and free radius server.  802.1x authorization and authenication correctly work.  The session keys are returned from the radius server and the wlc send the appropriate information for the client to generate the WEP key.
  However, the WLC does not override the VLAN assignment, even though I was to believe I set everything up correctly.  From the packet capture, you can see that verfication of client is authorized to use the WLAN returns the needed attributes:
  AVP: l=4  t=Tunnel-Private-Group-Id(81): 10
  AVP: l=6  t=Tunnel-Medium-Type(65): IEEE-802(6)
  AVP: l=6  t=Tunnel-Type(64): VLAN(13)
  I attached a packet capture and wlc config, any guidance toward the attributes that may be missing or not set correctly in the config would be most appreciated.

  Yes good catch, so I had one setting left off in freeradius that allowed the inner reply attributes back to the outer tunneled accept.  I wrote up a medium high level config for any future viewers of this thread:
  The following was tested and verified on a fedora 13 installation.   This is a minimal setup; not meant for a "live" network (security issues  with cleartext passwords, ldap not indexed properly for performance)
  Install Packages
  1.  Install needed packages.
  yum install openldap*
  yum install freeradius*
  2.  Set the services to automatically start of system startup
  chkconfig --level 2345 slapd on
  chkconfig --level 2345 radiusd on
  Configure and start LDAP
  1.  Copy the needed ladp schemas for radius.  Your path may vary a bit
  cp /usr/share/doc/freeradius*/examples/openldap.schema /etc/openldap/schema/radius.schema
  2.  Create a admin password for slapd.  Record this password for later use when configuring the slapd.conf file
  slappasswd
  3.  Add the ldap user and group; if it doesn't exisit.  Depending on the install rpm, it may have been created
  useradd ldap
  groupadd ldap
  4.  Create the directory and assign permissions for the database files
  mkdir /var/lib/ldap
  chmod 700 /var/lib/ldap
  chown ldap:ldap /var/lib/ldap
  5.  Edit the slapd.conf file.
  cd /etc/openldap
  vi slapd.conf
  # See slapd.conf(5) for details on configuration options.
  # This file should NOT be world readable.
  #Default needed schemas
  include        /etc/openldap/schema/corba.schema
  include        /etc/openldap/schema/core.schema
  include        /etc/openldap/schema/cosine.schema
  include        /etc/openldap/schema/duaconf.schema
  include        /etc/openldap/schema/dyngroup.schema
  include        /etc/openldap/schema/inetorgperson.schema
  include        /etc/openldap/schema/java.schema
  include        /etc/openldap/schema/misc.schema
  include        /etc/openldap/schema/nis.schema
  include        /etc/openldap/schema/openldap.schema
  include        /etc/openldap/schema/ppolicy.schema
  include        /etc/openldap/schema/collective.schema
  #Radius include
  include        /etc/openldap/schema/radius.schema
  #Samba include
  #include        /etc/openldap/schema/samba.schema
  # Allow LDAPv2 client connections.  This is NOT the default.
  allow bind_v2
  # Do not enable referrals until AFTER you have a working directory
  # service AND an understanding of referrals.
  #referral    ldap://root.openldap.org
  pidfile        /var/run/openldap/slapd.pid
  argsfile    /var/run/openldap/slapd.args
  # ldbm and/or bdb database definitions
  #Use the berkely database
  database    bdb
  #dn suffix, domain components read in order
  suffix        "dc=cisco,dc=com"
  checkpoint    1024 15
  #root container node defined
  rootdn        "cn=Manager,dc=cisco,dc=com"
  # Cleartext passwords, especially for the rootdn, should
  # be avoided.  See slappasswd(8) and slapd.conf(5) for details.
  # Use of strong authentication encouraged.
  # rootpw        secret
  rootpw      
  {SSHA}
  cVV/4zKquR4IraFEU7NTG/PIESw8l4JI  
  # The database directory MUST exist prior to running slapd AND
  # should only be accessible by the slapd and slap tools. (chown ldap:ldap)
  # Mode 700 recommended.
  directory    /var/lib/ldap
  # Indices to maintain for this database
  index objectClass                       eq,pres
  index uid,memberUid                     eq,pres,sub
  # enable monitoring
  database monitor
  # allow onlu rootdn to read the monitor
  access to *
           by dn.exact="cn=Manager,dc=cisco,dc=com" read
           by * none
  6.  Remove the slapd.d directory
  cd /etc/openldap
  rm -rf slapd.d
  7.  Hopefully if everything is correct, should be able to start up slapd with no problem
  service slapd start
  8.  Create the initial database in a text file called /tmp/initial.ldif
  dn: dc=cisco,dc=com
  objectClass: dcobject
  objectClass: organization
  o: cisco
  dc: cisco
  dn: ou=people,dc=cisco,dc=com
  objectClass: organizationalunit
  ou: people
  description: people
  dn: uid=jonatstr,ou=people,dc=cisco,dc=com
  objectClass: top
  objectClass: radiusprofile
  objectClass: inetOrgPerson
  cn: jonatstr
  sn: jonatstr
  uid: jonatstr
  description: user Jonathan Strickland
  radiusTunnelType: VLAN
  radiusTunnelMediumType: 802
  radiusTunnelPrivateGroupId: 10
  userPassword: ggsg
  9.  Add the file to the database
  ldapadd -h localhost -W -D "cn=Manager, dc=cisco,dc=com" -f /tmp/initial.ldif
  10.  Issue a basic query to the ldap db, makes sure that we can request and receive results back
  ldapsearch -h localhost -W -D cn=Manager,dc=cisco,dc=com -b dc=cisco,dc=com -s sub "objectClass=*"
  Configure and Start FreeRadius
  1. Configure ldap.attrmap, if needed.  This step is only needed if we  need to map and pass attributes back to the authenicator (dynamic vlan  assignments as an example).  Below is an example for dynamic vlan  addresses
  cd /etc/raddb
  vi ldap.attrmap
  For dynamic vlan assignments, verify the follow lines exist:
  replyItem    Tunnel-Type                                   radiusTunnelType
  replyItem    Tunnel-Medium-Type                   radiusTunnelMediumType
  replyItem    Tunnel-Private-Group-Id              radiusTunnelPrivateGroupId
  Since we are planning to use the userpassword, we will let the mschap  module perform the NT translations for us.  Add the follow line to  check ldap object for userpassword and store as Cleartext-Password:
  checkItem    Cleartext-Password    userPassword
  2.  Configure eap.conf.  The following sections attributes below  should be verified.  You may change other attributes as needed, they are  just not covered in this document.
  eap
  {      default_eap_type = peap      .....  }
  tls {
      #I will not go into details here as this is beyond scope of  setting up freeradisu.  The defaults will work, as freeradius comes with  generated self signed certificates.
  peap {
      default_eap_type = mschapv2
      #you will have to set this to allowed the inner tls tunnel  attributes into the final accept message
      use_tunneled_reply = yes
  3.  Change the authenication and authorization modules and order.
  cd /etc/raddb/sites-enabled
  vi default
  For the authorize section, uncomment the ldap module.
  For the authenicate section, uncomment the ldap module
  vi inner-tunnel
  Very importants, for the authorize section, ensure the ldap module is first, before mschap.  Thus authorize will look like:
  authorize
  {      ldap      mschap      ......  }
  4.  Configure ldap module
  cd /etc/raddb/modules
  ldap
  {        server=localhost       identify = "cn=Manager,dc=cisco,dc=com"        password=admin       basedn="dc=cisco,dc=com"       base_filter =  "(objectclass=radiusprofile)"       access_attr="uid"       ............   }
  5.  Start up radius in debug mode on another console
  radiusd -X
  6.  radtest localhost 12 testing123
  You should get a Access-Accept back
  7.  Now to perform an EAP-PEAP test.  This will require a wpa_supplicant test libarary called eapol_test
  First install openssl support libraries, required to compile
  yum install openssl*
  yum install gcc
  wget http://hostap.epitest.fi/releases/wpa_supplicant-0.6.10.tar.gz 
  tar xvf wpa_supplicant-0.6.10.tar.gz
  cd wpa_supplicant-0.6.10/wpa_supplicant
  vi defconfig
  Uncomment CONFIG_EAPOL_TEST = y and save/exit
  cp defconfig .config
  make eapol_test
  cp eapol_test /usr/local/bin
  chmod 755 /usr/local/bin/eapol_test
  8.  Create a test config file named eapol_test.conf.peap
  network=
  {   eap=PEAP  eapol_flags=0  key_mgmt=IEEE8021X  identity="jonatstr"   password="ggsg"  \#If you want to verify the Server certificate the  below would be needed   \#ca_cert="/root/ca.pem"  phase2="auth=MSCAHPV2"   }
  9.  Run the test
  eapol_test -c ~/eapol_test.conf.peap -a 127.0.0.1 -p 1812 -s testing123

• Dynamic VLAN assignment with WLC and ACS for

  Currently, using our autonomous APs and ACS, our users get separate VLANs per building based on their security level (students or staff). Basically, the student VLAN in one building is different from that of the student VLANs in other buildings on campus. Currently, we do this by filling the Tunnel-Private-Group-ID IETF RADIUS attribute with the VLAN name. This all works because each individual AP can map VLAN names to different VLANs like this:
  dot11 vlan-name STUDENT vlan 2903
  dot11 vlan-name FACSTAF vlan 2905
  As we are working on our WiSM deployment, we see that the document below shows how to do the dynamic VLAN assignment on our WLAN controllers:
  http://www.cisco.com/en/US/customer/products/sw/secursw/ps2086/products_configuration_example09186a00808c9bd1.shtml
  However, we haven't figured out if it's possible to still provide our users with different VLANs for each building they're in.
  With the instructions above, it looks like ACS uses a Cisco RADIUS Attribute to indicate the Air-Interface-Name, mapping an ACS/AD group to a single WLC interface which can only have one VLAN/subnet associated with it.
  Does anybody know if what we're trying to accomplish is possible, or if we're really stuck with only one VLAN/subnet per mapped ACS group?

  We only have the one WiSM for all of campus, so it's handling everything. This Cisco docs do indicate how to put differnet users in different Vlans, but we don't currently see a way to also put them in different subnets per building.
  This being the case, any suggestions on how best to handle more than a Class C subnet's worth of users? Should we just subnet larger than Class C, or is there a more elegant way of handling this?

• WLC- dynamic Vlan assignment with Radius

  Hello, we would like to use this feature in our company and because of that I am now testing it. But I found one problem.
  I created one testing SSID and two Vlans on WLC. On ACS I use an IETF atributes (064,065,081) for my account and I am changing Vlan ID (081) during testing.
  It works with LEAP but when I use PEAP-GTC (which we use commonly in our company) the ip address is not assigned properly (ip which was assigned before remains).
  Could you please help me?

  There is good document which explains how to configure Dynamic VLAN Assignment with RADIUS Server and Wireless LAN Controller. This will help you. You will find the document at http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml

• Mobility Anchor and AAA Overide VLAN Assignment

  Hello,
  I read some document 2 years ago that dynamic VLAN assignment was not possible with Anchored WLANs. Please I would like to know if this is now possible. The network setup would be as follows:
  1. Foreign and Anchor WLC (5508) with single SSID for both guest and internal users
  2. Cisco ISE 1.2 performing AAA override with VLAN tag based on AD group. Guest will go to VLAN for guest after web authentication.
  Please a speedy response would be helpful.

  Hi grabonlee,
  We have been running an anchor with VLAN override for out Guest services. Works well. VLAN needs to be defined on both the anchor and foreign. We are running 7.6.120 code.

• ISE, WLC Device Profiling

  Hi, I hope someone can provide some advice/assistance. I am currently trialling ISE 1.1.1 on VM with a Cisco 5500 WLC 7.2.110.0. I have configured this setup so clients authenticate to the WLC via 802.1x and use the ISE as a AAA Server. I have setup this configuration so VLAN ID's can be pushed to clients based on their login credentials(from AD), this all works fine. I'd like to take this on a step further and differentiate users and their devices based on their device type, iPhone, iPad etc. I have enabled DHCP profiling on the WLC. I only seem to be able to identify a device based on their DHCP hostname, should it contain iPhone etc, is there another way I can get more information from the clients or their initial 802.1x communication? I want to use 802.1x as given the nature of the users connecting the VLAN push based on credentials is key to my possible deployment.
  My second query is relating to VLAN pushing on a Flex Auth AP. I've got a remote site with some AP's, it is over a L3 connection. I have my WAP at this site registered to the WLC. Over my sites I have standard VLAN numbers and IP address ranges, site 1 is x.1.a.x, x.1.b.x etc, site 2 is x.2.a.x, x.2.b.x etc. What I would ideally like to do is push VLAN's to the Flex Auth WAP's so that users in site 2 get a site 2 IP address and can use local switching for printing and other local activities. Is this supported? I know it wasn't in H-REAP when I trialled ISE/WLC 4400 last year. I tried to configure this and it looks like users always get IP addresses from site 1.
  Thanks for any advice/assistance.
  Kenny.

  Kenny,
  For the first part of your question there is no more information you can get outside of the dhcp hostname (which will get you the info you are looking for) and the mac address (which only gets you to the Apple Device policy). If you do not want to perform any redirection, then your best bet is to use a span to span all the traffic over to the ISE node in order to span the http traffic in order to profile the devices using the http user agent string.
  As far as your 2nd question- the flex auth aps do not support COA and arent a "supported network access device" from Cisco's webpage.
  http://www.cisco.com/en/US/docs/security/ise/1.1.1/compatibility/ise_sdt.html#wp55038
  However the APs do support dynamic vlan assignment. So once an endpoint connects to these APs you can set them on the vlan once, however if you are performing posturing and need coa to place them in another rule once a decision has been made then this is where the deployment will break.
  http://www.cisco.com/en/US/products/ps11635/products_tech_note09186a0080b7f141.shtml
  thanks,
  Tarik Admani
  *Please rate helpful posts*

• Is dynamic VLAN assignment supported with web-authentication?

  The 7.6.130.0 WLC configuration guides says this:
  "Dynamic VLAN assignment is not supported for web authentication from a controller with Access Control Server (ACS)"
  How should we interpret this, exactly? Does this mean that dynamic VLAN assignment is supported with web authentication from a controller if some other RADIUS server is used (Eg: FreeRadius, ISE)?

  It is not supported with any kind of radius server. The radius attributes ACS uses for pushing those settings (64,65,81) are the same for every other radius implementation. Pushing a QoS profile does work.

• ISE WLC Integration issues

  We are in the process of integrating ISE into our WLC and are planning on implementing HReap (Flexconnect) local switching.  We have setup the ISE server as a Radius entry in the WLC and added WLC to ISE, same shared secret.  We have a test SSID configured on the WLC and it is using the entry to ISE for AAA.  We have used "none" for layer 2 security as well as WPA.......but we never see any activity on the ISE server.  Also from the WLC if we do a show radius auth stat there doesn't appear to be any traffic sent from the WLC to ISE.
  (Cisco Controller) >show radius auth sta
  Authentication Servers:
  <Output Ommited>
  Server Index..................................... 4
  Server Address................................... IP ADDRESS OF ISE
  Msg Round Trip Time.............................. 0 (msec)
  First Requests................................... 0
  Retry Requests................................... 0
  Accept Responses................................. 0
  Reject Responses................................. 0
  Challenge Responses.............................. 0
  Malformed Msgs................................... 0
  Bad Authenticator Msgs........................... 0
  Pending Requests................................. 0
  Timeout Requests................................. 0
  Unknowntype Msgs................................. 0
  Other Drops...................................... 0
  We have integrated ISE with swtich and ASA and have always been able to get some activity on the ISE authentication monitor.
  Thanks,
  Joe

  Wireless will not do dACLs with or without FlexConnect.  In centrally switched networks you can use Named ACLs which are differnt than dACLs.  
  But you are correct with FlexConnect (pre-7.5*) you can use FlexConnect ACLs tied to the VLAN.  Then you can use ISE to set the VLAN.
  *As of 7.5 version of code you can now user named ACLs on Locally Switched users, but it is still a named ACL and not a dACL.
  From the release notes
  In the earlier releases, you could have a per client access control list (ACL) in a centrally switched traffic. In this release, this feature has been enhanced to support ACL for local switching traffic with both central and local authentication. Client ACL is returned from AAA on successful client Layer 2 authentication as part of Airespace RADIUS attributes. As the Airespace RADIUS attribute is an ACL name, the ACL must be already present on the FlexConnect AP.
  In downstream traffic, VLAN ACL is applied first and then the client ACL is applied. In upstream traffic, the client ACL is applied first and then the VLAN ACL is applied.
  There are some other limitations when using FlexConnect that you should be aware about.
  This guide will show you how to use Centrally Authenticated with Locally Switched
  http://www.cisco.com/en/US/products/ps11640/products_configuration_example09186a0080c090eb.shtml
  This document will show you the feature matrix for ISE and FlexConnect
  http://www.cisco.com/en/US/products/ps10315/products_tech_note09186a0080b3690b.shtml
  If you are using Active Directory I would recommend against using LDAP because there are more features when using the native AD integration.  If you not using AD then the issue with the Secure LDAP is probably related to the CA certificate not being installed correctly. 

• ISE & WLC

  Quick question:
  If I deploy ISE+WLC and wlc is in HREAP / Flexconnect mode, the Access-Lists do not work, how am I supposed to posture clients at remote locations?
  [cuz I was gonna put an ACL to block everything but dns/etc untill they get pastured)
  Can I change VLAN as per user/device once they hit the AP? I am always talking about remote locations?

  Tarik,
  First thanks for your prompt reply, I haven't deployed it yet but here is what I my plans are:
  Software Version                 7.0.220.0, ISE 1.1.1, AP 3500, with local switching (it's called flexconnect now, HREAP legacy whatever)
  No DACL, Redirect ACLs defined in the controller and in ISE I plan to use AIRSPACE ACL attribute (I've labbed this - but not in flexconnect) ---> This is all for pasturing.
  If there is any other way of doing this (having clients denied any access and redirected to posture url) would be great.
  Here is a cisco HREAP/FlexConnect Limitation.
  Other H REAP Limitations
  If you have configured a locally switched WLAN, then Access Control  Lists (ACLs) do not work and are not supported. On a centrally switched  WLAN, ACLs are supported.
  Now, CoA is also a concern - if I have an AP<====TRUNK====>SWITCH----vlan/2/3/4, I want to be able to swap clients to different VLAN based on their user/device they are connecting, I am not sure if this will work on HREAP/Flexconnect mode and there is a slight change on the wording in the authorization policiy attribute in ISE 1.1.x, before it used to be just the vlan u want to set the clients to, now it has TAG ID which i am not sure what it is.
  Thanks for your help, I hope my question is clear.

• Dynamic VLAN Assignment + NPS

  Hello,
  I'm planning a deployment with the following:
  5508 WLC running 7.0.222.0
  NCS 1.0.2.29
  50+ 3502i AP's
  Windows 2008 R2 running NPS
  EAP-TLS for authentication
  The end goal is to have a single SSID and utilize NPS to dynamically assign VLAN's depending on role/group.
  I've read several documents that use ACS to complete the dynamic VLAN assignment (inclduing http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml), however in this case ACS is not available.
  My question basically is; do I need ACS to apply the VSA for Cisco Airespace, or can this be done solely with the following IETF attributes using Microsoft NPS and AAA override on the WLC?
  [64] Tunnel-Type
  [65] Tunnel-Medium-Type
  [81] Tunnel-Pvt-Group-ID
  Any advice would be greatly appreicated!
  Thanks

  Thanks Steve for your quick response.
  I did everything as per your recommendation and it still doesnt work.
  Do you mind providing me a remote assistance, do you have Skype?
  Or your prefer that I provide you a set of logs, tell me which one and I will do so.
  SSID:TT
  @IP WLC: 172.20.252.70
  NPS: 172.20.1.16
  config rule NPS: service-Type: NAS Prompt
                           Tunnel-Type: VLAN
                           Tunnel-pvt-group-ID:10
                           Tunnel-Meduim-Type:802
  log WLC:
  *radiusTransportThread: Sep 19 12:32:47.841: ****Enter processIncomingMessages: response code=2
  *radiusTransportThread: Sep 19 12:32:47.841: ****Enter processRadiusResponse: response code=2
  *radiusTransportThread: Sep 19 12:32:47.841: 8c:70:5a:1c:8e:20 Access-Accept received from RADIUS server 172.20.1.16 for mobile 8c:70:5a:1c:8e:20 receiveId = 4
  *Dot1x_NW_MsgTask_0: Sep 19 12:32:47.841: 8c:70:5a:1c:8e:20 Processing Access-Accept for mobile 8c:70:5a:1c:8e:20
  *Dot1x_NW_MsgTask_0: Sep 19 12:32:47.842: 8c:70:5a:1c:8e:20 Applying new AAA override for station 8c:70:5a:1c:8e:20
  *Dot1x_NW_MsgTask_0: Sep 19 12:32:47.842: 8c:70:5a:1c:8e:20 Override values for station 8c:70:5a:1c:8e:20
  source: 4, valid bits: 0x200
  qosLevel: -1, dscp: 0xffffffff, dot1pTag: 0xffffffff, sessionTimeout: -1
  *Dot1x_NW_MsgTask_0: Sep 19 12:32:47.842: 8c:70:5a:1c:8e:20 Override values (cont..) dataAvgC: -1, rTAvgC: -1, dataBurstC: -1, rTimeBurstC: -1
  vlanIfName: 'dy-data-ksb1', aclName: ''
  *Dot1x_NW_MsgTask_0: Sep 19 12:32:47.842: 8c:70:5a:1c:8e:20 Inserting new RADIUS override into chain for station 8c:70:5a:1c:8e:20
  *Dot1x_NW_MsgTask_0: Sep 19 12:32:47.843: 8c:70:5a:1c:8e:20 Override values for station 8c:70:5a:1c:8e:20
  source: 4, valid bits: 0x200
  qosLevel: -1, dscp: 0xffffffff, dot1pTag: 0xffffffff, sessionTimeout: -1
  *Dot1x_NW_MsgTask_0: Sep 19 12:32:47.843: 8c:70:5a:1c:8e:20 Override values (cont..) dataAvgC: -1, rTAvgC: -1, dataBurstC: -1, rTimeBurstC: -1
  vlanIfName: 'dy-data-ksb1', aclName: ''
  *Dot1x_NW_MsgTask_0: Sep 19 12:32:47.843: 8c:70:5a:1c:8e:20 Applying override policy from source Override Summation:
  *Dot1x_NW_MsgTask_0: Sep 19 12:32:47.843: 8c:70:5a:1c:8e:20 Override values for station 8c:70:5a:1c:8e:20
  source: 256, valid bits: 0x200
  qosLevel: -1, dscp: 0xffffffff, dot1pTag: 0xffffffff, sessionTimeout: -1
  *Dot1x_NW_MsgTask_0: Sep 19 12:32:47.843: 8c:70:5a:1c:8e:20 Override values (cont..) dataAvgC: -1, rTAvgC: -1, dataBurstC: -1, rTimeBurstC: -1
  vlanIfName: 'dy-data-ksb1', aclName: ''
  *Dot1x_NW_MsgTask_0: Sep 19 12:32:47.843: 8c:70:5a:1c:8e:20 Setting re-auth timeout to 1800 seconds, got from WLAN config.
  *Dot1x_NW_MsgTask_0: Sep 19 12:32:47.844: 8c:70:5a:1c:8e:20 Station 8c:70:5a:1c:8e:20 setting dot1x reauth timeout = 1800
  *Dot1x_NW_MsgTask_0: Sep 19 12:32:47.844: 8c:70:5a:1c:8e:20 Creating a PKC PMKID Cache entry for station 8c:70:5a:1c:8e:20 (RSN 2)
  *Dot1x_NW_MsgTask_0: Sep 19 12:32:47.844: 8c:70:5a:1c:8e:20 Adding BSSID 00:1e:be:a7:bf:b6 to PMKID cache for station 8c:70:5a:1c:8e:20
  *Dot1x_NW_MsgTask_0: Sep 19 12:32:47.844: New PMKID: (16)
  *Dot1x_NW_MsgTask_0: Sep 19 12:32:47.844:      [0000] 80 36

• Dynamic vlan assignment does not work

  Hello,
  I have been trying to configure dynamic vlan assignment for the employee wlan. Trying to put the employee on vlan 20
  Here are the components used
  WLC: 2100 Software version: 7.0.240.0
  AP: 3502I    IOS version: 12.4  Mini IOS version: 7.0
  Radius server: tried mutiple radius servers (rsa radius , free radius)
  On the WLC:
  1. Created a AAA server.
  2. Along with management interface(vlan 10), configured dynamic interfaces (vlan 20, vlan 30)
  3. AP manager interface is on vlan 40
  4. Created WLAN assigned to management interface-- WPA2 (AES) , 802.1x
  5. on AAA servers tab - checked authentication servers and assigned the AAA server. authentication priority order is set to only radius
  Here, I have 2 options for radius overwrite.
  one on the AAA servers tab
  second on the Advanced tab
  I have selected both. or one at a time
  Ports between WLC and switch is a trunk
  On the AP:
  1. Local mode
  2. Port between AP and switch switchport access  - vlan 40
  On radius server:
  configured WLC's management interface as client
  and assigned the following attributes
  tunnel-type := vlan
  tunnel-medium-type = ieee-802
  tunnel-private-group-id = 20
  When i try to authenticate with an iphone it is successful. But it puts me on the same interface as management interface (vlan10). When i do the packet capture i do see the access-accept but i dont see the attributes.
  when i use a radius test utility against the radius server I do receive all the attributes.
  Im a newbie on this. Iam i missing something here? any help will be much appreciated.

  Kindly check the following link for reference.
  sample configuration link
  http://www.cisco.com/c/en/us/td/docs/wireless/controller/5700/software/release/3se/security/configuration_guide/b_sec_3se_5700_cg/b_sec_1501_3850_cg_chapter_01110.html
  http://www.cisco.com/c/en/us/td/docs/wireless/controller/7-0/configuration/guide/c70/c70intf.html
  Trouble shooting link
  http://www.cisco.com/c/en/us/support/docs/security/secure-access-control-system/113485-acs5x-tshoot.html

• Flexconnect dynamic VLAN assignment doubt

  Hi, all,
  I am trying to understand how FlexConnect with dynamic VLAN assignment works. We have the need to dynamically put people in different VLANs based on their AD groups (all employees use the same SSID), I can understand that in traditional CAPWAP mode, AP just tunnels all traffic to WLC, WLC is the authenticator and it knows  what users' identities are and can encapsulate user traffic to different VLANs before send the traffic to the switch it connects. Here is the part I don't understand:
  1) If APs are operating in Flexconnect mode (APs are trunking to switches), how does each AP know what VLAN tag to put a specific user traffic on? AP is not authenticator, it knows nothing about associated client's AD identify. How does WLC convey the dynamical VLAN information to APs?
  2) I want to eliminate WLCs in remote offices by letting all remote office APs join HQ WLC with FlexConnect mode, I can keep the same VLAN mapping scheme in remote office switching environment, in some offices I want to do local authentication (Domain controller + Radius Server), looks like I can specify Radius server in FlexConnect group, in this case will APs become authenticator? Since Radius clients have to be explicitly configured on NPS/Radius server side, does this means I have to statically configure each AP's IP?
  3) I have over a dozen APs in HQ which are operating at FlexConnect mode, but the SSID's "local central authentication" checkbox is not checked, if I want to have local authentication in remote office,  seems that I have to turn on "local authentication" on this SSID, does that mean I have to add each and everyone of those HQ APs to Radius/NPS server client list?
  Thanks,

  Hi ,
  1) Aps knows about Vlans as we can define them inside the Flex connect groups. This is the same way we define flex connect ACLs which are pushed to the Flex APs and are returned by the Radius server later on.
  2) If you are going for Central authentication + local switching ....WLCs will always act like central authenticator and would talk to the radius server. If you have some radius servers at the local site and you want them to use without going through the central authentication..you can do that using (local authentication + local switching). Yes, In this case AP will be authenticator and would be AAA client to be added in the Radius server.
  3)yes ,,you are correct. If you want that your AP should do authentication and talk to the local radius server at the site , it has to be added in the Radius server.
  Regards
  Dhiresh
  **Please rate helpful posts**

• VLAN assignment from ACS not applied

  WLC 4402 5.2.157.0
  ACS Express 5.0.0.18
  We have an issue where the VLAN assigned on the ACS isn't applied on the 4402 WLC.
  We have 'Allow AAA Override' checked on the WLAN, the QoS is overridden to bronze properly, but the VLAN stays at 0 and the interface at management. The VLAN interface is configured on the WLC.
  On the ACS the following are configured for the RADIUS response:
  Radius-IETF Tunnel-Medium-Type 802
  Radius-IETF Tunnel-Type VLAN
  Radius-IETF Tunnel-Private-Group-ID 44
  Cisco Airespace Airespace-QoS-Level Bronze
  The accounting log shows:
  Wed, 04 Feb 2009 09:50:02
  User-Name = guest
  NAS-IP-Address = 10.30.1.2
  NAS-Port = 1
  Framed-IP-Address = 10.30.1.12
  Called-Station-Id = 10.30.1.2
  Calling-Station-Id = 10.30.1.12
  NAS-Identifier = Cisco4402WLC
  Acct-Status-Type = Start
  Acct-Session-Id = 4989b927/00:1a:73:ed:bf:ca/2
  Acct-Authentic = RADIUS
  Airespace-WLAN-Id = 2
  Thanks for any help or advice you can provide to troubleshoot this issue.
  -Brian

  From the Clients -> Details screen on the WLC...
  CLIENT PROPERTIES
  MAC Address 00:1a:73:ed:bf:ca
  IP Address 10.30.1.12
  Client Type Regular
  User Name guest
  Port Number 1
  Interface management
  VLAN ID 0
  CCX Version CCXv4
  E2E Version Not Supported
  Mobility Role Local
  Mobility Peer IP Address N/A
  Policy Manager State RUN
  Mirror Mode Disable
  Management Frame Protection No
  SECURITY INFORMATION
  Security Policy Completed Yes
  Policy Type N/A
  Encryption Cipher None
  EAP Type N/A
  NAC State Access
  QUALITY OF SERVICE PROPERTIES
  WMM State Enabled
  U-APSD Support Disabled
  QoS Level Bronze
  Diff Serv Code Point (DSCP) disabled
  802.1p Tag disabled
  Average Data Rate disabled
  Average Real-Time Rate disabled
  Burst Data Rate disabled
  Burst Real-Time Rate disabled