PPPoX Virtual-Template assignment via Radius Attribute

I'd like to optionally apply ACLs to PPP users (PPPoX).  I see two strategies: a) apply an ACL directly via radius attributes or b) define the ACL in the Virtual-Template on the BRAS and determine the Virtual-Template ID via radius attribute.  Has anyone done this?  If so, any suggestions on the best way to move forward?  I think I'd prefer option B as I could also use it to assign VRFs etc (one Virtual-Template per VRF).
TIA

The only way I could get this to work is to have the ACS server reference an ACL configured on the switch via name or number and send it in the filter-id attribute.  On the switch I configured the default setting for attribute 11 to apply inbound: "radius-server attribute 11 default direction in".  If you do a "sh authentication sessions interface gx/x" it'll show the filter-ID setting, but if you do a "show ip interface gx/x" it still shows the default-acl being applied.  It works, just a bit confusing because of that default-acl still showing up.  Anyone else experience the same?

Similar Messages

  • NAC 802.1x: VLAN assignment via RADIUS

    I'm deploying an 802.1x NAC solution. Users authenticate ok but the VLAN is not assigned to the port.
    The RADIUS server sends the attributes to the NAD (switch 3560). I see the following lines in the radius debug output:
    02:49:08: RADIUS: Received from id 1645/4 192.168.1.1:1645, Access-Accept, len 267
    02:49:08: RADIUS: authenticator AB 90 94 95 D0 86 04 E5 - D3 AC 43 21 C0 31 29 EB
    02:49:08: RADIUS: Session-Timeout [27] 6 3600
    02:49:08: RADIUS: Termination-Action [29] 6 1
    02:49:08: RADIUS: Tunnel-Type [64] 6 01:Unsupported [13]
    02:49:08: RADIUS: Tunnel-Medium-Type [65] 6 01:Unsupported [6]
    02:49:08: RADIUS: Tunnel-Private-Group[81] 10 01:"healthy"
    02:49:08: RADIUS: Vendor, Cisco [26] 29
    02:49:08: RADIUS: Cisco AVpair [1] 23 "posture-token=Healthy"
    I suppose that the error appears because the attributes 64 and 65 are "Unsupported". Is it right?
    In the RADIUS server I configured:
    attribute 64 = VLAN (13)
    attribute 65 = 802 (6)
    Below I attach switch configuration. The "healthy" vlan is configured in this one.
    Any help would be appreciated.
    Thanks and regards.
    Martín.

    I changed the IOS and all works fine. The IOS must have the feature "NAC - L2 IEEE 802.1x".
    Another user has the same problem; he posted the question with the following subject: "NAC L2 802.1x VLAN assignment". In that question the problem is better described.

  • Assign QoS Service Policy via RADIUS to Catalyst 45k/37k?

    hi,
    Is there a way to assign a QoS service policy via Radius to a Catalyst 4500/3750 switchport?
    In detail, we would like to assign this policy
        policy-map SET_EF
         class class-default
           set dscp ef
    to an interface. All traffic should be marked with a defined DSCP value.
    This works fine when doing it statically with
        interface FastEthernet2/1
             service-policy input SET_EF
    but we would need to assign such a policy via Radius during the 802.1x Authentication. Different users should get different policies. We use Cisco ACS 5.2 as Radius Server and there actually is a field for
    that in the Authorization Profile Common Tasks Configuration. In detail, this uses the cisco-av-pair "sub-policy-In=<policy name>" attribute to assign a service policy to a NAS.
    We also found two other attributes "sub-qos-policy-in" and "ip:sub-qos-polcy-in" for that. CCO says that "ip:sub-qos-polcy-in" works with Catalyst 65k (http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/qos.html#wp1926523)
    Unfortunately this seems to not work on Catalyst 45k and 37k.
    In the ACS Logs we can see that these attributes are attached to the Radius Reply, but unfortunately they are ignored by the switch.
    It is interesting that when entering "show aaa attributes" on the Catalyst 45k, these attributes are displayed - so to my understanding the switch should understand these attributes (?)
        4503-E#sh aaa attributes
        AAA ATTRIBUTE LIST:
            Type=1     Name=disc-cause-ext                 Format=Enum
            Type=2     Name=Acct-Status-Type               Format=Enum
        <snip>
            Type=345   Name=sub-policy-In                  Format=String
            Type=346   Name=sub-qos-policy-in              Format=String
            Type=347   Name=sub-policy-Out                 Format=String
            Type=348   Name=sub-qos-policy-out             Format=String
    Any input is welcome :-))
    best regards

    In addition to this discussion, I've just opened a service request with TAC.
    Unfortunately the engineer told me that as of now per-User QoS is definitely not supported on these two platforms, but it's listed on the roadmap and will possibly be available mid 2012......

  • IKEv2 AnyConnect and Pool allocation via RADIUS

    I have configured a CSR1000V (03.09.00a.S.153-2.S) for AnyConnect with IKEv2. I am storing the username and IKEv2 authorization policy on the RADIUS server. Clients are dropped into their own iVRFs through RADIUS attributes passed back to the NAS.
    e.g. in FreeRadius (2.1.12), the following is defined (home is the 'group') in username@group format.
    home                    Cleartext-Password := "cisco"
                                 Cisco-AVPair += "ip:interface-config=vrf forwarding CUST-A",
                                 Cisco-AVPair += "ip:interface-config=ip unnumbered loopback100",
                                  Framed-Pool = "CUST-A-POOL"
    matt@home               Cleartext-Password := "test123"
    Group and user authorization information is then merged and cloned onto the virtual template:
    crypto ikev2 name-mangler EXTRACT-GROUP
    eap suffix delimiter @
    crypto ikev2 profile FlexVPN-IKEv2-Profile-1
    match fvrf IPSEC-FVRF
    match identity remote key-id FlexAnyConnect
    identity local dn
    authentication remote eap query-identity
    authentication local rsa-sig
    pki trustpoint cacert.org
    dpd 60 2 on-demand
    aaa authentication eap FlexVPN-AuthC-List1
    aaa authorization group eap list FlexVPN-AuthZ-List-1 name-mangler EXTRACT-GROUP
    aaa authorization user eap cached
    virtual-template 1
    interface Virtual-Template1 type tunnel
    no ip address
    tunnel mode ipsec ipv4
    tunnel vrf IPSEC-FVRF
    tunnel protection ipsec profile FlexVPN-IPsec-Profile-1
    However, it appears that the RADIUS attribute specifying the pool is ignored; I can see the RADIUS attribute (IETF 88) passed back to the NAS in the RADIUS debugs:
    *Aug 16 21:36:39.384 BST: RADIUS:  Framed-IP-Pool      [88]  13  "CUST-A-POOL"
    However, the crypto debugs state that an IP address cannot be assigned:
    *Aug 16 21:36:39.435 BST: IKEv2:Failed to allocate IP addr
    <snip>
    Payload contents:
    AUTH NOTIFY(INTERNAL_ADDRESS_FAILURE)
    If the Framed-Pool is removed and a Framed-IP-Address defined instead for the user, then the address is assigned. The CUST-A-POOL is defined locally on the NAS. Is there anything I am missing? Can any more detailed debugs be generated?
    Cheers,
    Matt

    Marcin,
    Thank you for your response; sending "ipsec:addr-pool" does work. I did a bug scrape, but didn't find this (if I try to view it in the new Bug Tool, I get "Insufficient Permissions to View Bug"), but it was possible to paste the Bug ID into the old Bug Toolkit to get the detail.
    As an aside, I also found that "include-local-lan" doesn't appear to work with IKEv2 AnyConnect and isn't likely to be fixed; according to CSCud65859, the workaround is to use split-tunneling ("ipsec:route-set=prefix prefix/len").
    Cheers,
    Matt

  • Apply QoS profile using RADIUS attributes

    Hi all,
    Anyone delved into the use of RADIUS attributes to apply QoS values (DSCP/802.1p) to wireless users via a WLC?
    With the emergence of ISE and the concept of a shared SSID for several user types I may want to apply QoS profiles by user rather than SSID.
    Do you need to apply the maximum value to the SSID for the attribute-derived value to work?
    Can non-WMM client traffic be marked using this approach?
    Plenty to think about here...
    Any discussion welcome!
    Cheers
    Rob

    You can apply QoS RADIUS override.
    http://www.cisco.com/en/US/products/ps6307/products_tech_note09186a0080870334.shtml
    Yes, it would be best to apply the WLAN max QoS value to the level that you intend to use with the RADIUS override. For example, if you want to apply platinum QoS for voice clients on the SSID, I would map the WLAN to platinum QoS.
    I am not sure on the next question. I think you can assign a DSCP/802.1p to non-WMM clients, but I don't think the non-WMM clients will benefit from it, as they will not tag their traffic and hence the AP and subsequently the wired network will treat it as best effort (untagged).
    Thanks,

  • Cisco 1602i + Authenticating users via RADIUS?

    Hello,
    Our company recently purchased a Cisco 1602i standalone WAP to replace the WAP4410Ns that we were having issues with.  I am now attempting to configure the RADIUS authentication, as we have a User network and a Guest connection.  The Guest connection works fine, using WPA PSK.  However, I can't seem to get the RADIUS authentication to work.  Reading the documentation has got me a little confused, and I have tried turning on debugging (debug radius authentication, debug aaa) but those show nothing.  Also, in the RADIUS server itself (Windows 2008 R2 NPS), I see nothing in the logs when I try to connect using a device or the "test aaa" command.  Can someone guide me on what I'm doing wrong?  I followed someone's advice on another forum and removed "authentication network-eap" from the SSID (phoenix_2), and now when I attempt to connect with a device it just asks me for a password, it doesn't prompt for a username anymore.  I am very stumped.  Here's the relevant config:
    aaa new-model
    aaa group server radius rad_eap
    server 10.200.5.24
    aaa group server radius rad_mac
    aaa group server radius rad_acct
    aaa group server radius rad_admin
    aaa group server tacacs+ tac_admin
    aaa group server radius rad_pmip
    aaa group server radius dummy
    aaa authentication login eap_methods group rad_eap
    aaa authentication login mac_methods local
    aaa authorization exec default local
    aaa accounting network acct_methods start-stop group rad_acct
    aaa session-id common
    clock timezone EST -5 0
    ip cef
    ip domain name gst
    dot11 syslog
    dot11 vlan-name guest vlan 255
    dot11 vlan-name user vlan 140
    dot11 ssid phoenix_2
       vlan 140
       band-select
       authentication open eap eap_methods
       mbssid guest-mode
    dot11 ssid walker_2
       vlan 255
       band-select
       authentication open
       authentication key-management wpa version 2
       mbssid guest-mode
       wpa-psk ascii 7 0353035E535879191B
    interface BVI1
    ip address 10.200.5.70 255.255.255.0
    ip default-gateway 10.200.5.1
    ip forward-protocol nd
    no ip http server
    ip http secure-server
    ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
    ip route 0.0.0.0 0.0.0.0 10.200.140.1
    ip route 0.0.0.0 0.0.0.0 10.200.5.1
    ip radius source-interface BVI1
    access-list 111 permit tcp any any neq telnet
    snmp-server community G!0bal RO
    radius-server attribute 32 include-in-access-req format %h
    radius-server host 10.200.5.24 key 7 01445E510E1C07032A495C0D0B0C011718190D3E2E767863
    radius-server vsa send accounting
    The NPS worked just fine with the WAP4410Ns, not sure why we're having so much trouble with the 1602i. 

    Thanks Rasika, your link worked.  I had the authentication key before, but I removed it while I was trying different things.  My main issue was not applying the list name to the SSID; the documentation did not make it clear that when the radius server is specified using the "radius-server ...." command, the radius group refers to that command when you configure the group.  Once that clicked, it made sense that the method list name was specified by the radius group, and that the authentication methods then referred to the radius group.  It was a big question mark in my head how the radius server was applied to the SSID prior to reading your post.
    I haven't tried the "erase startup-config" command yet, I will try that next. 
    Quick question, why are both authentication open and authentication network-eap needed?  I would assume authentication network-eap would suffice, unless the authentication open command refers to the allowed devices and not just authentication via RADIUS?

  • ACS 4.2 Windows Radius Attributes for VPN-dial-in

    Hello,
    The situation:
    A remote user establishes a VPN connection (AnyConnect) to an ASA 8.4; the ASA forwards authentication to ACS 4.2, and ACS should assign an IP address from an address pool dependent on group membership (LDAP).
    The problem:
    The user gets an IP config with a default gateway which is always the 3rd address of the IP pool (IP pools are /28 ranges); the mask is ok (/32).
    On the ASA log I can see a message:
    %ASA-6-110002: Failed to locate egress interface for protocol from src interface:src IP/src port to dest IP/dest port
    I've assigned the following attributes:
    IP Assignment: Assigned from AAA server pool (the accordant pool is selected)
    IETF Radius Attributes:
    006 Service Type: Framed
    007 Framed Protocol: ppp
    009 Framed-IP-Netmask: 255.255.255.255
    (not sure about) 022 Framed-Route: 0.0.0.0
    025 Class: <Group-Policy of ASA>
    Does anyone of you know what I'm doing wrong?
    On the ASA I can't find any settings.
    Thanks for any advice

    O'Brien Simon
    Did you manage to get a reply to your question about the timeout period for dynamic users in ACS 4.2 ?  As this is what I was about to ask but noticed your post.
    Many thanks
    florrieford

  • Send vlan via Radius with 802.1x Authentication

    Hi all.
    I am trying to set up 802.1x authentication using Windows XP Supplicant, Catalyst 2950 and FreeRadius as radius server.
    I can login correctly so I have the port in Authorized mode, but I can't download the vlan id through the radius server.
    Reading docs, I have found these attributes:
    cisco-avpair="tunnel-type(#64)=VLAN(13)"
    cisco-avpair="tunnel-medium-type(#65)=802 media(6)"
    cisco-avpair="tunnel-private-group-ID(#81)=2" (2 is my vlan id)
    but when I insert these into the radius DB (I have also tried with the text file config...) I can see from the Radius debugs that only the first one (cisco-avpair="tunnel-type(#64)=VLAN(13)") is passed in the access-accept packet.
    Here are some outputs:
    Sending Access-Challenge of id 80 to 128.0.0.21:1812
    Cisco-AVPair = "tunnel-type=VLAN"
    EAP-Message = 0x0101001604103ee52f729eb199689ef4fc77a18a6a08
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0xf88b9673c199cb13def96563250cf8a7
    I issued a "debug radius" on the switch Catalyst 2950 also, and the output is:
    02:49:39: RADIUS: Received from id 73 128.0.0.243:1812, Access-Accept, len 129
    02:49:39: Attribute 26 75 0000000901457475
    02:49:39: Attribute 79 6 03010004
    02:49:39: Attribute 80 18 1ABB3507
    02:49:39: Attribute 1 10 74657374
    02:49:39: RADIUS: EAP-login: length of eap packet = 4
    02:49:39: RADIUS: EAP-login: radius didn't send any vlan
    so I can see that radius is not sending anything about vlan...
    Has anyone already tried this set up?
    Thank you in advance.
    Massimo Magnani.

    OK, so I may have glossed over that before. From your debug post, you had:
    Cisco-AVPair = "tunnel-type=VLAN"
    Unless I'm missing something, that looks like a VSA (or RADIUS Attribute [26\9\1]).
    You don't need VSAs for VLAN Assignment. You can do this with three standard RADIUS Attributes. Here they are (and an example of what they should look like):
    [64] Tunnel-Type – “VLAN” (13)
    [65] Tunnel-Medium-Type – “802” (6)
    [81] Tunnel-Private-Group-ID - "" OR ""
    They are defined in RFC 2868.
    Hope this helps,

  • 802.1x dynamic VLAN assignment with Radius NPS Server

    I can NOT get the NPS and Cisco 3550 switch to drop the authenticated user in a VLAN.
    I have followed this documentation,
    http://msdn.microsoft.com/en-us/library/dd314181(v=ws.10).aspx
    that basically says to use these Radius attributes,
    Tunnel-Medium-Type : 802
    Tunnel-Pvt-Group-ID  :  My_VLAN_Number  (also tried VLAN name)
    Tunnel-Type  : VLAN
    There is some Cisco documentation that says to use Vendor Specific attributes Cisco-AV-Pair,
    http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2950/software/release/12-1_19_ea1/configuration/guide/2950scg/swauthen.html#wpxref83693
    and I have also tried that,
    cisco-avpair= "tunnel-type(#64)=VLAN(13)"
    cisco-avpair= "tunnel-medium-type(#65)=802 media(6)"
    cisco-avpair= "tunnel-private-group-ID(#81)=vlanid"
    My user authenticates on the port fine, but doesn't get put into a VLAN.  If I add "sw acc vlan 110"  then the user authenticates and then does get an IP address in that VLAN and all is well.
    Anybody know how to get dynamic VLAN assignment working with NPS?
    NPS on Win 2012 R2
    Domain controller separate Win 2012 R2 server
    Cisco 3550 switch
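The VLAN threads above (NAC 802.1x, FreeRADIUS with the 2950, NPS with the 3550) all turn on the three RFC 2868 tunnel attributes, and the first thread on Filter-Id [11]. The following is an added example, not code from the posts or from Cisco, FreeRADIUS or NPS: it encodes and decodes those attributes in their on-the-wire form, reproducing the lengths the debugs show ("[64] 6", "[81] 10"), and reports whether an Access-Accept carries a VLAN trio a switch would honour. The ACL name, the sample payloads and the tag value 1 are constructed.

```python
"""Constructed example: RADIUS Access-Accept attributes for VLAN assignment (RFC 2868
tunnel attributes) and ACL assignment (Filter-Id) in on-the-wire form. Sample values made up."""
import struct

FILTER_ID = 11                # RFC 2865 string: ACL name or number (first thread)
VENDOR_SPECIFIC = 26          # RFC 2865: wraps Cisco-AVPair (vendor 9, vendor type 1)
TUNNEL_TYPE = 64              # RFC 2868 tagged integer
TUNNEL_MEDIUM_TYPE = 65       # RFC 2868 tagged integer
TUNNEL_PRIVATE_GROUP_ID = 81  # RFC 2868 tagged string
CISCO_VENDOR_ID = 9
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_802 = 6


def encode_tagged_int(attr_type, tag, value):
    """Type, Length, Tag, 3-byte integer: always 6 bytes, the '[64] 6' of the debugs."""
    return struct.pack("!BBB", attr_type, 6, tag) + value.to_bytes(3, "big")


def encode_tagged_string(attr_type, tag, text):
    """Type, Length, Tag, string: tag 1 + 'healthy' is 10 bytes, the '[81] 10'."""
    data = text.encode()
    return struct.pack("!BBB", attr_type, 3 + len(data), tag) + data


def encode_string(attr_type, text):
    data = text.encode()
    return struct.pack("!BB", attr_type, 2 + len(data)) + data


def encode_cisco_avpair(text):
    """Vendor-Specific [26]: vendor id 9, vendor type 1, vendor length, string."""
    data = text.encode()
    return struct.pack("!BBIBB", VENDOR_SPECIFIC, 8 + len(data),
                       CISCO_VENDOR_ID, 1, 2 + len(data)) + data


def decode_attributes(blob):
    """Walk a run of AVPs and return (type, length, tag, value) tuples."""
    out, i = [], 0
    while i < len(blob):
        length = blob[i + 1] if i + 1 < len(blob) else 0
        if length < 2 or i + length > len(blob):
            raise ValueError("malformed attribute at offset %d" % i)
        attr_type = blob[i]
        raw = blob[i + 2:i + length]
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            tag, value = raw[0], int.from_bytes(raw[1:], "big")
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
            # RFC 2868: a leading byte above 0x1F is string data, not a tag
            if raw[0] <= 0x1F:
                tag, value = raw[0], raw[1:].decode()
            else:
                tag, value = 0, raw.decode()
        elif attr_type == VENDOR_SPECIFIC:
            vendor, vtype, vlen = struct.unpack("!IBB", raw[:6])
            tag, value = None, (vendor, vtype, raw[6:4 + vlen].decode(errors="replace"))
        else:
            tag, value = None, raw.decode(errors="replace")
        out.append((attr_type, length, tag, value))
        i += length
    return out


def vlan_assignment(attrs):
    """(vlan, None) when the IETF trio a switch honours is complete and consistent,
    otherwise (None, reason). A Cisco-AVPair copy of the same values does not count."""
    by_type = {}
    for attr_type, _, tag, value in attrs:
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID):
            by_type.setdefault(attr_type, {})[tag] = value
    if TUNNEL_TYPE not in by_type:
        return None, "Tunnel-Type [64] missing"
    tag, tunnel_type = next(iter(by_type[TUNNEL_TYPE].items()))
    if tunnel_type != TUNNEL_TYPE_VLAN:
        return None, "Tunnel-Type is %d, not VLAN (13)" % tunnel_type
    media = by_type.get(TUNNEL_MEDIUM_TYPE, {})
    if media.get(tag, media.get(0)) != TUNNEL_MEDIUM_802:
        return None, "Tunnel-Medium-Type [65] missing or not 802 (6)"
    groups = by_type.get(TUNNEL_PRIVATE_GROUP_ID, {})
    vlan = groups.get(tag, groups.get(0))
    if vlan is None:
        return None, "Tunnel-Private-Group-ID [81] missing for tag %d" % tag
    return vlan, None


def filter_id(attrs):
    """ACL name or number carried in Filter-Id [11], or None."""
    return next((v for t, _, _, v in attrs if t == FILTER_ID), None)


# Constructed Access-Accept bodies: the NAC thread's healthy-VLAN reply, the FreeRADIUS
# reply that only carried a Cisco-AVPair, and a Filter-Id reply naming a made-up ACL.
GOOD_REPLY = (encode_tagged_int(TUNNEL_TYPE, 1, TUNNEL_TYPE_VLAN)
              + encode_tagged_int(TUNNEL_MEDIUM_TYPE, 1, TUNNEL_MEDIUM_802)
              + encode_tagged_string(TUNNEL_PRIVATE_GROUP_ID, 1, "healthy"))
VSA_ONLY_REPLY = encode_cisco_avpair("tunnel-type=VLAN")
ACL_REPLY = encode_string(FILTER_ID, "PPP-USERS-IN")
```

Decoding VSA_ONLY_REPLY gives the same verdict the 2950 printed ("radius didn't send any vlan"): the VLAN lives inside attribute 26, not in the IETF attributes the switch reads.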

    Hi All, can anyone guide me to configure 802.1x with ACS 5.0? It's a totally new look and I'm not able to find a document related to 802.1x. Thanks
    Hi,
    Check out the link below on how to configure 802.1x and ACS administration; hope it helps!!
    http://www.cisco.com/en/US/tech/tk389/tk814/technologies_configuration_example09186a00808abf2d.shtml#MDA
    Ganesh.H

  • Radius Attributes Supported by WLC? Guest bandwidth limiting

    Hello all..
    I've seen several mentions of limited guest user traffic usage by QoS settings and policy maps.. But my issue with this is, it's a global setting for that SSID. In my case, I have a 'Submit' button our Guest Internet page that does a hidden login of the user Guest. In the past, I would apply a sesion time out of 3hours and limit the bandwidth by quite a bit. However, for vendors and visitors that come in, there was a login section that they could input their uesr/pass given to them by the helpdesk and with radius attributes have an extended time out with greater bandwidth. However, I haven't been able to get this to work on the Controller based service, other then the time-out attribute. Is anyone doing it this way? What attributes does the WLC support?

    Have you looked at the v4.2 code? You can create different QoS Roles, and then assign different people to different roles.
    I've never tried this through RADIUS though.
    Regards,
    Richard

  • WLC Management Admin via RADIUS

    I am trying to have a management user authenticate via radius and have full admin privileges.
    For a WCS I can simply set the radius attribute of "Cisco-AVPair.attr|Wireless-WCS:role0=Admin" and that user will get full admin rights. I found this doc to grant a user lobby admin:
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a0080871921.shtml
    but, it is specific to the using the Cisco ACS as a radius server. What attributes do I need to set for a user to get full admin rights to a WLC when authenticating via radius?  Thanks.

    My problem: I have a local management user profile defined on my WLC and it works fine when the Priority Order is set to LOCAL.  When I change the Priority Order to make RADIUS first and LOCAL second, I can't get logged into the WLC using CLI, GUI, or the console.  The last time this happened I had to reset the WLC and start over.  I don't want to do that again, so I need some way to get into the WLC.
    Once I can get back into the WLC I would prefer using Active Directory to authenticate the management user, but that doesn't seem to work.  My RADIUS acts as a front end for the Active Directory database and works well for many of our Cisco LAN switches and routers. Now I'm trying to set up the WLC to authenticate the management user with RADIUS.  I have set the RADIUS (MS IAS) to return two attributes;
    1. Vendor-Specific -Vendor Code 14179, Value=management
    2. Service-Type - Value=Login
    When I try to login using my AD account, the RADIUS server log shows an Access Request record, then an Access-Accept record that makes it appear RADIUS has successfully authenticated the user.  But the login prompt for the GUI comes back as if it has failed.  Same with the CLI login.  Now I can't get logged into the WLC.  How can I get into the box to manage it again?
    Thanks

  • Cisco 2800 - Multiple VPNs Using Virtual-Template

    Hello List,
    I have a question related to the way of setting up multiple VPNs using virtual-template configuration (Cisco calls this Dynamic VPN): how can I make my configuration be a "spoke" type VPN rather than "hub" type without using "crypto map" on the physical interface?
    Here is how it works now (the VPN hub config):
    !!! the VPN hub config
    crypto keyring PSKs
    pre-shared-key address <peer_ip> key 6 ************
    crypto isakmp profile ISAKMP_Profile
    keyring PSKs
    self-identity address
    match identity address <peer_ip> 255.255.255.255
    virtual-template 1
    crypto ipsec transform-set Transform_Set esp-3des esp-md5-hmac
    crypto ipsec profile IPSEC_Profile
    set transform-set Transform_Set
    set isakmp-profile ISAKMP_Profile
    interface Loopback1007
    description This is a public IP address from a range routed via my gateway IP address (see below)
    ip address <my_VPN-hub_ip> 255.255.255.255
    no ip redirects
    interface Multilink1
    description This is my gateway IP address facing the ISP
    ip address <my_public_IP> 255.255.255.252
    no ip redirects
    no ip unreachables
    ip nbar protocol-discovery
    ip nat outside
    ip virtual-reassembly
    rate-limit input access-group 102 8000 1500 2000 conform-action transmit exceed-action drop
    ip route-cache flow
    no cdp enable
    ppp multilink
    ppp multilink fragment delay 20
    ppp multilink interleave
    ppp multilink group 1
    ppp multilink multiclass
    service-policy output qos_pm-outbound
    interface Serial0/0/0
    description 1st Serial Interface to ISP
    bandwidth 2048
    no ip address
    encapsulation ppp
    ip route-cache flow
    no fair-queue
    ppp multilink
    ppp multilink group 1
    interface Serial0/0/1
    description 2nd Serial Interface to ISP
    bandwidth 2048
    no ip address
    encapsulation ppp
    ip route-cache flow
    no fair-queue
    ppp multilink
    ppp multilink group 1
    interface Virtual-Template1 type tunnel
    ip unnumbered Loopback1007
    ip access-group vpn_acl-tunnel-encr-in in
    ip access-group vpn_acl-tunnel-encr-out out
    ip mtu 1400
    ip route-cache flow
    tunnel source Loopback1007
    tunnel mode ipsec ipv4
    tunnel sequence-datagrams
    tunnel checksum
    tunnel path-mtu-discovery
    tunnel protection ipsec profile IPSEC_Profile
    service-policy output qos_pm-VPN
    ip access-list extended vpn_acl-tunnel-encr-in
    permit ip 172.20.40.0 0.0.0.255 192.168.2.0 0.0.0.255
    ip access-list extended vpn_acl-tunnel-encr-out
    permit ip 192.168.2.0 0.0.0.255 172.20.40.0 0.0.0.255
    !!! the Spoke VPN is configured by my peers (Cisco routers, PIXes, Cisco VPN concentrators)
    !!! all follow the standard crypto map config on the physical interface.
    !!! i.e. http://www.vpnc.org/InteropProfiles/cisco-ios.txt
    It is obvious that with my router configured as a VPN hub, if the tunnel dies, I need to wait for the peer to reset the tunnel; all this time my clients in my network are not able to access the remote sites.
    The reason to use the virtual-template interfaces as opposed to the traditional "crypto map" way is that my peers do not want to share the same VPN end-point between themselves (different companies altogether) and they are very strict in regards to ACLs. As I don't have a VPN device for each one of them and their number increases (I have 5 separate tunnels right now with potential growth to 15 in the next 3 months), I need to find a way to get rid of the hub config on my end (I did not have much choice there when I migrated to this platform from a linux box).
    Pros for the Virtual-Template:
    - separate QoS for each tunnel
    - ACLs configured directly on the tunnel interface (greater flexibility)
    - tunnel end-point IP address can be part of a range BGP advertised via multiple ISP links
    Cons:
    - hub config, the tunnel needs to be reset by the peer
    Any help is very much appreciated. Thank you,
    Adrian

    Hope the following link will help you
    http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008019d6f7.shtml

  • Dynamic VLAN Assignment with RADIUS Server and Aironet Access Points

    Hi Guys,
    I would like to go for "Dynamic VLAN Assignment with RADIUS Server and Aironet Access Points 1300". I want the AP to broadcast only 1 SSID. The client finds the SSID -> puts in his user credentials -> RADIUS authentication -> assign him to a specific VLAN based on his group membership.
    The problem here is that I don't have an AP controller but only configurable Aironet Access Points 1300. I can connect to the radius server, but I am not sure how to configure the AP's port, radio port, VLAN and SSID.
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml#switch
    I go through some references:
    3.5  RADIUS-Based VLAN Access Control
    As discussed earlier, each SSID is mapped to a default VLAN-ID on the wired side. The IT administrator may wish to impose back end (such as RADIUS)-based VLAN access control using 802.1X or MAC address authentication mechanisms. For example, if the WLAN is set up such that all VLANs use 802.1X and similar encryption mechanisms for WLAN user access, then a user can "hop" from one VLAN to another by simply changing the SSID and successfully authenticating to the access point (using 802.1X). This may not be preferred if the WLAN user is confined to a particular VLAN.
    There are two different ways to implement RADIUS-based VLAN access control features:
    1. RADIUS-based SSID access control: Upon successful 802.1X or MAC address authentication, the RADIUS server passes back the allowed SSID list for the WLAN user to the access point or bridge. If the user used an SSID on the allowed SSID list, then the user is allowed to associate to the WLAN. Otherwise, the user is disassociated from the access point or bridge.
    2. RADIUS-based VLAN assignment: Upon successful 802.1X or MAC address authentication, the RADIUS server assigns the user to a predetermined VLAN-ID on the wired side. The SSID used for WLAN access doesn't matter because the user is always assigned to this predetermined VLAN-ID.
    extract from: Wireless Virtual LAN Deployment Guide
    http://www.cisco.com/en/US/products/hw/wireless/ps430/prod_technical_reference09186a00801444a1.html
    ==============================================================
    Dynamic VLAN Assignment with RADIUS Server and Wireless LAN Controller Configuration Example
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml#switch
    ==============================================================
    Controller: Wireless Domain Services Configuration
    http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_example09186a00801c951f.shtml
    Any help on this issue is appreciated.
    Thanks.

    I'm not sure if the Autonomous APs have the option for AAA Override.  On the WLC, I can go into the BSSID, Security, Advanced, and there's a checkbox that I would check to allow a Radius server to send back the VLAN.
    I did a little research and it looks like the 1300 may give this option but instead is defined as "VLAN Override".  I've found the release notes for 12.3(7)JA5 (not sure what version you're running) that give mention and a link to configuring EAP on page 4: http://www.ciscosystems.ch/en/US/docs/wireless/access_point/1300/release/notes/o37ja5rn.pdf
    Hope this helps

  • Flexconnect AP - dynamic VLAN and local/central switched via radius possible?

    Hello at all,
    Is it possible to tell a FlexConnect AP whether a client on a single SSID should be locally switched or centrally switched and, if centrally switched, which VLAN it should use?
    All I got so far was either central switching with dynamic VLAN assignment or local switching with a static VLAN (because it falls back to the default static VLAN configured at the AP if the radius-assigned VLAN doesn't exist), but I need a FlexConnect AP that puts client a into the locally switched VLAN a and client b into the centrally switched VLAN b, both on the same SSID. Is there a radius attribute to tell a FlexConnect AP how to handle this while non-FlexConnect APs ignore it?
    To be more detailed:
    At the central location all APs are running in local mode, radius assigns different VLANs to the clients (different departments), let's say client a = VLAN 100, client b = VLAN 200, and this works fine. At the remote locations the APs are running in FlexConnect mode with default VLAN 10 so that the authenticated clients can break out locally and use the local infrastructure for printing and file storage. At these locations radius also says client a = VLAN 100, but client a should be forwarded to local VLAN 10 (which already works because there is no VLAN 100 configured at the AP, so the default static configuration with VLAN 10 is used), while client b should stay in VLAN 200 and should be centrally switched to the controller because it isn't allowed to access the local infrastructure. How could this be done? Creating another SSID isn't a valid option.
    Thank you,
    Christian

    Hi Christian.
    This is what 7.3 mobility design document tells about "FlexConnect VLAN Based Central Switching" which is listed in above slide.
    "From release 7.3 onwards, traffic from FlexConnect APs can be switched centrally or locally depending on the presence of a VLAN on a FlexConnect AP.
    In controller software release 7.2, AAA override of VLAN (Dynamic VLAN assignment) for locally-switched WLANs puts wireless clients on the VLAN provided by the AAA server. If the VLAN provided by the AAA server is not present at the AP, the client is put on a WLAN mapped VLAN on that AP and traffic switches locally on that VLAN. Further, prior to release 7.3, traffic for a particular WLAN from FlexConnect APs can be switched Centrally or Locally depending on the WLAN configuration."
    FlexConnect VLAN Central Switching Summary
    Traffic flow on WLANs configured for Local Switching when FlexConnect APs are in connected mode are as follows:
    • If the VLAN is returned as one of the AAA attributes and that VLAN is not present in the FlexConnect AP database, traffic will switch centrally and the client is assigned this VLAN/Interface returned from the AAA server provided that the VLAN exists on the WLC.
    • If the VLAN is returned as one of the AAA attributes and that VLAN is not present in the FlexConnect AP database, traffic will switch centrally. If that VLAN is also not present on the WLC, the client will be assigned a VLAN/Interface mapped to a WLAN on the WLC.
    • If the VLAN is returned as one of the AAA attributes and that VLAN is present in the FlexConnect AP database, traffic will switch locally.
    • If the VLAN is not returned from the AAA server, the client is assigned a WLAN mapped VLAN on that FlexConnect AP and traffic is switched locally.
    Traffic flow on WLANs configured for Local Switching when FlexConnect APs are in standalone mode are as follows:
    • If the VLAN returned by the AAA server is not present in the FlexConnect AP database, the client will be put on a default VLAN (that is, a WLAN mapped VLAN on a FlexConnect AP). When the AP connects back, this client is de-authenticated and will switch traffic centrally.
    • If the VLAN returned by the AAA server is present in the FlexConnect AP database, the client is placed into a returned VLAN and traffic will switch locally.
    • If the VLAN is not returned from the AAA server, the client is assigned a WLAN mapped VLAN on that FlexConnect AP and traffic will switch locally.
    Enjoy your weekend & I am sure you will be able to get this working.
    HTH
    Rasika
    *** Pls rate all useful responses ****
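The rules Rasika quotes decide, per client, whether a FlexConnect AP switches locally or centrally; the following is an added example, not code from the thread or from Cisco, that puts them into one decision function (with the 7.2 fallback selectable for contrast) and applies it to Christian's two departments. The VLAN numbers and the assumption that VLAN 100 is added to the remote AP's VLAN database are made up for the illustration.

```python
"""Constructed example: the FlexConnect VLAN-based central switching rules quoted above
(controller release 7.3) as one decision function, with the 7.2 behaviour selectable for
contrast. VLAN numbers are made up."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Decision:
    switching: str        # "local" or "central"
    vlan: Optional[int]   # VLAN or WLC interface the client lands on
    note: str             # which rule of the summary applied


def flexconnect_decision(aaa_vlan, ap_vlans, wlc_vlans, ap_wlan_vlan, wlc_wlan_vlan,
                         connected=True, vlan_based_central_switching=True):
    """Where a client on a locally-switched WLAN ends up.

    aaa_vlan       VLAN returned by the RADIUS server (None if no VLAN attribute)
    ap_vlans       VLANs in the FlexConnect AP database
    wlc_vlans      VLANs/interfaces present on the controller
    ap_wlan_vlan   the WLAN-mapped (default) VLAN on this AP
    wlc_wlan_vlan  the WLAN-mapped interface on the WLC
    connected      False for a FlexConnect AP in standalone mode
    vlan_based_central_switching  False reproduces the 7.2 behaviour
    """
    if aaa_vlan is None:
        return Decision("local", ap_wlan_vlan, "no AAA VLAN: WLAN-mapped VLAN on the AP")
    if aaa_vlan in ap_vlans:
        return Decision("local", aaa_vlan, "AAA VLAN present on the AP")
    if not vlan_based_central_switching:
        # 7.2: an AAA VLAN missing from the AP falls back to the WLAN-mapped VLAN, still local
        return Decision("local", ap_wlan_vlan, "7.2: AAA VLAN absent on AP, local fallback")
    if not connected:
        return Decision("local", ap_wlan_vlan,
                        "standalone: default VLAN; de-authenticated and central once AP reconnects")
    if aaa_vlan in wlc_vlans:
        return Decision("central", aaa_vlan, "AAA VLAN absent on AP, present on WLC")
    return Decision("central", wlc_wlan_vlan, "AAA VLAN absent on AP and WLC: WLAN-mapped interface")


# Christian's remote site with made-up numbers: the AP database holds the local breakout
# VLAN 10 plus department A's VLAN 100, so A switches locally; department B's VLAN 200 is
# only on the WLC, so B switches centrally. Interface 1 is the WLAN's mapping on the WLC.
REMOTE_AP_VLANS = {10, 100}
WLC_VLANS = {1, 100, 200}


def remote_site(aaa_vlan, **kw):
    """Decision for one client at the remote site."""
    return flexconnect_decision(aaa_vlan, REMOTE_AP_VLANS, WLC_VLANS,
                                ap_wlan_vlan=10, wlc_wlan_vlan=1, **kw)
```

With VLAN 100 left out of the AP database (Christian's current setup), the connected-mode rule sends department A centrally on VLAN 100, so the local breakout he relies on only survives the 7.3 behaviour if the VLAN is present on the AP.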

  • ACS 3.3 Send Radius Attribute 135 & 136

    Hi
    I need an ACS box to return IETF RADIUS attributes 135 & 136 to a NAS for the assignment of DNS servers to clients.
    The ACS 3.3 user guide lists these as supported IETF RADIUS Attributes however they don't seem to be available under Interface Configuration--> Radius IETF.
    Would anyone know how I can enable these ?
    Thanks
    Leon

    Hi Leon,
    That is quite strange. You should have those attributes.
    As you mentioned you have ACS SE, if you could console into it. Issue command,
    stop csadmin
    start csadmin
    Or rebooting ACS SE will re-start the CSAdmin server.
    If you are restarting services from System Configuration > Service Control, then that won't restart the CSAdmin service.
    Give that a try.
    Regards,
    Prem
