PPPoX Virtual-Template assignment via Radius Attribute
I'd like to optionally apply ACLs to PPP users (PPPoX). I see two strategies: a) apply an ACL directly via radius attributes or b) define the ACL in the Virtual-Template on the BRAS and determine the Virtual-Template ID via radius attribute. Has anyone done this? If so, any suggestions on the best way to move forward? I think I'd prefer option B as I could also use it to assign VRFs etc (one Virtual-Template per VRF).
TIA
The only way I could get this to work is to have the ACS server reference an ACL configured on the switch via name or number and send it in the filter-id attribute. On the switch I configured the default setting for attribute 11 to apply inbound: "radius-server attribute 11 default direction in". If you do a "sh authentication sessions interface gx/x" it'll show the filter-ID setting, but if you do a "show ip interface gx/x" it still shows the default-acl being applied. It works, just a bit confusing because of that default-acl still showing up. Anyone else experience the same?
Similar Messages
-
NAC 802.1x: VLAN assignment via RADIUS
I'm deploying an 802.1x NAC solution. Users authenticate ok but the VLAN is not assigned to the port.
The RADIUS server sends the attributes to the NAD (switch 3560). I see the following lines in the radius debug output:
02:49:08: RADIUS: Received from id 1645/4 192.168.1.1:1645, Access-Accept, len 267
02:49:08: RADIUS: authenticator AB 90 94 95 D0 86 04 E5 - D3 AC 43 21 C0 31 29 EB
02:49:08: RADIUS: Session-Timeout [27] 6 3600
02:49:08: RADIUS: Termination-Action [29] 6 1
02:49:08: RADIUS: Tunnel-Type [64] 6 01:Unsupported [13]
02:49:08: RADIUS: Tunnel-Medium-Type [65] 6 01:Unsupported [6]
02:49:08: RADIUS: Tunnel-Private-Group[81] 10 01:"healthy"
02:49:08: RADIUS: Vendor, Cisco [26] 29
02:49:08: RADIUS: Cisco AVpair [1] 23 "posture-token=Healthy"
I suppose that the error appears because the attributes 64 and 65 are "Unsupported". Is it right?
In RADIUS server I configure:
attribute 64 = VLAN (13)
attribute 65 = 802 (6)
Below I attach switch configuration. The "healthy" vlan is configured in this one.
Any help would be appreciated.
Thanks and regards.
Martín.
I changed the IOS and all works fine. The IOS must have the feature "NAC - L2 IEEE 802.1x".
Another user has the same problem; he posted the question with the following subject: "NAC L2 802.1x VLAN assignment". In that question the problem is better described.
-
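The debug above shows Tunnel-Type and Tunnel-Medium-Type arriving with a "01:" prefix and the numeric values 13 and 6 in brackets. The "01" is the RFC 2868 tag byte that ties the three attributes together, and 13 and 6 are the RFC 2868 values for VLAN and IEEE-802, whatever label the IOS decoder prints next to them. The following Python is an added example, not code from the post or from Cisco: it encodes the three attributes the way they appear on the wire, decodes them back, and runs one consistency check (all three present, one shared tag, VLAN/802 values, non-empty group ID) over both the encoded bytes and the debug lines quoted above. It also encodes the plain string Filter-Id (11) attribute from the reply to the opening question. SAMPLE_DEBUG is copied from this post; everything else is constructed.

```python
"""Encode, decode and check RFC 2868 VLAN-assignment attributes (added example)."""
import re
import struct

# IETF attribute numbers and enum values named in the thread above.
FILTER_ID = 11               # untagged string attribute (RFC 2865), as in the opening reply
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13        # Tunnel-Type = VLAN
TUNNEL_MEDIUM_802 = 6        # Tunnel-Medium-Type = IEEE-802
TAGGED = (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID)


def encode_string(attr_type, text):
    """Type | Length | String, for an untagged string attribute such as Filter-Id."""
    data = text.encode("utf-8")
    return struct.pack("!BB", attr_type, 2 + len(data)) + data


def encode_tagged_int(attr_type, tag, value):
    """Type | Length=6 | Tag | 3-byte value (RFC 2868 sections 3.1 and 3.2)."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0x00..0x1F")
    return struct.pack("!BBB", attr_type, 6, tag) + value.to_bytes(3, "big")


def encode_tagged_string(attr_type, tag, text):
    """Type | Length | Tag | String (RFC 2868 section 3.6, Tunnel-Private-Group-ID)."""
    data = text.encode("utf-8")
    if not 0 <= tag <= 0x1F or not data:
        raise ValueError("tag must be 0x00..0x1F and the string non-empty")
    return struct.pack("!BBB", attr_type, 3 + len(data), tag) + data


def encode_vlan_assignment(vlan, tag=1):
    """The three attributes an Access-Accept needs for VLAN assignment, sharing one tag."""
    return (encode_tagged_int(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
            + encode_tagged_int(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_802)
            + encode_tagged_string(TUNNEL_PRIVATE_GROUP_ID, tag, str(vlan)))


def decode_attributes(blob):
    """Walk a RADIUS attribute list; return {type: (tag, value)}, tag None when untagged."""
    found, i = {}, 0
    while i < len(blob):
        if i + 1 >= len(blob) or blob[i + 1] < 2 or i + blob[i + 1] > len(blob):
            raise ValueError("malformed attribute length at offset %d" % i)
        atype, alen = blob[i], blob[i + 1]
        if atype in TAGGED and alen < 3:
            raise ValueError("tagged attribute %d too short" % atype)
        body = blob[i + 2:i + alen]
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            found[atype] = (body[0], int.from_bytes(body[1:], "big"))
        elif atype == TUNNEL_PRIVATE_GROUP_ID and body[0] <= 0x1F:
            found[atype] = (body[0], body[1:].decode("utf-8"))
        elif atype == TUNNEL_PRIVATE_GROUP_ID:
            found[atype] = (0, body.decode("utf-8"))   # RFC 2868: first byte > 0x1F is data
        else:
            found[atype] = (None, bytes(body))
        i += alen
    return found


# One IOS "debug radius" line for a tagged attribute, e.g.
#   RADIUS: Tunnel-Type [64] 6 01:Unsupported [13]     -> type 64, tag 01, enum 13
#   RADIUS: Tunnel-Private-Group[81] 10 01:"healthy"   -> type 81, tag 01, "healthy"
DEBUG_TAGGED = re.compile(r"\[(?P<type>64|65|81)\]\s+\d+\s+(?P<tag>[0-9A-Fa-f]{2}):(?P<rest>.*)$")


def parse_ios_debug(text):
    """Pull attributes 64/65/81 out of IOS debug output in the same {type: (tag, value)} shape."""
    found = {}
    for line in text.splitlines():
        m = DEBUG_TAGGED.search(line)
        if not m:
            continue
        atype, tag, rest = int(m["type"]), int(m["tag"], 16), m["rest"].strip()
        if atype == TUNNEL_PRIVATE_GROUP_ID:
            found[atype] = (tag, rest.strip('"'))
        else:
            num = re.search(r"\[(\d+)\]\s*$", rest)   # IOS prints the numeric enum last
            found[atype] = (tag, int(num.group(1)) if num else None)
    return found


def check_vlan_assignment(found):
    """Return (ok, problems) for the three-attribute VLAN assignment."""
    problems = ["attribute %d missing" % t for t in TAGGED if t not in found]
    if problems:
        return False, problems
    tags = {found[t][0] for t in TAGGED}
    if len(tags) != 1:
        problems.append("tags differ across 64/65/81: %s" % sorted(tags))
    if found[TUNNEL_TYPE][1] != TUNNEL_TYPE_VLAN:
        problems.append("Tunnel-Type is %r, expected VLAN (13)" % (found[TUNNEL_TYPE][1],))
    if found[TUNNEL_MEDIUM_TYPE][1] != TUNNEL_MEDIUM_802:
        problems.append("Tunnel-Medium-Type is %r, expected 802 (6)" % (found[TUNNEL_MEDIUM_TYPE][1],))
    if not found[TUNNEL_PRIVATE_GROUP_ID][1]:
        problems.append("Tunnel-Private-Group-ID is empty")
    return not problems, problems


# Debug lines copied from the post above (Access-Accept placing the user in VLAN "healthy").
SAMPLE_DEBUG = """\
02:49:08: RADIUS: Session-Timeout [27] 6 3600
02:49:08: RADIUS: Termination-Action [29] 6 1
02:49:08: RADIUS: Tunnel-Type [64] 6 01:Unsupported [13]
02:49:08: RADIUS: Tunnel-Medium-Type [65] 6 01:Unsupported [6]
02:49:08: RADIUS: Tunnel-Private-Group[81] 10 01:"healthy"
02:49:08: RADIUS: Vendor, Cisco [26] 29
02:49:08: RADIUS: Cisco AVpair [1] 23 "posture-token=Healthy"
"""

if __name__ == "__main__":
    wire = encode_vlan_assignment("healthy")
    print(wire.hex())
    print(check_vlan_assignment(decode_attributes(wire)))
    print(check_vlan_assignment(parse_ios_debug(SAMPLE_DEBUG)))
```

Running the checker over the debug output from this post reports the assignment as consistent, which matches the follow-up: the attributes were fine and the missing piece was the IOS feature set, not the RADIUS reply.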
Assign QoS Service Policy via RADIUS to Catalyst 45k/37k?
hi,
Is there a way to assign a QoS service policy via Radius to a Catalyst 4500/3750 switchport?
in detail, we would like to assign this policy
policy-map SET_EF
class class-default
set dscp ef
to an interface. All traffic should be marked with a defined DSCP value.
This works fine when doing it statically with
interface FastEthernet2/1
service-policy input SET_EF
but we would need to assign such a policy via Radius during the 802.1x authentication; different users should get different policies. We use Cisco ACS 5.2 as Radius Server and there actually is a field for
that in the Authorization Profile Common Tasks Configuration. in detail, this uses the cisco-av-pair "sub-policy-In=<policy name>" attribute to assign a service policy to an NAS.
we found also two other attributes "sub-qos-policy-in" and "ip:sub-qos-polcy-in" for that. CCO says that "ip:sub-qos-polcy-in" works with Catalyst 65k (http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/qos.html#wp1926523)
unfortunately this seems to not work on Catalyst 45k and 37k.
In the ACS Logs we can see that these attributes are attached to the Radius Reply, but unfortunately they are ignored by the switch.
It is interesting that when entering "show aaa attributes" on the Catalyst 45k, these attributes are displayed - so to my understanding the switch should understand these attributes (?)
4503-E#sh aaa attributes
AAA ATTRIBUTE LIST:
Type=1 Name=disc-cause-ext Format=Enum
Type=2 Name=Acct-Status-Type Format=Enum
<snip>
Type=345 Name=sub-policy-In Format=String
Type=346 Name=sub-qos-policy-in Format=String
Type=347 Name=sub-policy-Out Format=String
Type=348 Name=sub-qos-policy-out Format=String
any input is welcome :-))
best regards
Additionally to this discussion, I've just opened a service request with TAC.
Unfortunately the engineer told me that as of now per-user QoS is definitely not supported on these two platforms, but it's listed on the roadmap and will possibly be available mid 2012......
-
IKEv2 AnyConnect and Pool allocation via RADIUS
I have configured a CSR1000V (03.09.00a.S.153-2.S) for AnyConnect with IKEv2. I am storing the username and IKEv2 authorization policy on the RADIUS server. Clients are dropped into their own iVRFs through RADIUS attributes passed back to the NAS.
e.g. in FreeRadius (2.1.12), the following is defined (home is the 'group') in username@group format.
home Cleartext-Password := "cisco"
Cisco-AVPair += "ip:interface-config=vrf forwarding CUST-A",
Cisco-AVPair += "ip:interface-config=ip unnumbered loopback100",
Framed-Pool = "CUST-A-POOL"
matt@home Cleartext-Password := "test123"
Group and user authorization information is then merged and cloned onto the virtual template:
crypto ikev2 name-mangler EXTRACT-GROUP
eap suffix delimiter @
crypto ikev2 profile FlexVPN-IKEv2-Profile-1
match fvrf IPSEC-FVRF
match identity remote key-id FlexAnyConnect
identity local dn
authentication remote eap query-identity
authentication local rsa-sig
pki trustpoint cacert.org
dpd 60 2 on-demand
aaa authentication eap FlexVPN-AuthC-List1
aaa authorization group eap list FlexVPN-AuthZ-List-1 name-mangler EXTRACT-GROUP
aaa authorization user eap cached
virtual-template 1
interface Virtual-Template1 type tunnel
no ip address
tunnel mode ipsec ipv4
tunnel vrf IPSEC-FVRF
tunnel protection ipsec profile FlexVPN-IPsec-Profile-1
However, it appears that the RADIUS attribute specifying the pool is ignored; I can see the RADIUS attribute (IETF 88) passed back to the NAS in the RADIUS debugs:
*Aug 16 21:36:39.384 BST: RADIUS: Framed-IP-Pool [88] 13 "CUST-A-POOL"
However, the crypto debugs state that an IP address cannot be assigned:
*Aug 16 21:36:39.435 BST: IKEv2:Failed to allocate IP addr
<snip>
Payload contents:
AUTH NOTIFY(INTERNAL_ADDRESS_FAILURE)
If the Framed-Pool is removed and a Framed-IP-Address defined instead for the user, then the address is assigned. The CUST-A-POOL is defined locally on the NAS. Is there anything I am missing? Can any more detailed debugs be generated?
Cheers,
Matt
Marcin,
Thank you for your response; sending "ipsec:addr-pool" does work. I did a bug scrape, but didn't find this (if I try to view it in the new Bug Tool, I get "Insufficient Permissions to View Bug"), but it was possible to paste the Bug ID into the old Bug Toolkit to get the detail.
As an aside, I also found that "include-local-lan" doesn't appear to work with IKEv2 AnyConnect and isn't likely to be fixed; according to CSCud65859, the workaround is to use split-tunneling ("ipsec:route-set=prefix prefix/len").
Cheers,
Matt -
Apply QoS profile using RADIUS attributes
Hi all,
Anyone delved into the use of RADIUS attributes to apply QoS values (DSCP/802.1p) to wireless users via a WLC?
With the emergence of ISE and the concept of a shared SSID for several user types I may want to apply QoS profiles by user rather than SSID.
Do you need to apply the maximum value to the SSID for the attribute-derived value to work?
Can non-WMM client traffic be marked using this approach?
Plenty to think about here...
Any discussion welcome!
Cheers
Rob
You can apply QoS RADIUS override.
http://www.cisco.com/en/US/products/ps6307/products_tech_note09186a0080870334.shtml
Yes, it would be best to apply the WLAN max QoS value to the level that you intend to use with the RADIUS override. For example, if you want to apply platinum QoS for voice clients on the SSID, I would map the WLAN to platinum QoS.
I am not sure on the next question. I think you can assign a DSCP/802.1p to non-WMM clients, but I don't think the non-WMM clients will benefit from it, as they will not tag their traffic and hence the AP and subsequently the wired network will treat it as best effort (untagged).
Thanks, -
Cisco 1602i + Authenticating users via RADIUS?
Hello,
Our company recently purchased a Cisco 1602i standalone WAP to replace the WAP4410Ns that we were having issues with. I am now attempting to configure the RADIUS authentication, as we have a User network and a Guest connection. The Guest connection works fine, using WPA PSK. However, I can't seem to get the RADIUS authentication to work. Reading the documentation has got me a little confused, and I have tried turning on debugging (debug radius authentication, debug aaa) but those show nothing. Also, in the RADIUS server itself (Windows 2008 R2 NPS), I see nothing in the logs when I try to connect using a device or the "test aaa" command. Can someone guide me on what I'm doing wrong? I followed someone's advice on another forum and removed "authentication network-eap" from the SSID (phoenix_2), and now when I attempt to connect with a device it just asks me for a password, it doesn't prompt for a username anymore. I am very stumped. Here's the relevant config:
aaa new-model
aaa group server radius rad_eap
server 10.200.5.24
aaa group server radius rad_mac
aaa group server radius rad_acct
aaa group server radius rad_admin
aaa group server tacacs+ tac_admin
aaa group server radius rad_pmip
aaa group server radius dummy
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
aaa session-id common
clock timezone EST -5 0
ip cef
ip domain name gst
dot11 syslog
dot11 vlan-name guest vlan 255
dot11 vlan-name user vlan 140
dot11 ssid phoenix_2
vlan 140
band-select
authentication open eap eap_methods
mbssid guest-mode
dot11 ssid walker_2
vlan 255
band-select
authentication open
authentication key-management wpa version 2
mbssid guest-mode
wpa-psk ascii 7 0353035E535879191B
interface BVI1
ip address 10.200.5.70 255.255.255.0
ip default-gateway 10.200.5.1
ip forward-protocol nd
no ip http server
ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip route 0.0.0.0 0.0.0.0 10.200.140.1
ip route 0.0.0.0 0.0.0.0 10.200.5.1
ip radius source-interface BVI1
access-list 111 permit tcp any any neq telnet
snmp-server community G!0bal RO
radius-server attribute 32 include-in-access-req format %h
radius-server host 10.200.5.24 key 7 01445E510E1C07032A495C0D0B0C011718190D3E2E767863
radius-server vsa send accounting
The NPS worked just fine with the WAP4410Ns, not sure why we're having so much trouble with the 1602i.
Thanks Rasika, your link worked. I had the authentication key before, but I removed it while I was trying different things. My main issue was not applying the list name to the SSID; the documentation did not make it clear that when the radius server is specified using the "radius-server ...." command, the radius group refers to that command when you configure the group. Once that clicked, it made sense that the method list name was specified by the radius group, and that the authentication methods then referred to the radius group. It was a big question mark in my head how the radius server was applied to the SSID prior to reading your post.
I haven't tried the "erase startup-config" command yet, I will try that next.
Quick question, why are both authentication open and authentication network-eap needed? I would assume authentication network-eap would suffice, unless the authentication open command refers to the allowed devices and not just authentication via RADIUS? -
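The reply above works out the reference chain by hand: the SSID names a method list, the method list names a server group, the group lists servers, and each server must have a radius-server host entry. As an added example (my code, not Cisco's or the poster's), the following Python resolves that chain over the AAA, dot11 and radius-server lines of the config in the post, re-indented the way IOS prints sub-commands, and flags dangling links: undefined method lists, empty server groups (rad_mac and rad_acct above, the latter referenced by the accounting list), and servers without a radius-server host entry. Only that walk is modelled; it does not interpret "authentication open" versus "network-eap".

```python
"""Resolve the AAA reference chain in an autonomous AP config (added example, not Cisco's code)."""
import re

# AAA, dot11 and radius-server lines from the config in the post, re-indented the way IOS
# prints sub-commands (the post lost the indentation); unrelated lines are dropped.
SAMPLE_CONFIG = """\
aaa new-model
aaa group server radius rad_eap
 server 10.200.5.24
aaa group server radius rad_mac
aaa group server radius rad_acct
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa accounting network acct_methods start-stop group rad_acct
dot11 ssid phoenix_2
 vlan 140
 authentication open eap eap_methods
 mbssid guest-mode
dot11 ssid walker_2
 vlan 255
 authentication open
 authentication key-management wpa version 2
 mbssid guest-mode
radius-server host 10.200.5.24 key 7 01445E510E1C07032A495C0D0B0C011718190D3E2E767863
"""

SSID_EAP_LIST = re.compile(r"authentication (?:open eap|network-eap) (\S+)$")


def parse_sections(config):
    """[(command, [sub-commands])]: indented lines belong to the preceding top-level command."""
    sections = []
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if raw[0].isspace() and sections:
            sections[-1][1].append(raw.strip())
        else:
            sections.append((raw.strip(), []))
    return sections


def build_model(config):
    """hosts: radius-server host IPs; groups: name -> [server IPs];
    lists: login method list -> methods; ssids: ssid -> [EAP method lists it references]."""
    hosts, groups, lists, ssids = set(), {}, {}, {}
    for command, subs in parse_sections(config):
        w = command.split()
        if w[:2] == ["radius-server", "host"]:
            hosts.add(w[2])
        elif w[:4] == ["aaa", "group", "server", "radius"]:
            groups[w[4]] = [s.split()[1] for s in subs if s.startswith("server ")]
        elif w[:3] == ["aaa", "authentication", "login"]:
            lists[w[3]] = w[4:]                      # e.g. ["group", "rad_eap"] or ["local"]
        elif w[:2] == ["dot11", "ssid"]:
            ssids[w[2]] = [m.group(1) for s in subs for m in [SSID_EAP_LIST.match(s)] if m]
    return hosts, groups, lists, ssids


def resolve_ssid(config, ssid):
    """Follow ssid -> method list -> server group -> server; a '?' prefix marks a dangling link."""
    hosts, groups, lists, ssids = build_model(config)
    chain = []
    for lst in ssids.get(ssid, []):
        methods = lists.get(lst)
        chain.append(lst if methods is not None else "?" + lst)
        for i, m in enumerate(methods or []):
            if m == "group" and i + 1 < len(methods):
                grp = methods[i + 1]
                servers = groups.get(grp)
                chain.append(grp if servers is not None else "?" + grp)
                chain.extend(s if s in hosts else "?" + s for s in (servers or []))
            elif m == "local":
                chain.append("local")
    return chain


def audit(config):
    """Dangling or empty links in the chain, found before blaming the RADIUS server."""
    hosts, groups, lists, ssids = build_model(config)
    findings = []
    for ssid, eap_lists in ssids.items():
        for lst in eap_lists:
            if lst not in lists:
                findings.append("ssid %s: method list %s is not defined" % (ssid, lst))
    for name, servers in groups.items():
        if not servers:
            findings.append("server group %s has no servers" % name)
        for s in servers:
            if s not in hosts:
                findings.append("server group %s: %s has no radius-server host entry" % (name, s))
    return findings


if __name__ == "__main__":
    print(" -> ".join(resolve_ssid(SAMPLE_CONFIG, "phoenix_2")))
    print("\n".join(audit(SAMPLE_CONFIG)))
```

For phoenix_2 the chain resolves all the way to 10.200.5.24, which is why the remaining problem in the post was the SSID not naming the list at all rather than a broken reference; the empty rad_acct group is still worth noting since accounting is pointed at it.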
ACS 4.2 Windows Radius Attributes for VPN-dial-in
Hello,
this Situation:
A remote user establishes a VPN connection (AnyConnect) to an ASA 8.4; the ASA forwards authentication to ACS 4.2, and ACS should assign an IP address from an address pool depending on group membership (LDAP).
the Problem:
the user gets an IP config with a default gateway which is always the 3rd address of the IP pool (IP pools are /28 ranges); the mask is ok (/32).
On the ASA-Log I can see a Message:
%ASA-6-110002: Failed to locate egress interface for protocol from src interface:src IP/src port to dest IP/dest port
I've assigned the following attributes:
IP Assignment: Assigned from AAA server pool (the corresponding pool is selected)
IETF Radius Attributes:
006 Service Type: Framed
007 Framed Protocol: ppp
009 Framed-IP-Netmask: 255.255.255.255
(not sure about) 022 Framed-Route: 0.0.0.0
025 Class: <Group-Policy of ASA>
Does anyone of you know what I'm doing wrong?
On the ASA I can't find any settings.
Thanks for any advice
O'Brien Simon
Did you manage to get a reply to your question about the timeout period for dynamic users in ACS 4.2 ? As this is what I was about to ask but noticed your post.
Many thanks
florrieford -
Send vlan via Radius with 802.1x Authentication
Hi all.
I am trying to set up 802.1x authentication using Windows XP Supplicant, Catalyst 2950 and FreeRadius as radius server.
I can login correctly so I have the port in Authorized mode, but I can't download the vlan id through the radius server.
Reading docs, I have found these attributes:
cisco-avpair="tunnel-type(#64)=VLAN(13)"
cisco-avpair="tunnel-medium-type(#65)=802 media(6)"
cisco-avpair="tunnel-private-group-ID(#81)=2" (2 is my vlan id)
but when I insert these into the radius DB (I have also tried with the text file config...) I can see from the Radius debugs that only the first one (cisco-avpair="tunnel-type(#64)=VLAN(13)") is passed in the access-accept packet.
Here are some outputs:
Sending Access-Challenge of id 80 to 128.0.0.21:1812
Cisco-AVPair = "tunnel-type=VLAN"
EAP-Message = 0x0101001604103ee52f729eb199689ef4fc77a18a6a08
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xf88b9673c199cb13def96563250cf8a7
I issued a "debug radius" on the switch Catalyst 2950 also, and the output is:
02:49:39: RADIUS: Received from id 73 128.0.0.243:1812, Access-Accept, len 129
02:49:39: Attribute 26 75 0000000901457475
02:49:39: Attribute 79 6 03010004
02:49:39: Attribute 80 18 1ABB3507
02:49:39: Attribute 1 10 74657374
02:49:39: RADIUS: EAP-login: length of eap packet = 4
02:49:39: RADIUS: EAP-login: radius didn't send any vlan
so I can see that radius is not sending anything about vlan...
Has anyone already tried this setup?
Thank you in advance.
Massimo Magnani.
OK, so I may have glossed over that before. From your debug post, you had:
Cisco-AVPair = "tunnel-type=VLAN"
Unless I'm missing something, that looks like a VSA (or RADIUS Attribute [26\9\1]).
You don't need VSAs for VLAN Assignment. You can do this with three standard RADIUS Attributes. Here they are (and an example of what they should look like):
[64] Tunnel-Type VLAN (13)
[65] Tunnel-Medium-Type 802 (6)
[81] Tunnel-Private-Group-ID - "" OR ""
They are defined in RFC 2868.
Hope this helps, -
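Massimo's switch debug prints each attribute as "Attribute <type> <length> <first bytes in hex>", which is enough to decode the header of a Vendor-Specific attribute: the first four bytes of attribute 26 are the Vendor-Id (9 is Cisco), followed by the vendor type (1 is Cisco-AVPair) and the vendor length. As an added example, not code from the post, the following Python decodes those lines, checks that the attribute length agrees with the vendor length (RFC 2865: 2 + 4 + Vendor-Length), reads the EAP code out of EAP-Message (79), and reports which of the three IETF attributes 64, 65 and 81 are absent from the Access-Accept, which is the point the reply makes. SAMPLE is copied from the debug above; because IOS prints only a prefix of each value, the parser treats the data as a prefix.

```python
"""Decode the raw 'Attribute <type> <len> <hex>' lines from IOS 'debug radius' (added example)."""
import re

TUNNEL_ATTRS = (64, 65, 81)       # RFC 2868 attributes a switch needs for VLAN assignment
VENDOR_SPECIFIC = 26              # RFC 2865 Vendor-Specific
EAP_MESSAGE = 79
CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1                  # Cisco vendor type 1 = Cisco-AVPair
IETF_NAMES = {1: "User-Name", 26: "Vendor-Specific", 64: "Tunnel-Type",
              65: "Tunnel-Medium-Type", 79: "EAP-Message",
              80: "Message-Authenticator", 81: "Tunnel-Private-Group-ID"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}

RAW_LINE = re.compile(r"Attribute\s+(?P<type>\d+)\s+(?P<len>\d+)\s+(?P<hex>[0-9A-Fa-f]+)\s*$")


def parse_raw_debug(text):
    """[{'type', 'length', 'data'}] per line; 'data' is the prefix of the value IOS printed."""
    attrs = []
    for line in text.splitlines():
        m = RAW_LINE.search(line)
        if m:
            attrs.append({"type": int(m["type"]), "length": int(m["len"]),
                          "data": bytes.fromhex(m["hex"])})
    return attrs


def decode_vsa_header(attr):
    """Vendor-Id / Vendor-Type / Vendor-Length of a Vendor-Specific attribute, or None."""
    if attr["type"] != VENDOR_SPECIFIC or len(attr["data"]) < 6:
        return None
    d = attr["data"]
    vendor_id, vendor_type, vendor_len = int.from_bytes(d[:4], "big"), d[4], d[5]
    return {"vendor_id": vendor_id,
            "vendor": "Cisco" if vendor_id == CISCO_VENDOR_ID else str(vendor_id),
            "vendor_type": vendor_type,
            "avpair": vendor_id == CISCO_VENDOR_ID and vendor_type == CISCO_AVPAIR,
            "vendor_length": vendor_len,
            # RFC 2865: Length = 2 (Type, Length) + 4 (Vendor-Id) + Vendor-Length
            "length_consistent": attr["length"] == 6 + vendor_len,
            "value_prefix": d[6:].decode("ascii", "replace")}


def decode_eap_message(attr):
    """EAP header carried in EAP-Message: Code, Identifier, Length; None for other attributes."""
    if attr["type"] != EAP_MESSAGE or len(attr["data"]) < 4:
        return None
    code, ident = attr["data"][0], attr["data"][1]
    return {"code": code, "name": EAP_CODES.get(code, "?"), "identifier": ident,
            "length": int.from_bytes(attr["data"][2:4], "big")}


def missing_vlan_attributes(attrs):
    """IETF attributes needed for VLAN assignment that are absent from the reply."""
    present = {a["type"] for a in attrs}
    return [t for t in TUNNEL_ATTRS if t not in present]


def summarize(text):
    """Human-readable lines: one per attribute plus a note on missing VLAN attributes."""
    attrs = parse_raw_debug(text)
    lines = []
    for a in attrs:
        name = IETF_NAMES.get(a["type"], "attr-%d" % a["type"])
        detail = ""
        vsa = decode_vsa_header(a)
        if vsa:
            detail = " vendor=%s vendor-type=%d%s vendor-len=%d value starts %r" % (
                vsa["vendor"], vsa["vendor_type"], " (Cisco-AVPair)" if vsa["avpair"] else "",
                vsa["vendor_length"], vsa["value_prefix"])
            if not vsa["length_consistent"]:
                detail += " LENGTH MISMATCH"
        eap = decode_eap_message(a)
        if eap:
            detail = " EAP %s id=%d" % (eap["name"], eap["identifier"])
        lines.append("[%d] %s len=%d%s" % (a["type"], name, a["length"], detail))
    missing = missing_vlan_attributes(attrs)
    if missing:
        lines.append("missing IETF attributes for VLAN assignment: %s" % missing)
    return lines


# Switch debug lines copied from the post above.
SAMPLE = """\
02:49:39: RADIUS: Received from id 73 128.0.0.243:1812, Access-Accept, len 129
02:49:39: Attribute 26 75 0000000901457475
02:49:39: Attribute 79 6 03010004
02:49:39: Attribute 80 18 1ABB3507
02:49:39: Attribute 1 10 74657374
"""

if __name__ == "__main__":
    print("\n".join(summarize(SAMPLE)))
```

On the sample the only attribute carrying anything VLAN-related is the Cisco-AVPair VSA (vendor 9, type 1, value starting "tu" for "tunnel-type=..."), and 64, 65 and 81 are all reported missing, which is exactly why the switch logged "radius didn't send any vlan".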
802.1x dynamic VLAN assignment with Radius NPS Server
I can NOT get the NPS and Cisco 3550 switch to drop the authenticated user in a VLAN.
I have followed this documentation,
http://msdn.microsoft.com/en-us/library/dd314181(v=ws.10).aspx
that basically says to use these Radius attributes,
Tunnel-Medium-Type : 802
Tunnel-Pvt-Group-ID : My_VLAN_Number (also tried VLAN name)
Tunnel-Type : VLAN
There is some Cisco documentation that says to use Vendor Specific attributes Cisco-AV-Pair,
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2950/software/release/12-1_19_ea1/configuration/guide/2950scg/swauthen.html#wpxref83693
and I have also tried that,
cisco-avpair= "tunnel-type(#64)=VLAN(13)"
cisco-avpair= "tunnel-medium-type(#65)=802 media(6)"
cisco-avpair= "tunnel-private-group-ID(#81)=vlanid"
My user authenticates on the port fine, but doesn't get put into a VLAN. If I add "sw acc vlan 110" then the user authenticates and then does get an IP address in that VLAN and all is well.
Anybody know how to get dynamic VLAN assignment working with NPS?
NPS on Win 2012 R2
Domain controller separate Win 2012 R2 server
Cisco 3550 switch
Hi All, can anyone guide me to configure 802.1x with ACS 5.0? It's a totally new look and I'm not able to find a document related to 802.1x.
Thanks
Hi,
Check out the below link on how to configure 802.1x and ACS administration hope to help !!
http://www.cisco.com/en/US/tech/tk389/tk814/technologies_configuration_example09186a00808abf2d.shtml#MDA
Ganesh.H -
Radius Attributes Supported by WLC? Guest bandwidth limiting
Hello all..
I've seen several mentions of limiting guest user traffic usage by QoS settings and policy maps. But my issue with this is, it's a global setting for that SSID. In my case, I have a 'Submit' button on our Guest Internet page that does a hidden login of the user Guest. In the past, I would apply a session timeout of 3 hours and limit the bandwidth by quite a bit. However, for vendors and visitors that come in, there was a login section where they could input their user/pass given to them by the helpdesk, and with radius attributes have an extended timeout with greater bandwidth. However, I haven't been able to get this to work on the Controller based service, other than the time-out attribute. Is anyone doing it this way? What attributes does the WLC support?
Have you looked at the v4.2 code? You can create different QoS Roles, and then assign different people to different roles.
I've never tried this through RADIUS though.
Regards,
Richard -
WLC Management Admin via RADIUS
I am trying to have a management user authenticate via radius and have full admin privileges.
For a WCS I can simply set the radius attribute of "Cisco-AVPair.attr|Wireless-WCS:role0=Admin" and that user will get full admin rights. I found this doc to grant a user lobby admin:
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a0080871921.shtml
but it is specific to using the Cisco ACS as a radius server. What attributes do I need to set for a user to get full admin rights to a WLC when authenticating via radius? Thanks.
My problem: I have a local management user profile defined on my WLC and it works fine when the Priority Order is set to LOCAL. When I change the Priority Order to make RADIUS first and LOCAL second, I can't get logged into the WLC using CLI, GUI, or the console. The last time this happened I had to reset the WLC and start over. I don't want to do that again, so I need some way to get into the WLC.
Once I can get back into the WLC I would prefer using Active Directory to authenticate the management user, but that doesn't seem to work. My RADIUS acts as a front end for the Active Directory database and works well for many of our Cisco LAN switches and Routers. Now I'm trying to set up the WLC to authenticate the management user with RADIUS. I have set the RADIUS (MS IAS) to return two attributes:
1. Vendor-Specific -Vendor Code 14179, Value=management
2. Service-Type - Value=Login
When I try to login using my AD account, the RADIUS server log shows an Access Request record, then an Access-Accept record that makes it appear RADIUS has successfully authenticated the user. But the login prompt for the GUI comes back as if it has failed. Same with the CLI login. Now I can't get logged into the WLC. How can I get into the box to manage it again?
Thanks -
Cisco 2800 - Multiple VPNs Using Virtual-Template
Hello List,
I have a question related to the way of setting up multiple VPNs using virtual-template configuration (Cisco calls this Dynamic VPN): how can I make my configuration be a "spoke" type VPN rather than "hub" type without using "crypto map" on the physical interface?
Here is how it works now (the VPN hub config):
!!! the VPN hub config
crypto keyring PSKs
pre-shared-key address <peer_ip> key 6 ************
crypto isakmp profile ISAKMP_Profile
keyring PSKs
self-identity address
match identity address <peer_ip> 255.255.255.255
virtual-template 1
crypto ipsec transform-set Transform_Set esp-3des esp-md5-hmac
crypto ipsec profile IPSEC_Profile
set transform-set Transform_Set
set isakmp-profile ISAKMP_Profile
interface Loopback1007
description This is a public IP address from a range routed via my gateway IP address (see below)
ip address <my_VPN-hub_ip> 255.255.255.255
no ip redirects
interface Multilink1
description This is my gateway IP address facing the ISP
ip address <my_public_IP> 255.255.255.252
no ip redirects
no ip unreachables
ip nbar protocol-discovery
ip nat outside
ip virtual-reassembly
rate-limit input access-group 102 8000 1500 2000 conform-action transmit exceed-action drop
ip route-cache flow
no cdp enable
ppp multilink
ppp multilink fragment delay 20
ppp multilink interleave
ppp multilink group 1
ppp multilink multiclass
service-policy output qos_pm-outbound
interface Serial0/0/0
description 1st Serial Interface to ISP
bandwidth 2048
no ip address
encapsulation ppp
ip route-cache flow
no fair-queue
ppp multilink
ppp multilink group 1
interface Serial0/0/1
description 2nd Serial Interface to ISP
bandwidth 2048
no ip address
encapsulation ppp
ip route-cache flow
no fair-queue
ppp multilink
ppp multilink group 1
interface Virtual-Template1 type tunnel
ip unnumbered Loopback1007
ip access-group vpn_acl-tunnel-encr-in in
ip access-group vpn_acl-tunnel-encr-out out
ip mtu 1400
ip route-cache flow
tunnel source Loopback1007
tunnel mode ipsec ipv4
tunnel sequence-datagrams
tunnel checksum
tunnel path-mtu-discovery
tunnel protection ipsec profile IPSEC_Profile
service-policy output qos_pm-VPN
ip access-list extended vpn_acl-tunnel-encr-in
permit ip 172.20.40.0 0.0.0.255 192.168.2.0 0.0.0.255
ip access-list extended vpn_acl-tunnel-encr-out
permit ip 192.168.2.0 0.0.0.255 172.20.40.0 0.0.0.255
!!! the Spoke VPN is configured by my peers (Cisco routers, PIXes, Cisco VPN concentrators)
!!! all follow the standard crypto map config on the physical interface.
!!! i.e. http://www.vpnc.org/InteropProfiles/cisco-ios.txt
It is obvious that with my router configured as a VPN hub, if the tunnel dies, I need to wait for the peer to reset the tunnel; all this time my clients in my network are not able to access the remote sites.
The reason to use the virtual-template interfaces as opposed to the traditional "crypto map" way is that my peers do not want to share the same VPN end-point between themselves (different companies altogether) and they are very strict in regards to ACLs. As I don't have a VPN device for each one of them and their number increases (I have 5 separate tunnels right now with a potential growth to 15 in the next 3 months), I need to find a way to get rid of the hub config on my end (I did not have much choice there when I migrated to this platform from a linux box).
Pros for the Virtual-Template:
- separate QoS for each tunnel
- ACLs configured directly on the tunnel interface (greater flexibility)
- tunnel end-point IP address can be part of a range BGP advertised via multiple ISP links
Cons:
- hub config, the tunnel needs to be reset by the peer
Any help is very much appreciated. Thank you,
Adrian
Hope the following link will help you
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008019d6f7.shtml -
Dynamic VLAN Assignment with RADIUS Server and Aironet Access Points
Hi Guys,
I would like to go for "Dynamic VLAN Assignment with RADIUS Server and Aironet Access Points 1300". I want the AP to broadcast only 1 SSID. The client finds the SSID -> puts in his user credentials -> Radius authentication -> assign him to a specific vlan based on his group membership.
The problem here is that I don't have an AP controller but only configurable Aironet Access Points 1300. I can connect to the radius server, but I am not sure how to configure the AP's port, radio port, vlan and SSID.
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml#switch
I go through some references:
3.5 RADIUS-Based VLAN Access Control
As discussed earlier, each SSID is mapped to a default VLAN-ID on the wired side. The IT administrator may wish to impose back end (such as RADIUS)-based VLAN access control using 802.1X or MAC address authentication mechanisms. For example, if the WLAN is set up such that all VLANs use 802.1X and similar encryption mechanisms for WLAN user access, then a user can "hop" from one VLAN to another by simply changing the SSID and successfully authenticating to the access point (using 802.1X). This may not be preferred if the WLAN user is confined to a particular VLAN.
There are two different ways to implement RADIUS-based VLAN access control features:
1. RADIUS-based SSID access control: Upon successful 802.1X or MAC address authentication, the RADIUS server passes back the allowed SSID list for the WLAN user to the access point or bridge. If the user used an SSID on the allowed SSID list, then the user is allowed to associate to the WLAN. Otherwise, the user is disassociated from the access point or bridge.
2. RADIUS-based VLAN assignment: Upon successful 802.1X or MAC address authentication, the RADIUS server assigns the user to a predetermined VLAN-ID on the wired side. The SSID used for WLAN access doesn't matter because the user is always assigned to this predetermined VLAN-ID.
extract from: Wireless Virtual LAN Deployment Guide
http://www.cisco.com/en/US/products/hw/wireless/ps430/prod_technical_reference09186a00801444a1.html
==============================================================
Dynamic VLAN Assignment with RADIUS Server and Wireless LAN Controller Configuration Example
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml#switch
==============================================================
Controller: Wireless Domain Services Configuration
http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_example09186a00801c951f.shtml
Any help on this issue is appreciated.
Thanks.
I'm not sure if the Autonomous APs have the option for AAA Override. On the WLC, I can go into the BSSID, Security, Advanced, and there's a checkbox that I would check to allow a Radius server to send back the VLAN.
I did a little research and it looks like the 1300 may give this option but instead is defined as "VLAN Override". I've found the release notes for 12.3(7)JA5 (not sure what version you're running) that give mention and a link to configuring EAP on page 4: http://www.ciscosystems.ch/en/US/docs/wireless/access_point/1300/release/notes/o37ja5rn.pdf
Hope this helps -
Flexconnect AP - dynamic VLAN and local/central switched via radius possible?
Hello at all,
Is it possible to tell a FlexConnect AP whether the client on a single SSID should be locally switched or centrally switched and, if centrally switched, which VLAN it should use?
All I got so far was either central switched with dynamic vlan assignment or local switched with static vlan (because it falls back to the default static vlan configured at the ap if the radius assigned vlan doesn't exist), but I need a flexconnect ap that puts client a into the local switched vlan a and client b to the central switched vlan b, both in the same ssid. Is there a radius attribute to tell a flexconnect ap how to handle this while non flexconnect aps ignore it?
To be more detailed:
At the central location all APs are running in local mode, radius assigns different vlans to the clients (different departments), let's say client a = vlan 100, client b = vlan 200, and this works fine. At the remote locations the APs are running in flexconnect mode with default vlan 10 so that the authenticated clients can break out locally and use the local infrastructure for printing and file storage. At these locations radius also says client a = vlan 100, but client a should be forwarded to local vlan 10 (which already works because there is no vlan 100 configured at the AP, so the default static configuration with vlan 10 is used), while client b should stay in vlan 200 and should be centrally switched to the controller because it isn't allowed to access the local infrastructure. How could this be done? Creating another SSID isn't a valid option.
Thank you,
Christian
Hi Christian.
This is what 7.3 mobility design document tells about "FlexConnect VLAN Based Central Switching" which is listed in above slide.
"From release 7.3 onwards, traffic from FlexConnect APs can be switched centrally or locally depending on the presence of a VLAN on a FlexConnect AP.
In controller software release 7.2, AAA override of VLAN (Dynamic VLAN assignment) for locally-switched WLANs puts wireless clients on the VLAN provided by the AAA server. If the VLAN provided by the AAA server is not present at the AP, the client is put on a WLAN mapped VLAN on that AP and traffic switches locally on that VLAN. Further, prior to release 7.3, traffic for a particular WLAN from FlexConnect APs can be switched Centrally or Locally depending on the WLAN configuration."
FlexConnect VLAN Central Switching Summary
Traffic flow on WLANs configured for Local Switching when FlexConnect APs are in connected mode are as follows:
•If the VLAN is returned as one of the AAA attributes and that VLAN is not present in the FlexConnect AP database, traffic will switch centrally and the client is assigned this VLAN/Interface returned from the AAA server provided that the VLAN exists on the WLC.
•If the VLAN is returned as one of the AAA attributes and that VLAN is not present in the FlexConnect AP database, traffic will switch centrally. If that VLAN is also not present on the WLC, the client will be assigned a VLAN/Interface mapped to a WLAN on the WLC.
•If the VLAN is returned as one of the AAA attributes and that VLAN is present in the FlexConnect AP database, traffic will switch locally.
•If the VLAN is not returned from the AAA server, the client is assigned a WLAN mapped VLAN on that FlexConnect AP and traffic is switched locally.
Traffic flow on WLANs configured for Local Switching when FlexConnect APs are in standalone mode are as follows:
•If the VLAN returned by the AAA server is not present in the FlexConnect AP database, the client will be put on a default VLAN (that is, a WLAN mapped VLAN on a FlexConnect AP). When the AP connects back, this client is de-authenticated and will switch traffic centrally.
•If the VLAN returned by the AAA server is present in the FlexConnect AP database, the client is placed into a returned VLAN and traffic will switch locally.
•If the VLAN is not returned from the AAA server, the client is assigned a WLAN mapped VLAN on that FlexConnect AP and traffic will switch locally.
Enjoy your weekend & I am sure you will be able to get this working.
HTH
Rasika
*** Pls rate all useful responses **** -
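Rasika's quoted bullets are a set of rules with several branches, so here is an added Python model of them (my code, not Cisco's or the post's) that takes an AP's mode, the VLAN returned by AAA and the VLANs known to the AP and the WLC, and returns where the client lands and how it is switched. The remote_site_example function runs Christian's two clients through the connected-mode rules with constructed VLAN sets (only VLANs 10, 100 and 200 come from the thread): under these 7.3 rules a returned VLAN that the AP does not know is switched centrally, rather than falling back to the AP's default VLAN as in the 7.2 behaviour Christian describes.

```python
"""Decision model of the FlexConnect VLAN-based central switching rules quoted above (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Placement:
    switching: str   # "central" or "local"
    vlan: int        # VLAN the client lands in
    reason: str


def place_client(ap_mode, aaa_vlan, ap_vlans, wlc_vlans, wlan_vlan_on_ap, wlan_vlan_on_wlc):
    """Apply the quoted 7.3 rules for a locally-switched WLAN on a FlexConnect AP.

    ap_mode           "connected" or "standalone"
    aaa_vlan          VLAN returned by the AAA server, or None if none was returned
    ap_vlans          VLANs present in the FlexConnect AP database
    wlc_vlans         VLANs/interfaces that exist on the WLC
    wlan_vlan_on_ap   WLAN-mapped VLAN on this AP (the AP's default for the WLAN)
    wlan_vlan_on_wlc  VLAN/interface mapped to the WLAN on the WLC
    """
    if ap_mode not in ("connected", "standalone"):
        raise ValueError("unknown AP mode %r" % ap_mode)
    if aaa_vlan is None:
        # both modes: no AAA VLAN -> WLAN-mapped VLAN on the AP, switched locally
        return Placement("local", wlan_vlan_on_ap, "no VLAN from AAA; WLAN-mapped VLAN on the AP")
    if aaa_vlan in ap_vlans:
        # both modes: AAA VLAN present on the AP -> placed in it, switched locally
        return Placement("local", aaa_vlan, "AAA VLAN present in the AP database")
    if ap_mode == "standalone":
        # AAA VLAN absent on the AP: default VLAN until the AP reconnects; the doc says the
        # client is then de-authenticated and switched centrally
        return Placement("local", wlan_vlan_on_ap,
                         "standalone AP; AAA VLAN absent, default VLAN until the AP reconnects")
    if aaa_vlan in wlc_vlans:
        return Placement("central", aaa_vlan, "AAA VLAN absent on the AP but present on the WLC")
    return Placement("central", wlan_vlan_on_wlc,
                     "AAA VLAN absent on both AP and WLC; WLAN-mapped VLAN on the WLC")


def remote_site_example():
    """Christian's remote site: AP default VLAN 10, AAA returns 100 for client a and 200 for b.
    The VLAN sets are constructed for the example; only 10, 100 and 200 come from the thread."""
    ap_vlans, wlc_vlans = {10}, {10, 100, 200}
    return {
        "client a": place_client("connected", 100, ap_vlans, wlc_vlans, 10, 10),
        "client b": place_client("connected", 200, ap_vlans, wlc_vlans, 10, 10),
    }


if __name__ == "__main__":
    for name, p in remote_site_example().items():
        print(name, p.switching, p.vlan, "-", p.reason)
```

The standalone branch is the one to watch when testing at a remote site with the WAN down: the client looks correctly placed in the default VLAN, but the quoted rules say it is de-authenticated and moved to central switching once the AP reconnects.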
ACS 3.3 Send Radius Attribute 135 & 136
Hi
I need an ACS box to return IETF RADIUS attributes 135 & 136 to a NAS for the assignment of DNS servers to clients.
The ACS 3.3 user guide lists these as supported IETF RADIUS Attributes however they don't seem to be available under Interface Configuration--> Radius IETF.
Would anyone know how I can enable these ?
Thanks
Leon
Hi Leon,
That is quite strange. You should have those attributes.
As you mentioned you have ACS SE, if you could console into it. Issue command,
stop csadmin
start csadmin
Or rebooting ACS SE will re-start the CSAdmin server.
If you are restarting services from System Configuration > Service Control, then that won't restart the CSAdmin service.
Give that a try.
Regards,
Prem