Radius NAC VLAN select support

Hi all,
I have dug through the WLC documentation for 7.3, and in the chapter about RADIUS NAC I read that the VLAN select feature is not supported.
Does anyone know if this will change?
VLAN select is actually a useful feature, and I wouldn't understand it if NAC support through ISE weren't possible.
Hope someone can shed some light on this.
Regards,
Patrick

I think with RADIUS, VLAN select and dynamic VLAN assignment are two different topics. You can have ISE put users on different VLANs within the same WLAN as long as the interface is present on the controller. I have tested this and it works just fine.
VLAN select may be a topic that the wireless folks can shed some light on.
Thanks
Tarik Admani
*Please rate helpful posts*

Similar Messages

  • Radius Nac

    Hi,
    I am trying to set up a NAC lab with the following architecture:
    - 802.1x on switch ports
    - ACS v5 with an external database (Windows) for machine and user authentication
    - ACS v5 does the VLAN assignment, and it works great.
    - NAC Manager
    - NAC agent on workstations: tried with CTA or CCA
    I am trying to add posture validation to check for the presence of an antivirus.
    So I installed a NAC Manager and added an "External Policy Check" to my ACS policy rule.
    The endpoint has CTA or CCA for posture validation.
    It seems ACS doesn't even try to make the request to the manager. I get the following error in ACS:
    STEP_79=15038 Skipping External Policy because of missing or malformed required attributes
    My question is: what do I need to do for external posture validation from ACS 5 to a NAC Manager?
    The reference guide I used is: http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.0/user/guide/common_scenarios.html#wp1053461
    Thanks for your answer
    Regards

  • RADIUS-assigned VLANs are not supported when you enable multiple BSSIDs

    Could someone please tell me whether this is 100% correct?
    "RADIUS-assigned VLANs are not supported when you enable multiple BSSIDs"
    Any ideas why? Does anyone have a way around this?
    As a workaround I was thinking of setting up one broadcast SSID for guests and one non-broadcast SSID for RADIUS-assigned VLANs, however I'd prefer to have both broadcast due to numerous Vista and PDA connection issues.

    Hi.
    Thanks for your reply.
    That is what I would like to do: have one SSID and assign the users to different VLANs based on policy.
    I have all the VLANs and subinterfaces set up correctly and working independently, but the VLAN assignment does not seem to work correctly.
    If I do a "show dot11 association all-client", the RADIUS attribute appears to have altered the VLAN, but the device has no connectivity and cannot get a DHCP lease.
    This is with an 1130AG in autonomous mode and Microsoft IAS as the RADIUS server.
    Apparently there may be a problem with mbssid and RADIUS-assigned VLANs.

  • Ise radius/nac

    Can ISE 1.1 act as a RADIUS server for a WGB through the WLC?
    thank  you

    Tarik,
    Thanks for your answer, here is the problem!
    In order to do PROFILING/POSTURING and all that for wireless clients, here is what's needed:
    Go to the WLC (wireless controller) and choose RADIUS/NAC for the SSID.
    So with SSID = test set to RADIUS/NAC, all normal clients go through ISE and get postured and profiled, and all that works fine except...
    WGBs cannot connect to SSID=test at all, and they do not appear on ISE as an attempt at all.
    As soon as I remove the RADIUS/NAC option from the WLC, the WGB connects, shows up on ISE fine and gets authenticated. You would say "well, there you go, that's your problem". Well, yeah, but if I DISABLE the RADIUS/NAC option on the WLC, I lose the ability to control normal users that connect to SSID=test, so it would just be PERMIT/DENY ACCESS based on username, and the whole point of ISE would be reduced to ACS or a simple RADIUS server.
    Do you get my point?
    Thank you.
    P.S. So for me to POSTURE/PROFILE wireless clients I need to use the RADIUS/NAC option, and for WGBs I have to set up a NEW SSID and leave that SSID without the RADIUS/NAC option, so it can only authenticate through ISE and not posture/profile clients. I do not need to posture/profile clients behind the WGB (it would be great, but I don't necessarily need to, and I know they don't support the CoA Change of Access attribute in RADIUS).

  • Vlan Select & Layer 2 Multicast optimization

    I am going to implement this VLAN select feature in my campus network. We are running 7.3 and planning to move to 7.4 WLC code as well. I used the reference document below for this task.
    WLC 7.2 VLAN Select and Multicast Optimization Features Deployment Guide
    I am a bit confused about layer 2 multicast optimization. The document says we can enable/disable it with the following CLI command:
    config network multicast l2mcast <enable|disable> <interface>
    I have 4 interfaces called student-wireless-1 to 4 (VLANs 1161-1164) mapped into a single interface group. For layer 3 multicast I will make VLAN 1161 the multicast interface with the "multicast VLAN feature" enabled. For layer 2, what should I do? Is layer 2 multicast enabled on all these interfaces by default? If so, should I disable L2 multicast on 3 of these interfaces like below? Would there be any issue with disabling layer 2 multicast on those interfaces?
    config network multicast l2mcast disable student-wireless-2
    config network multicast l2mcast disable student-wireless-3
    config network multicast l2mcast disable student-wireless-4
    If it is not enabled by default, should I go ahead and enable it on one interface like below?
    config network multicast l2mcast enable student-wireless-1
    If someone can explain this, that would be highly appreciated.

    Thanks for the help, but I found some further information. Some switches (2955, 2960, 3560 or 3750) can act as a "multicast querier", taking the place of a multicast router without actually needing to support multicast routing. This means you don't actually need IP Services IOS or a layer 3 switch.
    Configuration as per below:
    http://www.cisco.com/en/US/customer/products/hw/switches/ps5528/products_configuration_guide_chapter09186a00803a9a29.html#wp1187873
    Supported platforms below (look for igmp querier);
    http://www.cisco.com/en/US/customer/tech/tk828/technologies_tech_note09186a0080122a70.shtml#topic3
    Thanks for putting me on the right track however.

  • VLAN Select with firewall interfaces

    We are looking to implement VLAN select on a wireless network. This network needs to be terminated behind the firewall. We were looking at putting the layer 3 interfaces on the core, then using a route-map to change the next hop to the common firewall interface. Is there a better way to configure such a setup?

    Yup,
    There should be no problem with such a configuration. I suspect something is misconfigured on the switches. Are you sure both ports are trunks and both are configured as a single EtherChannel in LACP mode on the switches?
    Because the VLANs are configured over bonds, I'd rather suspect an LACP misconfiguration than the VLANs here. AFAIK you should be having problems without using VLANs too.
    Here is my config, which just works, and there are a couple of VLANs configured over bond0:
    Ethernet Channel Bonding Driver: v3.7.1 (April 27, 2011)
    Bonding Mode: IEEE 802.3ad Dynamic link aggregation
    Transmit Hash Policy: layer2 (0)
    MII Status: up
    MII Polling Interval (ms): 250
    Up Delay (ms): 500
    Down Delay (ms): 500
    802.3ad info
    LACP rate: slow
    Min links: 0
    Aggregator selection policy (ad_select): stable
    Active Aggregator Info:
            Aggregator ID: 1
            Number of ports: 4
            Actor Key: 17
            Partner Key: 40
            Partner Mac Address: 02:00:00:00:00:0c
    Slave Interface: eth0
    MII Status: up
    Speed: 1000 Mbps
    Duplex: full
    Link Failure Count: 0
    Permanent HW addr: 5c:f3:fc:da:bb:14
    Aggregator ID: 1
    Slave queue ID: 0
    Slave Interface: eth1
    MII Status: up
    Speed: 1000 Mbps
    Duplex: full
    Link Failure Count: 0
    Permanent HW addr: 5c:f3:fc:da:bb:16
    Aggregator ID: 1
    Slave queue ID: 0
    Slave Interface: eth2
    MII Status: up
    Speed: 1000 Mbps
    Duplex: full
    Link Failure Count: 0
    Permanent HW addr: 00:10:18:a5:bb:80
    Aggregator ID: 1
    Slave queue ID: 0
    Slave Interface: eth3
    MII Status: up
    Speed: 1000 Mbps
    Duplex: full
    Link Failure Count: 0
    Permanent HW addr: 00:10:18:a5:bb:82
    Aggregator ID: 1
    Slave queue ID: 0
    The Oracle VM documentation states only that mode=6 bonding is not supported with VLANs, but mode=4 is frequently used with Oracle VM.
    Regards,
    Michal

  • VLAN Select (Interface groups) and Outdoor AP 1552

    Hi board,
    I'm just reading the 7.2 release configuration guide and found this:
    http://www.cisco.com/en/US/docs/wireless/controller/7.2/configuration/guide/cg_ports_interfaces.html#wp1384874
    Chapter VLAN Select - "Guidelines and Limitations"
    The following lightweight access points are supported: Cisco Aironet 1120, 1230, 1130, 1040, 1140, 1240, 1250, 1260, 3500, 1522/1524 Access Points, and 800 Series access points
    Does anybody know if the 1552 outdoor AP (local mode) is supported with VLAN select? It's not listed in the config guide (nor is the 3600). I surely hope so :-)

    As long as the 1552 is in local mode, it has the same features as the other APs listed, and VLAN select is one of them. If you change the role to bridge, then no.
    Sent from Cisco Technical Support iPhone App

  • Not able to add Select Supported Document Types

    Hi
    I am new to Oracle B2B.
    I am going through the steps given in the tutorial http://download.oracle.com/docs/cd/E14571_01/integration.1111/e10229/b2b_tps.htm#BABGAJDE
    Completed up to 5.3 - Task 2 (Add a User in the Oracle B2B Interface)
    And the next thing:
    I am not able to Add Select Supported Document Types. When I click on "Add supported document type for the selected user", I can see "CUSTOM", "EDI_EDIFACT" etc., but on that screen my "Add" button is disabled.
    Please let me know how to proceed with this.
    Thanks,
    Deepthi.
    Edited by: 796969 on 27/09/2010 14:11

    Hi Deepthi,
    You can download the samples from the location below. The samples also have a document for step-by-step configuration:
    B2B Samples are part of SOA samples:
    http://www.oracle.com/technology/sample_code/products/soa/index.html
    Developer Notes / Step by Step configuration guide:
    http://www.oracle.com/technology/products/soa/b2b/index.html
    http://www.oracle.com/technology/products/soa/b2b/collateral/B2B_TU001_EDI.pdf
    http://www.oracle.com/technology/products/soa/b2b/collateral/B2B_TU002_HL7.pdf
    http://www.oracle.com/technology/products/soa/b2b/collateral/B2B_TU003_ebxml.pdf
    http://blogs.oracle.com/oracleb2bgurus/2010/04/oracle_b2b_started_kit.html
    Please let us know which usecase you are trying for more details.
    Rgds,
    Nitesh Jain

  • PDF viewer with selection support?

    I need to copy and paste some text strings from a PDF document.
    To my surprise, PDF viewers generally don't support selecting text.
    For example, in epdfview and in gv I can't find a way to select text with the mouse.
    In xpdf it is possible, but it isn't very natural (try it yourself).
    Are there any other good PDF viewers with selection support?
    Or do you know how to enable it in epdfview?

    When you create a PDF you can deny copying, printing and other things. Maybe the PDF document has copying denied, and that is why you cannot select any text.

  • WLC 5508, vlan select, reserved address in external DHCP server

    Hi guys,
    I have a deployment with a WLC 5508 version 7.0.116.0, APs in local mode and the VLAN select feature enabled. The issue is that reserved IP addresses in the external DHCP server do not work. The DHCP server contains a reserved IP address associated with a MAC address, but the IP assignment does not match the policies in DHCP. All other services operate normally.
    This reserved assignment worked before I changed the WLAN to the VLAN select feature. Please help me improve this situation.
    Thanks.-
    Best regards

    Hello Abhishek, thanks for your quick answer....
    The link was a document used for the deployment, but it doesn't specify anything about reserved IP addresses for particular hosts. In other words, the reserved IP address (through MAC address) in the external DHCP server does not work when "VLAN select" is enabled.

  • FlexConnect & ISE ACLs - AAA Overide/RADIUS NAC

    Hi Chaps,
    I have 3 ACLs configured on a WLC for CWA, Corp and Guest users. On local mode APs, these are called up using the Airespace fields in the ISE policies, dependent on what rule is hit.
    ACL-WEBAUTH-REDIRECT
    ACL-PERMIT-CORP-TRAFFIC
    ACL-PERMIT-GUEST-TRAFFIC
    Will FlexConnect APs call up the ACLs in the same way as local mode APs, given that the WLAN will be AAA Override/RADIUS NAC, or will FlexConnect ACLs be required?
    Cheers,
    N

    I believe you need to create Flex ACLs on the WLC. These Flex ACLs can be named the same as the regular ACLs, so in ISE you wouldn't have to change the auth profile.
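The two replies above (dynamic VLAN assignment from ISE in the first thread, and the Airespace ACL name pushed from the ISE authorization profile here) both rely on the RADIUS Access-Accept the controller receives. The following is an added example, not code from the thread and not Cisco's or ISE's implementation: it builds such an Access-Accept with the RFC 2868 tunnel attributes that select the VLAN and the Airespace-ACL-Name vendor attribute (vendor ID 14179, VSA type 6), computes the Response Authenticator, and shows the check the NAS must perform with the shared secret before honouring any of those attributes. The shared secret, packet identifier and Request Authenticator are made-up values; VLAN 1161 and ACL-PERMIT-CORP-TRAFFIC are taken from posts in this thread.

```python
"""RADIUS Access-Accept for AAA Override: VLAN via tunnel attributes plus an
Airespace-ACL-Name VSA, with Response Authenticator generation and check.
Added example; the secret, identifier and Request Authenticator are made up."""
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
# RFC 2865 / RFC 2868 attribute types
VENDOR_SPECIFIC = 26
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_802 = 13, 6
# Cisco Airespace dictionary: vendor 14179, Airespace-ACL-Name is VSA type 6
AIRESPACE_VENDOR_ID = 14179
AIRESPACE_ACL_NAME = 6


def attr(atype: int, value: bytes) -> bytes:
    """One RADIUS AVP: type, length (header included), value."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value exceeds 253 bytes")
    return struct.pack("!BB", atype, len(value) + 2) + value


def tagged_int(tag: int, value: int) -> bytes:
    """Tagged tunnel integer: 1-byte tag followed by a 3-byte value."""
    return bytes([tag]) + value.to_bytes(3, "big")


def vlan_and_acl_attrs(vlan_id: int, acl_name: str, tag: int = 1) -> bytes:
    """Attributes that make a WLC with AAA Override move the client to
    VLAN `vlan_id` and apply the controller ACL named `acl_name`."""
    name = acl_name.encode()
    vsa = struct.pack("!BB", AIRESPACE_ACL_NAME, len(name) + 2) + name
    return b"".join([
        attr(TUNNEL_TYPE, tagged_int(tag, TUNNEL_TYPE_VLAN)),
        attr(TUNNEL_MEDIUM_TYPE, tagged_int(tag, TUNNEL_MEDIUM_802)),
        attr(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan_id).encode()),
        attr(VENDOR_SPECIFIC, struct.pack("!I", AIRESPACE_VENDOR_ID) + vsa),
    ])


def access_accept(ident: int, request_auth: bytes, attrs: bytes, secret: bytes) -> bytes:
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """The NAS-side check: recompute the authenticator with its own copy of the
    secret and the Request Authenticator of the outstanding request. A forged
    or replayed Accept fails here and its VLAN/ACL attributes are ignored."""
    if len(packet) < 20:
        return False
    header, got, attrs = packet[:4], packet[4:20], packet[20:]
    if struct.unpack("!BBH", header)[2] != len(packet):
        return False
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    return hmac.compare_digest(got, expected)


def parse_attrs(attrs: bytes) -> dict:
    """Decode AVPs; tunnel attributes become (tag, value), VSAs are keyed by
    ("vsa", vendor_id, vendor_type)."""
    out, i = {}, 0
    while i < len(attrs):
        t, l = attrs[i], attrs[i + 1]
        if l < 2 or i + l > len(attrs):
            raise ValueError("malformed RADIUS attribute")
        v = attrs[i + 2:i + l]
        if t == VENDOR_SPECIFIC:
            vendor = struct.unpack("!I", v[:4])[0]
            vtype, vlen = v[4], v[5]
            out[("vsa", vendor, vtype)] = v[6:4 + vlen]
        elif t in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            out[t] = (v[0], int.from_bytes(v[1:], "big"))
        elif t == TUNNEL_PRIVATE_GROUP_ID:
            # RFC 2868: a first byte above 0x1F is data, not a tag
            out[t] = (v[0], v[1:].decode()) if v[0] <= 0x1F else (0, v.decode())
        else:
            out[t] = v
        i += l
    return out


def demo() -> dict:
    secret = b"example-shared-secret"     # made-up value
    request_auth = bytes(range(16))       # made-up Request Authenticator
    attrs = vlan_and_acl_attrs(1161, "ACL-PERMIT-CORP-TRAFFIC")
    pkt = access_accept(42, request_auth, attrs, secret)
    assert verify_response(pkt, request_auth, secret)
    # Same packet replayed against a different request: rejected.
    assert not verify_response(pkt, bytes(16), secret)
    return parse_attrs(pkt[20:])


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Whether a FlexConnect AP applies the named ACL locally or the controller applies it centrally is a WLC question, as the reply above says; the attribute on the wire is the same either way, which is why the ISE authorization profile does not need to change when the Flex ACL carries the same name.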

  • Requirements for VLAN select feature in 5508 WLC

    Hello,
    We implemented a WLC 5508 with software version 7.3 and 8 Aironet devices, most of them AIR-LAP1131AG-E-K9 and two AIR-LAP1242AG-E-K9.
    I could really benefit from the VLAN select feature, but I noticed that it's not working like it should. Two interfaces are in the interface group, but of 45 clients only a few have an IP address from one subnet; the others have one from the second subnet.
    I see the requirement for this to work is 32 MB of flash on the LWAP devices.. I only have 16 MB..
    Is there a way to work this out? An upgrade of the flash on the devices or something?
    Thank you in advance and kind regards..
    Lovro

    Thx L - as usual, I need to read before speaking.
    Interesting topic though. I would assume that the MAC hashing algorithm used would be similar to how EtherChannel maintains load balancing (src-dst) etc.. What I don't quite understand is the definition of "dirty". What makes an interface "dirty"? Given the flow chart depicted in the link you sent, I'm wondering how the interface assignments are kept in the switch. I'm assuming you create the interfaces, create the interface group, assign the interfaces to the group and finally assign the interface group to the WLAN. During all this time, how are the stations using that WLAN being handled? Almost should clear everything out, create the group tied to the WLAN, THEN join the stations one at a time and see what interface they get assigned to. At that point it should be balanced. Also, it's my understanding that those stations should keep their assigned interface the next time they connect unless there is a "dirty" condition, which I don't quite understand yet.
    Anyway - rambling now. Looking forward to your test results. Thx again! //art

  • VLAN Select - Interface dirty - Index based on Mac Address

    Hello Experts,
    We are testing the VLAN Select feature with a 5508 controller, version 7.0.230, and two /23 DHCP scopes on an external DHCP server. Our cookbook is the following document:
    http://www.cisco.com/en/US/products/ps10315/products_tech_note09186a0080bb4900.shtml
    Now I have a few questions:
    1 - Is there any way to see the index calculated from the MAC address, which determines the interface assigned to the client? I tried "debug client MAC-ADDRESS" and "debug dhcp". Maybe I overlooked it, but I can't find any information on that index.
    2 - Is there a CLI command to delete the index? It would be great for testing purposes and troubleshooting.
    3 - Is there a CLI command to check whether the interface is "dirty"?
    4 - Our DHCP server has a lease time of 5 minutes. Is it possible to set the interface dirty time to a value less than 30 minutes?
    Best Regards,
    Michael

    I know this is an old post - but I ran across it trying to find an answer to the same questions.
    Did you ever find any answers?  I did find an answer to question 3, show interface group detailed.
    But I haven't found a way to delete the indexes short of rebooting all the controllers, and apparently you would have to reboot them all at the same time.

  • Vlan Select and DHCP reservations on a WISM with code 7.0.116.0

    We went to using VLAN select this semester and have had a couple of issues where clients (printers) won't pull their reserved IP from DHCP. From what I've read, VLAN select can handle static IP addresses, but can it handle DHCP reservations if the VLAN currently selected by the round-robin function is not the VLAN the IP is reserved in?

    George,
    Are you talking about a DHCP MAC reservation for a device on all VLANs in the bundle? If so, you can... The issue I ran into is that clients had to connect to a wireless printer and a wireless projector, and they connected to it via IP address. So it became a nightmare with users. They just kept complaining that it works some days and other days it doesn't. Some devices were powered off after they were used. It would be nice if you could import a list of MAC addresses and specify what interface each is allowed on... That would make it easy.
    Sent from my iPhone
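The three threads above (the uneven split of 45 clients across two interfaces, the per-MAC index and "dirty" interface questions, and the DHCP reservations that stop working) all turn on the same behaviour: the controller derives an index from the client MAC to pick one interface from the interface group, keeps that choice for the client on reconnect, and skips an interface marked dirty after a failed DHCP exchange. The following is an added example, not code from the thread and not Cisco's implementation: a small model of that behaviour. The hash function is a placeholder (Cisco does not publish the real one), the 30-minute dirty timer is the value the question above mentions, and the interface names and MAC addresses are constructed. Only the shape of the behaviour carries over to a real controller, not the interface any particular MAC lands on.

```python
"""Model of VLAN Select interface-group selection as described in the thread.
Added example; the MAC hash is a placeholder, not Cisco's algorithm."""
import hashlib
from dataclasses import dataclass, field

DIRTY_SECONDS = 30 * 60   # dirty timer mentioned in the thread (30 minutes)


def mac_index(mac: str, n: int) -> int:
    """Placeholder MAC-to-index hash (assumption, not the controller's)."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    return int.from_bytes(hashlib.sha256(raw).digest()[:4], "big") % n


@dataclass
class InterfaceGroup:
    interfaces: list                                   # e.g. "student-wireless-1"
    dirty_until: dict = field(default_factory=dict)    # iface -> time it is clean again
    assigned: dict = field(default_factory=dict)       # mac -> iface (sticky)

    def clean(self, now: float) -> list:
        return [i for i in self.interfaces if self.dirty_until.get(i, 0) <= now]

    def select(self, mac: str, now: float) -> str:
        """Sticky per-MAC choice among the interfaces that are not dirty now."""
        usable = self.clean(now) or self.interfaces     # all dirty: nothing to skip
        if mac in self.assigned and self.assigned[mac] in usable:
            return self.assigned[mac]
        iface = usable[mac_index(mac, len(usable))]
        self.assigned[mac] = iface
        return iface

    def dhcp_failed(self, iface: str, now: float) -> None:
        """A client got no DHCP lease on this interface: mark it dirty."""
        self.dirty_until[iface] = now + DIRTY_SECONDS


def distribution(group: InterfaceGroup, macs: list, now: float = 0.0) -> dict:
    """How many clients each interface receives; small client counts need not
    split evenly, which is what the 45-client observation above looks like."""
    counts = {i: 0 for i in group.interfaces}
    for mac in macs:
        counts[group.select(mac, now)] += 1
    return counts


def reservation_honoured(group: InterfaceGroup, mac: str, reserved_on: str,
                         now: float = 0.0) -> bool:
    """A DHCP MAC reservation is only offered if the client lands on the
    interface whose scope holds it; on any other member it is ignored."""
    return group.select(mac, now) == reserved_on


if __name__ == "__main__":
    g = InterfaceGroup([f"student-wireless-{k}" for k in range(1, 5)])
    clients = [f"00:11:22:33:44:{k:02x}" for k in range(45)]   # constructed MACs
    print(distribution(g, clients))
    first = g.select(clients[0], 0.0)
    g.dhcp_failed(first, 0.0)
    print(first, "->", g.select(clients[0], 0.0))
```

The model also answers the reservation question in the thread's own terms: a reservation that must work regardless of the chosen interface has to exist in every scope of the group (the same MAC reserved in each subnet), otherwise it is honoured only when the hash happens to pick the matching interface.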

  • APs and switch voice vlans also supporting data traffic

    Hi, I have a wireless IP phone, an AP, a 2960 switch1 and another 2960 switch2. My question is: if I configure voice VLANs on the access ports on switch1 (for voice and data), switch1 is connected to the AP, and the IP phone gets connected to the AP somehow (please guide), will this configuration work, or am I missing a lot of info?

    Thanks srahn, one more question: if I configured a single voice VLAN on my switch1 (supporting data and voice) like this..
    voice VLAN on switch1:
    mls qos
    !
    interface FastEthernet0/1
     description connection to Accesspoint1
     ! "switchport trunk encapsulation" is only accepted on platforms that also
     ! support ISL (3560/3750); a 2960 is 802.1Q-only and has no such command
     switchport trunk encapsulation dot1q
     switchport mode trunk
     ! native VLAN must match the AP's native VLAN (VLAN 2 below)
     switchport trunk native vlan 2
     switchport voice vlan 10
     switchport priority extend trust
     mls qos trust cos
    !
    interface FastEthernet0/0
     description connection to switch2 for inter-vlan
     switchport trunk encapsulation dot1q
     switchport mode trunk
     switchport trunk native vlan 2
    Then a native VLAN on the AP like this...
    ! native-VLAN subinterfaces must be in bridge-group 1, the group of BVI1
    interface FastEthernet0.2
     encapsulation dot1Q 2 native
     bridge-group 1
    !
    interface Dot11Radio0.2
     encapsulation dot1Q 2 native
     bridge-group 1
    Voice VLAN (VLAN 10) on the AP like this...
    interface Dot11Radio0
     ssid voices
      vlan 10
      authentication open
    !
    interface FastEthernet0.10
     encapsulation dot1Q 10
     bridge-group 10
    !
    interface Dot11Radio0.10
     encapsulation dot1Q 10
     bridge-group 10
    Looking at this configuration example, how do I support voice and data traffic on the VLANs on the AP.... Do I also have to configure a native VLAN (for data) on switch1? Because I intend to have 1 VLAN that supports both voice and data.
    **** Will the configuration above work for my network?