Vlan Assignment
Hi, presently I use ISE v1.1.2 to push VLANs by their numeric ID; no issue using this method.
Now I want to start pushing VLANs by their names. Using this method, the client (wireless) is not placed in the VLAN.
All switches have their VLAN names configured. Has anybody ever used this method with success?
I'm using WLC 7.6.130 with FlexConnect local switching
Thanks !
Hi Marvin,
I was trying to push a VLAN (dVLAN) by ISE policy but it does not work for me. I use the VLAN ID, and in the switch I can see the VLAN is pushed to the ports (show auth sess int gix/x, in VLAN policy, see attached). However, the client's IP is not changing with the new VLAN and it still gets the IP from the default VLAN configured on the port.
We have a new ISE AuthZ policy for a certain group who should get an IP from that particular VLAN and then a DACL will be pushed. I'm not sure whether both DACL and dynamic VLAN work in ISE (we are using ISE 1.3).
Appreciate it if you can give advice on this.
thanks in advance.
Similar Messages
-
802.1X and automatic vlan assignment
Hello,
I'm testing an 802.1X infrastructure:
Switch: tried with Netgear Prosafe GS728TPS and Cisco SF300
RADIUS server: Microsoft NPS
DHCP relay for address assignment by VLAN
I have created some policies with simple authentication for testing (MSCHAPv2) and VLAN assignment or not (depending on Active Directory group).
All works fine on Windows 7 Pro. User 1 is authenticated without a VLAN and user 2 is authenticated with a VLAN.
DHCP works fine and the 2 users have an IP.
When I try on Mac OS X (10.7.2 and 10.9.2), user 1 (without VLAN) works fine. I have an IP and access to the LAN. But user 2 (with VLAN) doesn't work. The Mac doesn't get an IP and I'm not on the VLAN. If I manually set an IP from the VLAN, I have no access to the VLAN.
Are there some specific parameters to add to enable VLANs on Mac OS X?
Thanks for replying
Ben
Edit: It's for wired connections
-
WLC 5508: 802.1X AAA override; authentication succeeds, no dynamic VLAN assignment
WLC 5508: software version 7.0.98.0
Windows 7 Client
Radius Server: Fedora Core 13 / Freeradius with LDAP storage backend
I have followed the guide at http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml with respect to building the LDAP and FreeRADIUS server. 802.1X authorization and authentication work correctly. The session keys are returned from the RADIUS server and the WLC sends the appropriate information for the client to generate the WEP key.
However, the WLC does not override the VLAN assignment, even though I believe I set everything up correctly. From the packet capture, you can see that the verification that the client is authorized to use the WLAN returns the needed attributes:
AVP: l=4 t=Tunnel-Private-Group-Id(81): 10
AVP: l=6 t=Tunnel-Medium-Type(65): IEEE-802(6)
AVP: l=6 t=Tunnel-Type(64): VLAN(13)
I attached a packet capture and WLC config; any guidance toward the attributes that may be missing or not set correctly in the config would be most appreciated.
Yes, good catch, so I had one setting left off in FreeRADIUS that allowed the inner reply attributes back to the outer tunneled accept. I wrote up a medium/high-level config for any future viewers of this thread:
The following was tested and verified on a Fedora 13 installation. This is a minimal setup, not meant for a "live" network (security issues with cleartext passwords, LDAP not indexed properly for performance).
Install Packages
1. Install needed packages.
yum install openldap*
yum install freeradius*
2. Set the services to automatically start at system startup
chkconfig --level 2345 slapd on
chkconfig --level 2345 radiusd on
Configure and start LDAP
1. Copy the needed LDAP schema for RADIUS. Your path may vary a bit
cp /usr/share/doc/freeradius*/examples/openldap.schema /etc/openldap/schema/radius.schema
2. Create an admin password for slapd. Record this password for later use when configuring the slapd.conf file
slappasswd
3. Add the ldap user and group, if they don't exist. Depending on the install RPM, they may have been created already
useradd ldap
groupadd ldap
4. Create the directory and assign permissions for the database files
mkdir /var/lib/ldap
chmod 700 /var/lib/ldap
chown ldap:ldap /var/lib/ldap
5. Edit the slapd.conf file.
cd /etc/openldap
vi slapd.conf
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#Default needed schemas
include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/duaconf.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/java.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/ppolicy.schema
include /etc/openldap/schema/collective.schema
#Radius include
include /etc/openldap/schema/radius.schema
#Samba include
#include /etc/openldap/schema/samba.schema
# Allow LDAPv2 client connections. This is NOT the default.
allow bind_v2
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
# ldbm and/or bdb database definitions
#Use the Berkeley database
database bdb
#dn suffix, domain components read in order
suffix "dc=cisco,dc=com"
checkpoint 1024 15
#root container node defined
rootdn "cn=Manager,dc=cisco,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# rootpw secret
rootpw {SSHA}cVV/4zKquR4IraFEU7NTG/PIESw8l4JI
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools. (chown ldap:ldap)
# Mode 700 recommended.
directory /var/lib/ldap
# Indices to maintain for this database
index objectClass eq,pres
index uid,memberUid eq,pres,sub
# enable monitoring
database monitor
# allow only the rootdn to read the monitor
access to *
by dn.exact="cn=Manager,dc=cisco,dc=com" read
by * none
6. Remove the slapd.d directory
cd /etc/openldap
rm -rf slapd.d
7. Hopefully, if everything is correct, you should be able to start up slapd with no problem
service slapd start
8. Create the initial database in a text file called /tmp/initial.ldif
dn: dc=cisco,dc=com
objectClass: dcObject
objectClass: organization
o: cisco
dc: cisco

dn: ou=people,dc=cisco,dc=com
objectClass: organizationalUnit
ou: people
description: people

dn: uid=jonatstr,ou=people,dc=cisco,dc=com
objectClass: top
objectClass: radiusprofile
objectClass: inetOrgPerson
cn: jonatstr
sn: jonatstr
uid: jonatstr
description: user Jonathan Strickland
radiusTunnelType: VLAN
radiusTunnelMediumType: 802
radiusTunnelPrivateGroupId: 10
userPassword: ggsg
9. Add the file to the database
ldapadd -x -h localhost -W -D "cn=Manager,dc=cisco,dc=com" -f /tmp/initial.ldif
10. Issue a basic query to the LDAP DB to make sure that we can request and receive results back
ldapsearch -x -h localhost -W -D "cn=Manager,dc=cisco,dc=com" -b "dc=cisco,dc=com" -s sub "(objectClass=*)"
Configure and Start FreeRadius
1. Configure ldap.attrmap, if needed. This step is only needed if we need to map and pass attributes back to the authenticator (dynamic VLAN assignment, for example). Below is an example for dynamic VLAN assignment
cd /etc/raddb
vi ldap.attrmap
For dynamic VLAN assignments, verify the following lines exist:
replyItem Tunnel-Type radiusTunnelType
replyItem Tunnel-Medium-Type radiusTunnelMediumType
replyItem Tunnel-Private-Group-Id radiusTunnelPrivateGroupId
Since we are planning to use userPassword, we will let the mschap module perform the NT translations for us. Add the following line to check the LDAP object for userPassword and store it as Cleartext-Password:
checkItem Cleartext-Password userPassword
2. Configure eap.conf. The following sections and attributes should be verified. You may change other attributes as needed; they are just not covered in this document.
eap {
    default_eap_type = peap
    .....
    tls {
        # Not covered in detail here as this is beyond the scope of setting up freeradius.
        # The defaults will work, as freeradius comes with generated self-signed certificates.
    }
    peap {
        default_eap_type = mschapv2
        # You will have to set this to allow the inner TLS tunnel attributes into the final accept message
        use_tunneled_reply = yes
    }
}
3. Change the authentication and authorization modules and order.
cd /etc/raddb/sites-enabled
vi default
For the authorize section, uncomment the ldap module.
For the authenticate section, uncomment the ldap module.
vi inner-tunnel
Very important: for the authorize section, ensure the ldap module is first, before mschap. Thus authorize will look like:
authorize {
    ldap
    mschap
    ......
}
4. Configure ldap module
cd /etc/raddb/modules
ldap {
    server = "localhost"
    identity = "cn=Manager,dc=cisco,dc=com"
    password = admin
    basedn = "dc=cisco,dc=com"
    base_filter = "(objectclass=radiusprofile)"
    access_attr = "uid"
    ............
}
5. Start up radius in debug mode on another console
radiusd -X
6. radtest jonatstr ggsg localhost 12 testing123
You should get a Access-Accept back
7. Now to perform an EAP-PEAP test. This will require a wpa_supplicant test utility called eapol_test
First install the OpenSSL libraries and headers, required to compile
yum install openssl*
yum install gcc
wget http://hostap.epitest.fi/releases/wpa_supplicant-0.6.10.tar.gz
tar xvf wpa_supplicant-0.6.10.tar.gz
cd wpa_supplicant-0.6.10/wpa_supplicant
vi defconfig
Uncomment CONFIG_EAPOL_TEST=y and save/exit
cp defconfig .config
make eapol_test
cp eapol_test /usr/local/bin
chmod 755 /usr/local/bin/eapol_test
8. Create a test config file named eapol_test.conf.peap
network={
    eap=PEAP
    eapol_flags=0
    key_mgmt=IEEE8021X
    identity="jonatstr"
    password="ggsg"
    # If you want to verify the server certificate, the line below would be needed
    #ca_cert="/root/ca.pem"
    phase2="auth=MSCHAPV2"
}
9. Run the test
eapol_test -c ~/eapol_test.conf.peap -a 127.0.0.1 -p 1812 -s testing123
-
IAS dot1x dynamic VLAN assignment not working
I have a Windows 2003 server with AD and IAS configured. IAS uses AD for authentication. I have AAA login configured and working. I have AAA dot1x configured on the 3550 switch. IAS has a wired Ethernet policy configured for PEAP and is sending back the attributes tunnel-type = VLAN, tunnel-medium-type = 802, and tunnel-pvt-group-id = 210. My XP supplicant has dot1x enabled and is authenticating through the switch and IAS.
Using Ethereal I can see both the RADIUS request and accept packets. I can see that RADIUS is sending the above attributes through Ethereal as well. Using the debug radius command I can see that the attributes are getting to the switch. When I use the show vlan command the switch port is still in VLAN 1. I want it to be in VLAN 210.
I have upgraded the IOS on the 3550 switch. This fixed a previous problem of the switch not sending the NAS port type of Ethernet. It was sending a port type of Async.
I also have Service Pack 2 on the Windows 2003 server.
Has anyone else had this problem? If so, how do I fix it?
Here is my debug output:
06:56:45: RADIUS: Tunnel-Medium-Type [65] 6 00:ALL_802 [6]
06:56:45: RADIUS: Tunnel-Private-Group[81] 5 "210"
06:56:45: RADIUS: Tunnel-Type [64] 6 00:VLAN [13]
Here is my switch config:
aaa new-model
aaa authentication login default group radius local
aaa authentication dot1x default group radius local
aaa session-id common
interface FastEthernet0/1
switchport mode access
dot1x pae authenticator
dot1x port-control auto
radius-server host 10.1.1.254 auth-port 1645 acct-port 1646 key test
radius-server deadtime 60
You're missing this:
aaa authorization network default group radius
I assume "everything works" other than VLAN-Assignment itself.
This should get you squared away,
-
Mobility Anchor and AAA Overide VLAN Assignment
Hello,
I read a document 2 years ago that said dynamic VLAN assignment was not possible with anchored WLANs. Please, I would like to know if this is now possible. The network setup would be as follows:
1. Foreign and Anchor WLC (5508) with single SSID for both guest and internal users
2. Cisco ISE 1.2 performing AAA override with VLAN tag based on AD group. Guest will go to VLAN for guest after web authentication.
Please, a speedy response would be helpful.
Hi grabonlee,
We have been running an anchor with VLAN override for our guest services. Works well. The VLAN needs to be defined on both the anchor and the foreign. We are running 7.6.120 code.
-
Dynamic VLAN Assignment + NPS
Hello,
I'm planning a deployment with the following:
5508 WLC running 7.0.222.0
NCS 1.0.2.29
50+ 3502i AP's
Windows 2008 R2 running NPS
EAP-TLS for authentication
The end goal is to have a single SSID and utilize NPS to dynamically assign VLAN's depending on role/group.
I've read several documents that use ACS to complete the dynamic VLAN assignment (including http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml), however in this case ACS is not available.
My question basically is: do I need ACS to apply the VSA for Cisco Airespace, or can this be done solely with the following IETF attributes using Microsoft NPS and AAA override on the WLC?
[64] Tunnel-Type
[65] Tunnel-Medium-Type
[81] Tunnel-Pvt-Group-ID
Any advice would be greatly appreciated!
Thanks
Thanks Steve for your quick response.
I did everything as per your recommendation and it still doesn't work.
Do you mind providing me remote assistance? Do you have Skype?
Or if you prefer that I provide you a set of logs, tell me which ones and I will do so.
SSID:TT
@IP WLC: 172.20.252.70
NPS: 172.20.1.16
Config rule NPS: Service-Type: NAS Prompt
Tunnel-Type: VLAN
Tunnel-Pvt-Group-ID: 10
Tunnel-Medium-Type: 802
log WLC:
*radiusTransportThread: Sep 19 12:32:47.841: ****Enter processIncomingMessages: response code=2
*radiusTransportThread: Sep 19 12:32:47.841: ****Enter processRadiusResponse: response code=2
*radiusTransportThread: Sep 19 12:32:47.841: 8c:70:5a:1c:8e:20 Access-Accept received from RADIUS server 172.20.1.16 for mobile 8c:70:5a:1c:8e:20 receiveId = 4
*Dot1x_NW_MsgTask_0: Sep 19 12:32:47.841: 8c:70:5a:1c:8e:20 Processing Access-Accept for mobile 8c:70:5a:1c:8e:20
*Dot1x_NW_MsgTask_0: Sep 19 12:32:47.842: 8c:70:5a:1c:8e:20 Applying new AAA override for station 8c:70:5a:1c:8e:20
*Dot1x_NW_MsgTask_0: Sep 19 12:32:47.842: 8c:70:5a:1c:8e:20 Override values for station 8c:70:5a:1c:8e:20
source: 4, valid bits: 0x200
qosLevel: -1, dscp: 0xffffffff, dot1pTag: 0xffffffff, sessionTimeout: -1
*Dot1x_NW_MsgTask_0: Sep 19 12:32:47.842: 8c:70:5a:1c:8e:20 Override values (cont..) dataAvgC: -1, rTAvgC: -1, dataBurstC: -1, rTimeBurstC: -1
vlanIfName: 'dy-data-ksb1', aclName: ''
*Dot1x_NW_MsgTask_0: Sep 19 12:32:47.842: 8c:70:5a:1c:8e:20 Inserting new RADIUS override into chain for station 8c:70:5a:1c:8e:20
*Dot1x_NW_MsgTask_0: Sep 19 12:32:47.843: 8c:70:5a:1c:8e:20 Override values for station 8c:70:5a:1c:8e:20
source: 4, valid bits: 0x200
qosLevel: -1, dscp: 0xffffffff, dot1pTag: 0xffffffff, sessionTimeout: -1
*Dot1x_NW_MsgTask_0: Sep 19 12:32:47.843: 8c:70:5a:1c:8e:20 Override values (cont..) dataAvgC: -1, rTAvgC: -1, dataBurstC: -1, rTimeBurstC: -1
vlanIfName: 'dy-data-ksb1', aclName: ''
*Dot1x_NW_MsgTask_0: Sep 19 12:32:47.843: 8c:70:5a:1c:8e:20 Applying override policy from source Override Summation:
*Dot1x_NW_MsgTask_0: Sep 19 12:32:47.843: 8c:70:5a:1c:8e:20 Override values for station 8c:70:5a:1c:8e:20
source: 256, valid bits: 0x200
qosLevel: -1, dscp: 0xffffffff, dot1pTag: 0xffffffff, sessionTimeout: -1
*Dot1x_NW_MsgTask_0: Sep 19 12:32:47.843: 8c:70:5a:1c:8e:20 Override values (cont..) dataAvgC: -1, rTAvgC: -1, dataBurstC: -1, rTimeBurstC: -1
vlanIfName: 'dy-data-ksb1', aclName: ''
*Dot1x_NW_MsgTask_0: Sep 19 12:32:47.843: 8c:70:5a:1c:8e:20 Setting re-auth timeout to 1800 seconds, got from WLAN config.
*Dot1x_NW_MsgTask_0: Sep 19 12:32:47.844: 8c:70:5a:1c:8e:20 Station 8c:70:5a:1c:8e:20 setting dot1x reauth timeout = 1800
*Dot1x_NW_MsgTask_0: Sep 19 12:32:47.844: 8c:70:5a:1c:8e:20 Creating a PKC PMKID Cache entry for station 8c:70:5a:1c:8e:20 (RSN 2)
*Dot1x_NW_MsgTask_0: Sep 19 12:32:47.844: 8c:70:5a:1c:8e:20 Adding BSSID 00:1e:be:a7:bf:b6 to PMKID cache for station 8c:70:5a:1c:8e:20
*Dot1x_NW_MsgTask_0: Sep 19 12:32:47.844: New PMKID: (16)
*Dot1x_NW_MsgTask_0: Sep 19 12:32:47.844: [0000] 80 36
-
Dynamic VLAN assignment on SG300
Cisco documentation states that dynamic vlan assignment via RADIUS should provide the following IETF values:
The RADIUS user attributes used for the VLAN ID assignment are:
IETF 64 (Tunnel Type)—Set this to VLAN.
IETF 65 (Tunnel Medium Type)—Set this to 802
IETF 81 (Tunnel Private Group ID)—Set this to VLAN ID
I have done so with an Aruba ClearPass RADIUS server, but the Access-Accept message being sent below:
Radius:IETF:Tunnel-Medium-Type 6
Radius:IETF:Tunnel-Private-Group-Id 4
Radius:IETF:Tunnel-Type 13
is being received by the SG300 in some way that's not being interpreted correctly. Log files indicate that the IETF values are not what is expected:
07-Aug-2014 18:58:41 :%SEC-W-SUPPLICANTUNAUTHORIZED: username teststudent with MAC 00:11:25:d8:42:83 was rejected on port gi2 because Radius accept message does not contain VLAN ID
07-Aug-2014 18:58:41 :%AAAEAP-W-RADIUSREPLY: Invalid attribute 65 ignored - tag should be 0
07-Aug-2014 18:58:41 :%AAAEAP-W-RADIUSREPLY: Invalid attribute 64 ignored - tag should be 0
Is there something I'm missing here? These same values sent by the ClearPass RADIUS server are working for other switches such as Extreme and Brocade.
Thanks,
Aaron
Hi Aleksandra,
Here are the values from a packet capture of the Access-Accept message:
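The three tunnel AVPs that every thread on this page turns on, encoded and checked in Python. This is an added example, not code from any of the posts above; the RADIUS shared secret, packet identifier and Request Authenticator it uses are made-up values, and the require_tag_zero mode only reproduces the log lines quoted in the SG300 post, not that switch's real logic. Beyond what the posts show, it also includes the Response Authenticator check a NAS performs before trusting any attribute in an Access-Accept.

```python
"""RFC 2868 tunnel attributes (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-Id)
as used for 802.1X VLAN assignment: encoding, parsing and the checks a NAS applies.
Added example; the shared secret, identifier and Request Authenticator are made up."""
import hashlib
import hmac
import struct

TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
VLAN_ATTRS = (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID)
TUNNEL_TYPE_VLAN = 13        # Tunnel-Type value VLAN (RFC 3580)
TUNNEL_MEDIUM_IEEE_802 = 6   # Tunnel-Medium-Type value IEEE-802 (RFC 2868)
ACCESS_ACCEPT = 2


def encode_tagged_int(attr_type, value, tag=0):
    """Tagged integer: Type, Length=6, one tag byte, three value bytes."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0x00..0x1F")
    return struct.pack("!BBB", attr_type, 6, tag) + value.to_bytes(3, "big")


def encode_tagged_string(attr_type, text, tag=0):
    """Tagged string. With tag 0 the tag byte is omitted, which is why the capture
    above shows l=4 for "10" and the IOS debug shows length 5 for "210"."""
    data = text.encode("ascii")
    if tag:
        if not 1 <= tag <= 0x1F:
            raise ValueError("tag must be 0x01..0x1F")
        data = bytes([tag]) + data
    return struct.pack("!BB", attr_type, len(data) + 2) + data


def vlan_avps(vlan, tag=0):
    """The three AVPs a RADIUS server returns to assign a VLAN by ID or by name."""
    return (encode_tagged_int(TUNNEL_TYPE, TUNNEL_TYPE_VLAN, tag)
            + encode_tagged_int(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_IEEE_802, tag)
            + encode_tagged_string(TUNNEL_PRIVATE_GROUP_ID, str(vlan), tag))


def build_access_accept(ident, request_auth, secret, attrs):
    """Access-Accept; Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    head = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    return head + hashlib.md5(head + request_auth + attrs + secret).digest() + attrs


def verify_access_accept(packet, request_auth, secret):
    """The NAS-side check that must pass before any returned attribute is trusted."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def parse_attrs(data):
    """Yield (type, tag, value) per AVP; tag is 0 for untagged attributes."""
    pos = 0
    while pos < len(data):
        if pos + 2 > len(data) or data[pos + 1] < 2 or pos + data[pos + 1] > len(data):
            raise ValueError("malformed attribute at offset %d" % pos)
        atype, raw = data[pos], data[pos + 2:pos + data[pos + 1]]
        pos += data[pos + 1]
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if len(raw) != 4:
                raise ValueError("attribute %d must carry a tag byte and 3 value bytes" % atype)
            yield atype, raw[0], int.from_bytes(raw[1:], "big")
        elif atype == TUNNEL_PRIVATE_GROUP_ID:
            # RFC 2868 3.6: a leading byte <= 0x1F is a tag, anything larger is string data
            if raw and raw[0] <= 0x1F:
                yield atype, raw[0], raw[1:].decode("ascii", "replace")
            else:
                yield atype, 0, raw.decode("ascii", "replace")
        else:
            yield atype, 0, raw


def vlan_from_access_accept(attrs, require_tag_zero=False):
    """Return (vlan, reason); vlan is None when a NAS would apply no override.
    require_tag_zero=True mimics the SG300 log above: tagged attributes are ignored."""
    found, warnings = {}, []
    for atype, tag, value in parse_attrs(attrs):
        if atype not in VLAN_ATTRS:
            continue
        if require_tag_zero and tag != 0:
            warnings.append("Invalid attribute %d ignored - tag should be 0" % atype)
            continue
        found[atype] = value
    if found.get(TUNNEL_TYPE) != TUNNEL_TYPE_VLAN:
        warnings.append("Tunnel-Type is not VLAN(13)")
    elif found.get(TUNNEL_MEDIUM_TYPE) != TUNNEL_MEDIUM_IEEE_802:
        warnings.append("Tunnel-Medium-Type is not IEEE-802(6)")
    elif TUNNEL_PRIVATE_GROUP_ID not in found:
        warnings.append("Radius accept message does not contain VLAN ID")
    else:
        return found[TUNNEL_PRIVATE_GROUP_ID], "ok"
    return None, "; ".join(warnings)
```

Tunnel-Private-Group-Id comes back as a string; whether a number ("10") or a name ("STUDENT") is accepted is up to the NAS, which is the difference between the WLC threads above and the autonomous AP that maps names with dot11 vlan-name. The SG300 log line quoted above says it expects tag 0, so for that switch the attributes would have to be sent untagged (the default in vlan_avps). An Access-Accept that fails verify_access_accept must be dropped whatever it carries: the VLAN override is only as trustworthy as the shared secret behind that MD5 authenticator.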
-
Dynamic vlan assignment does not work
Hello,
I have been trying to configure dynamic VLAN assignment for the employee WLAN. Trying to put employees on VLAN 20.
Here are the components used
WLC: 2100 Software version: 7.0.240.0
AP: 3502I IOS version: 12.4 Mini IOS version: 7.0
RADIUS server: tried multiple RADIUS servers (RSA RADIUS, FreeRADIUS)
On the WLC:
1. Created an AAA server.
2. Along with the management interface (VLAN 10), configured dynamic interfaces (VLAN 20, VLAN 30)
3. AP manager interface is on VLAN 40
4. Created a WLAN assigned to the management interface: WPA2 (AES), 802.1X
5. On the AAA servers tab, checked authentication servers and assigned the AAA server. Authentication priority order is set to only RADIUS
Here, I have 2 options for RADIUS override:
one on the AAA servers tab
second on the Advanced tab
I have selected both, or one at a time
Ports between WLC and switch are a trunk
On the AP:
1. Local mode
2. Port between AP and switch switchport access - vlan 40
On radius server:
configured WLC's management interface as client
and assigned the following attributes
tunnel-type := vlan
tunnel-medium-type = ieee-802
tunnel-private-group-id = 20
When I try to authenticate with an iPhone it is successful. But it puts me on the same interface as the management interface (VLAN 10). When I do the packet capture I do see the Access-Accept but I don't see the attributes.
When I use a RADIUS test utility against the RADIUS server I do receive all the attributes.
I'm a newbie on this. Am I missing something here? Any help will be much appreciated.
Kindly check the following links for reference.
Sample configuration links
http://www.cisco.com/c/en/us/td/docs/wireless/controller/5700/software/release/3se/security/configuration_guide/b_sec_3se_5700_cg/b_sec_1501_3850_cg_chapter_01110.html
http://www.cisco.com/c/en/us/td/docs/wireless/controller/7-0/configuration/guide/c70/c70intf.html
Troubleshooting link
http://www.cisco.com/c/en/us/support/docs/security/secure-access-control-system/113485-acs5x-tshoot.html
-
Dynamic VLAN assignment with WLC and ACS for
Currently, using our autonomous APs and ACS, our users get separate VLANs per building based on their security level (students or staff). Basically, the student VLAN in one building is different from that of the student VLANs in other buildings on campus. Currently, we do this by filling the Tunnel-Private-Group-ID IETF RADIUS attribute with the VLAN name. This all works because each individual AP can map VLAN names to different VLANs like this:
dot11 vlan-name STUDENT vlan 2903
dot11 vlan-name FACSTAF vlan 2905
As we are working on our WiSM deployment, we see that the document below shows how to do dynamic VLAN assignment on our WLAN controllers:
http://www.cisco.com/en/US/customer/products/sw/secursw/ps2086/products_configuration_example09186a00808c9bd1.shtml
However, we haven't figured out if it's possible to still provide our users with different VLANs for each building they're in.
With the instructions above, it looks like ACS uses a Cisco RADIUS Attribute to indicate the Air-Interface-Name, mapping an ACS/AD group to a single WLC interface which can only have one VLAN/subnet associated with it.
Does anybody know if what we're trying to accomplish is possible, or if we're really stuck with only one VLAN/subnet per mapped ACS group?
We only have the one WiSM for all of campus, so it's handling everything. The Cisco docs do indicate how to put different users in different VLANs, but we don't currently see a way to also put them in different subnets per building.
This being the case, any suggestions on how best to handle more than a Class C subnet's worth of users? Should we just subnet larger than Class C, or is there a more elegant way of handling this?
-
WLC- dynamic Vlan assignment with Radius
Hello, we would like to use this feature in our company, and because of that I am now testing it. But I found one problem.
I created one testing SSID and two VLANs on the WLC. On ACS I use the IETF attributes (064, 065, 081) for my account and I am changing the VLAN ID (081) during testing.
It works with LEAP, but when I use PEAP-GTC (which we use commonly in our company) the IP address is not assigned properly (the IP which was assigned before remains).
Could you please help me?
There is a good document which explains how to configure dynamic VLAN assignment with a RADIUS server and Wireless LAN Controller. This will help you. You will find the document at http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml
-
Flexconnect dynamic VLAN assignment doubt
Hi, all,
I am trying to understand how FlexConnect with dynamic VLAN assignment works. We have the need to dynamically put people in different VLANs based on their AD groups (all employees use the same SSID). I can understand that in traditional CAPWAP mode the AP just tunnels all traffic to the WLC; the WLC is the authenticator, it knows what the users' identities are and can encapsulate user traffic into different VLANs before sending the traffic to the switch it connects to. Here is the part I don't understand:
1) If APs are operating in FlexConnect mode (APs are trunking to switches), how does each AP know what VLAN tag to put a specific user's traffic on? The AP is not the authenticator; it knows nothing about the associated client's AD identity. How does the WLC convey the dynamic VLAN information to the APs?
2) I want to eliminate WLCs in remote offices by letting all remote office APs join the HQ WLC in FlexConnect mode. I can keep the same VLAN mapping scheme in the remote office switching environment. In some offices I want to do local authentication (domain controller + RADIUS server); it looks like I can specify a RADIUS server in the FlexConnect group. In this case will the APs become the authenticator? Since RADIUS clients have to be explicitly configured on the NPS/RADIUS server side, does this mean I have to statically configure each AP's IP?
3) I have over a dozen APs in HQ which are operating in FlexConnect mode, but the SSID's "local central authentication" checkbox is not checked. If I want to have local authentication in a remote office, it seems that I have to turn on "local authentication" on this SSID. Does that mean I have to add each and every one of those HQ APs to the RADIUS/NPS server client list?
Thanks,
Hi,
1) APs know about VLANs as we can define them inside the FlexConnect groups. This is the same way we define FlexConnect ACLs, which are pushed to the Flex APs and are returned by the RADIUS server later on.
2) If you are going for central authentication + local switching, WLCs will always act as the central authenticator and would talk to the RADIUS server. If you have some RADIUS servers at the local site and you want to use them without going through central authentication, you can do that using (local authentication + local switching). Yes, in this case the AP will be the authenticator and would be the AAA client to be added in the RADIUS server.
3) Yes, you are correct. If you want your AP to do authentication and talk to the local RADIUS server at the site, it has to be added in the RADIUS server.
Regards
Dhiresh
**Please rate helpful posts**
-
Dynamic vlan assignment with 1242AG and IAS not working
I'm having trouble getting the dynamic vlan assignment to work on my 1242AG Cisco Aironet APs. I've seen multiple cases with a similar setup and configuration where it works just fine. I've tried everything I can think of. Any suggestions?
IAS and AD is running on Windows Server 2003
Everything works fine except the vlan assignment. Wireless clients successfully authenticate through IAS and Active Directory, but instead of being switched to the appropriate vlan the client stays in whichever vlan/ssid it originally connected to.
PEAP is the authentication method, using MS-CHAP v2. Naturally I have the attributes in the policy set appropriately, i.e.:
Tunnel-Medium-Type > 802
Tunnel-Pvt-Group-ID > vlanid
Tunnel-Type > VLAN
On the AP:
Cisco 1242AG, C1240 Software (C1240-K9W7-M), Version 12.4(3g)JA, RELEASE SOFTWARE (fc2)
I've attached the config for the AP, which shows that I have two VLANs/SSIDs set to cipher, AES, network EAP, WPA, etc. I noticed that if the Tunnel-Pvt-Group-ID attribute is set to a VLAN ID that doesn't exist on the AP then the AP makes an event log entry saying so.
Good! Well, to answer your questions, IAS is sending numbers, i.e. Tunnel-Pvt-Group-ID > 129
I did view the debug from an AP which showed the Tunnel attributes being received from the RADIUS server (I'll have to wait until Monday to get a copy though).
I see I don't have that line "aaa authorization network default group rad_eap",
so I'll have to give it a try (maybe I can remote in so I don't have to wait until Monday).
Thanks,
Jason
-
ISE - WLC 7.2 VLAN assignment
Good evening,
The Wireless_Employees authorization profile assigns VLAN 666 to wireless employees.
ISE is passing VLAN 666 to the WLC; see attachment Radius Auth-VLAN666.jpg.
When I look on the WLC at a wireless employee who has successfully connected to the network, the WLC is still placing him in the pre-configured VLAN 7.
1. Can a VLAN be pushed from ISE to the WLC (code 7.2.103) for a specific user session?
2. If so, any suggestions why it's not working for me?
Thank you.
Cath.
Cath,
Here is a guide that will help with dynamic VLAN assignment on a WLC:
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml#WLC
Thanks,
Tarik Admani
*Please rate helpful posts*
-
VLAN assignment from ACS not applied
WLC 4402 5.2.157.0
ACS Express 5.0.0.18
We have an issue where the VLAN assigned on the ACS isn't applied on the 4402 WLC.
We have 'Allow AAA Override' checked on the WLAN; the QoS is overridden to Bronze properly, but the VLAN stays at 0 and the interface at management. The VLAN interface is configured on the WLC.
On the ACS the following are configured for the RADIUS response:
Radius-IETF Tunnel-Medium-Type 802
Radius-IETF Tunnel-Type VLAN
Radius-IETF Tunnel-Private-Group-ID 44
Cisco Airespace Airespace-QoS-Level Bronze
The accounting log shows:
Wed, 04 Feb 2009 09:50:02
User-Name = guest
NAS-IP-Address = 10.30.1.2
NAS-Port = 1
Framed-IP-Address = 10.30.1.12
Called-Station-Id = 10.30.1.2
Calling-Station-Id = 10.30.1.12
NAS-Identifier = Cisco4402WLC
Acct-Status-Type = Start
Acct-Session-Id = 4989b927/00:1a:73:ed:bf:ca/2
Acct-Authentic = RADIUS
Airespace-WLAN-Id = 2
Thanks for any help or advice you can provide to troubleshoot this issue.
-Brian
From the Clients -> Details screen on the WLC...
CLIENT PROPERTIES
MAC Address 00:1a:73:ed:bf:ca
IP Address 10.30.1.12
Client Type Regular
User Name guest
Port Number 1
Interface management
VLAN ID 0
CCX Version CCXv4
E2E Version Not Supported
Mobility Role Local
Mobility Peer IP Address N/A
Policy Manager State RUN
Mirror Mode Disable
Management Frame Protection No
SECURITY INFORMATION
Security Policy Completed Yes
Policy Type N/A
Encryption Cipher None
EAP Type N/A
NAC State Access
QUALITY OF SERVICE PROPERTIES
WMM State Enabled
U-APSD Support Disabled
QoS Level Bronze
Diff Serv Code Point (DSCP) disabled
802.1p Tag disabled
Average Data Rate disabled
Average Real-Time Rate disabled
Burst Data Rate disabled
Burst Real-Time Rate disabled
-
Cat 3750 Switch: Dynamic vlan assignment
Hey guys,
I am trying to configure 802.1X on the switch and authenticate users against a RADIUS server. My RADIUS server is FreeRADIUS running on Red Hat. Authentication works fine but the switch just doesn't take the VLAN assigned by the server. I captured the packets between the server 172.17.1.1 and the switch 172.17.254.100. The cap file is attached here. Can anybody please verify that all the attributes are there and are all correct?
The client laptop is running Windows XP and it's using EAP-MD5. The laptop is on port F1/0/1. Here is the configuration on the switch:
aaa new-model
aaa authentication dot1x default group radius none
aaa authorization network default group radius none
interface FastEthernet1/0/1
switchport mode access
dot1x pae authenticator
dot1x port-control auto
dot1x violation-mode protect
dot1x reauthentication
dot1x guest-vlan 17
dot1x auth-fail vlan 18
spanning-tree portfast
radius-server host 172.17.1.1 auth-port 1812 acct-port 1813 key xxxxxx
I also tried to debug dot1x errors and there is no output, so I guess there are no errors... Any advice is appreciated! Thank you!
Hey Kush, thanks for the reply! I did those debugs and I will upload them here. In the debug radius output it is saying unknown Cisco AVP type. I think the switch just doesn't like FreeRADIUS's attributes. I think what I will do is set up an ACS server (with the evaluation software), configure it to dynamically assign VLANs, use Wireshark to watch the attributes sent by the server, adjust my FreeRADIUS settings accordingly, and see if that helps...
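A configuration check for the line the IAS/3550 reply above points to and that the 3750 post already has. This is an added example, not code from either thread: CONFIG_3550 and CONFIG_3750 are constructed to mirror the two switch snippets posted (placeholder RADIUS keys, and dot1x system-auth-control added since 802.1X is evidently running on both), and the checks other than the aaa authorization network one (the fail-open none method, access-port mode, the global 802.1X enable) are the editor's additions rather than anything the posters said.

```python
"""Lint a Catalyst IOS 802.1X configuration for the settings these threads hinge on.

Added example, not code from any post on this page. CONFIG_3550 and CONFIG_3750 are
constructed to mirror the two switch snippets posted above (placeholder RADIUS keys);
'dot1x system-auth-control' is included in both because 802.1X is evidently running,
even though neither post pasted it."""
import re

# Lines that start a new global context; anything else after 'interface X' is a sub-command,
# so the check also works on a paste where the indentation was lost.
GLOBAL_RE = re.compile(r"^(aaa |radius-server |radius server |dot1x system-auth-control|"
                       r"interface |hostname |version |service |ip |end$)")

CONFIG_3550 = """\
aaa new-model
aaa authentication login default group radius local
aaa authentication dot1x default group radius local
aaa session-id common
dot1x system-auth-control
interface FastEthernet0/1
 switchport mode access
 dot1x pae authenticator
 dot1x port-control auto
radius-server host 10.1.1.254 auth-port 1645 acct-port 1646 key EXAMPLE-KEY
radius-server deadtime 60
"""

CONFIG_3750 = """\
aaa new-model
aaa authentication dot1x default group radius none
aaa authorization network default group radius none
dot1x system-auth-control
interface FastEthernet1/0/1
 switchport mode access
 dot1x pae authenticator
 dot1x port-control auto
 dot1x violation-mode protect
 dot1x reauthentication
 dot1x guest-vlan 17
 dot1x auth-fail vlan 18
 spanning-tree portfast
radius-server host 172.17.1.1 auth-port 1812 acct-port 1813 key EXAMPLE-KEY
"""


def parse_ios(text):
    """Return (global_lines, {interface: [sub-command lines]})."""
    globals_, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if not raw.startswith(" ") and GLOBAL_RE.match(line):
            m = re.match(r"interface\s+(\S+)", line)
            if m:
                current = m.group(1)
                interfaces[current] = []
            else:
                current = None
                globals_.append(line)
        elif current is not None:
            interfaces[current].append(line)
        else:
            globals_.append(line)
    return globals_, interfaces


def lint(text):
    """Return a list of findings; an empty list means every check here passed."""
    findings = []
    globals_, interfaces = parse_ios(text)

    def has(prefix):
        return any(g.startswith(prefix) for g in globals_)

    if not has("aaa new-model"):
        findings.append("global: 'aaa new-model' missing, AAA is disabled")
    if not has("aaa authentication dot1x"):
        findings.append("global: no 'aaa authentication dot1x' method list")
    if not has("aaa authorization network"):
        # The fix given in the threads: without this list the switch never applies
        # RADIUS-returned Tunnel-* (VLAN) attributes, even though 'debug radius' shows them.
        findings.append("global: 'aaa authorization network default group radius' missing; "
                        "RADIUS VLAN attributes are received but never applied")
    if not has("dot1x system-auth-control"):
        findings.append("global: 'dot1x system-auth-control' missing; 802.1X is not enabled")
    for g in globals_:
        if g.startswith("aaa auth") and re.search(r"\bnone\b", g):
            findings.append("global: fail-open method list (%s); with no RADIUS server "
                            "reachable the port is authorized without credentials" % g)
        if g.startswith("radius-server host") and " key " not in g:
            findings.append("global: RADIUS server without a shared key (%s)" % g)
    for name, lines in interfaces.items():
        if not any(l.startswith(("dot1x port-control auto", "authentication port-control auto"))
                   for l in lines):
            continue
        if "switchport mode access" not in lines:
            findings.append("%s: 802.1X port is not 'switchport mode access'; dynamic VLAN "
                            "assignment needs an access port" % name)
        if "dot1x pae authenticator" not in lines:
            findings.append("%s: 'dot1x pae authenticator' missing" % name)
    return findings
```

Run lint() over the output of show running-config. On the 3550-style config the only finding is the missing authorization list, which is exactly the symptom in the IAS thread: the attributes arrive (visible in debug radius) but the port stays in its configured VLAN. The 3750-style config passes that check but gets two fail-open findings for the none method, which matters here because a RADIUS outage would then authorize every port without credentials.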
-
HREAP and Dynamic VLAN assignment (MS NPS)
Hi All
Just a quick rundown of what I am trying to achieve.
We have a Cisco 5508 WLC (running AIR-CT5500-K9-7-0-116-0.aes). At the moment the WLC is controlling only 1 AP (Cisco 1142N LWAP). I want this AP to be placed at a remote site, and users that authenticate via the RADIUS (MS Windows 2008 NPS) server must be assigned their respective VLANs based on the Active Directory groups they belong to (staff, student, or guest).
The AP and dynamic VLAN assignment work 100% if the AP is in local mode. Authentication works, and dynamic VLAN assignment works. As soon as you change the AP to HREAP mode, dynamic VLAN assignment stops working, and the client gets assigned an IP from whatever VLAN is assigned to the SSID under the HREAP tab. Allow AAA Override is enabled on the main SSID that I am broadcasting.
I have read in some of the discussions that HREAP does not support dynamic VLAN assignment, but I haven't seen why this is not supported. Is this true with the latest version of WLC software as well? I cannot see why local traffic destined for a local resource must be sent via a WAN link to the controller, and then back over the WAN link again. This seems very inefficient.
Is there anybody that can confirm if this is in fact an HREAP limitation, and why (if so) it is a limitation, please? Any info would be much appreciated.
Regards
Connie
Do you perhaps know if there are plans for this limitation being addressed in the near future?
We are looking to deploy wireless end-to-end in all 6 of our sites, and your biggest competitor was penalized because they do not support this feature. It seems we're going to have to apply the same penalty in this respect to Cisco as well.
Thanks for the feedback, though!
Regards
Connie