WLC and AAA - one SSID and more VLANs

Answered Question
Jun 13th, 2007

hi,

I have an ACS 4.1, AP1242, WLC4404 and Catalyst 3750, and a Win2003 DHCP Server.

Switch Interface Config:

interface Vlan10
 ip address 10.70.170.1 255.255.255.0
 ip helper-address 192.168.12.10
interface Vlan20
 ip address 10.70.171.1 255.255.255.0
 ip helper-address 192.168.12.10

At the WLC I have configured one SSID with:

- Allow AAA Override
- Layer2 Sec: [WPA1,TKIP+WPA2,AES]
- ACS 4.1 AAA
- Key Management: 802.1x

One SSID mapped to the management interface, and 2 VLANs with different interfaces:

VLAN-ID1: 10
Interface-1:
 IP Address 10.70.170.2
 Netmask 255.255.255.0
 Gateway 10.70.170.1
 DHCP: 192.168.12.10

VLAN-ID2: 20
Interface-2:
 IP Address 10.70.171.2
 Netmask 255.255.255.0
 Gateway 10.70.171.1
 DHCP: 192.168.12.10

At the ACS I have 2 users and two groups, Group1-User1 and Group2-User2, with the AAA attributes to change the VLAN on login:

[006] Service-Type: Authenticate only
[064] Tunnel-Type: VLAN
[065] Tunnel-Medium-Type: 802
[081] Tunnel-Private-Group-ID: <VLAN-ID-1> or <VLAN-ID-2>

My problem is that the user authenticates successfully, and the VLAN and interface assignment is also correct, but the IP address that the user gets is always from the IP range of Interface2 (VLAN20). So when USER2 authenticates, he gets VLAN2, the right interface and the right IP address, and the communication is right.

But USER1 gets Interface1 and VLAN10, yet the IP from Interface2 (VLAN20).

What can it be?

thx
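The attribute exchange described in the post, as an added example that is neither the poster's configuration nor Cisco code: a small Python decoder for the RFC 2868 tunnel attributes in a RADIUS Access-Accept, followed by the check a troubleshooter would run against the symptom above, namely whether the leased address lies in the subnet of the WLC dynamic interface that the RADIUS VLAN maps to. The attribute numbers and interface addresses come from the question; the Access-Accept bytes and the lease addresses are constructed.

```python
import ipaddress
# RADIUS attribute numbers (RFC 2865/2868) as listed in the question
SERVICE_TYPE, TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 6, 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_802 = 13, 6
WLC_INTERFACES = {10: "10.70.170.2/24", 20: "10.70.171.2/24"}  # VLAN -> WLC dynamic interface

def attr(atype, value):
    """Encode one RADIUS attribute as Type, Length, Value."""
    return bytes([atype, len(value) + 2]) + value

def parse_attributes(payload):
    """Walk the TLV attribute list that follows the 20-byte RADIUS header."""
    attrs, i = [], 0
    while i < len(payload):
        hdr = payload[i:i + 2]
        if len(hdr) < 2 or hdr[1] < 2 or i + hdr[1] > len(payload):
            raise ValueError("malformed attribute at offset %d" % i)
        attrs.append((hdr[0], payload[i + 2:i + hdr[1]]))
        i += hdr[1]
    return attrs

def strip_tag(value):
    """Tunnel attributes may start with a tag octet 0x00..0x1F (RFC 2868 section 3)."""
    if value and value[0] <= 0x1F:
        return value[0], value[1:]
    return 0, value

def vlan_from_access_accept(payload):
    """Return the VLAN carried by a matching 64/65/81 triple, or None if there is none."""
    by_tag = {}
    for atype, value in parse_attributes(payload):
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID):
            tag, data = strip_tag(value)
            by_tag.setdefault(tag, {})[atype] = data
    for group in by_tag.values():  # attributes sharing a tag describe the same tunnel
        ttype = int.from_bytes(group.get(TUNNEL_TYPE, b""), "big")
        medium = int.from_bytes(group.get(TUNNEL_MEDIUM_TYPE, b""), "big")
        if ttype == TUNNEL_TYPE_VLAN and medium == TUNNEL_MEDIUM_802 and TUNNEL_PRIVATE_GROUP_ID in group:
            return int(group[TUNNEL_PRIVATE_GROUP_ID].decode("ascii"))
    return None

def lease_matches_vlan(vlan, leased_ip):
    """True if the DHCP lease lies in the subnet of the WLC interface mapped to that VLAN."""
    network = ipaddress.ip_network(WLC_INTERFACES[vlan], strict=False)
    return ipaddress.ip_address(leased_ip) in network

# Constructed Access-Accept attribute list for User1 (tag 1 on the tunnel attributes), not a capture
USER1_ACCEPT = (attr(SERVICE_TYPE, (8).to_bytes(4, "big"))  # Authenticate-Only, ignored here
                + attr(TUNNEL_TYPE, b"\x01" + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
                + attr(TUNNEL_MEDIUM_TYPE, b"\x01" + TUNNEL_MEDIUM_802.to_bytes(3, "big"))
                + attr(TUNNEL_PRIVATE_GROUP_ID, b"\x01" + b"10"))
```

A lease of 10.70.171.x for a client that the RADIUS reply put in VLAN 10 fails the check, which is exactly the mismatch the post describes and points at the DHCP side rather than at the AAA override.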

Correct Answer
fmeetz Wed, 06/20/2007 - 08:25

Check the DHCP configuration on the Windows 2003 server and make sure addresses from both ranges are configured.

elkono200 Wed, 06/20/2007 - 23:26

After a long time of tests, I found the problem. It was the DHCP server; I installed a new one, and now it's all OK...

thx

Richard Atkin Wed, 06/27/2007 - 11:43

FYI - If you're using ACS v4.1, you can also achieve this using the Airespace Attributes, by specifying the WLC interface name in the appropriate section.
