I am trying to set up an IOS AP using 12.3(8)JEB1 to use WPA2 using ACS 4.0(1)Build 44. I am trying to use PEAP with MSCHAPv2.
The problem I am having is that the only way I can get the client to associate is if I configure the AP's SSID to be the same VLAN that is stated in the "Tunnel-Private-Group-ID" field of the group that the dynamic user is in.
When I configure the SSID to the VLAN it should be, the client never authenticates, even though the ACS server shows it as a "Passed Authentication".
When I do a "debug radius authentication", I get this message "%DOT11-4-NO_VLAN_ID: Vlan id 1100 from Radius server is not configured for station xxxx.xxxx.xxxx" (MAC address removed).
Is there a way to configure the AP to ignore the "Tunnel-Private-Group-ID" field?
Here's what you need. I just figured this out tonight:
aaa group server radius your-AAA-group-name
 server your-radius-server#1-IPaddress auth-port 1645 acct-port 1646
 server your-radius-server#2-IPaddress auth-port 1645 acct-port 1646
 ! Drop the attributes named in this list from the server's reply
 authorization reply reject wireless-attreject-list
!
radius-server attribute list wireless-attreject-list
 ! Added line: the list as posted names no attributes; 81 is Tunnel-Private-Group-ID
 attribute 81
!
aaa authentication login eap_methods group your-AAA-group-name
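
What a reject list does to the server's reply, as an added Python model that is not part of the original posts and is not Cisco's code. Assumptions: attribute numbers 64, 65 and 81 are the RFC 2868 tunnel attributes, the reply bytes and the SSID VLAN "20" are constructed, and falling back to the SSID's VLAN once attribute 81 is removed is a simplification of the AP's behaviour.

```python
import struct

# RFC 2868 tunnel attributes that ACS sends for dynamic VLAN assignment
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
SESSION_TIMEOUT = 27

def tlv(atype, value):
    """Encode one RADIUS attribute: type, length (header included), value."""
    return bytes([atype, len(value) + 2]) + value

def parse_attributes(blob):
    """Split a RADIUS attribute block into (type, value) pairs."""
    attrs, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        atype, alen = blob[i], blob[i + 1]
        if alen < 2 or i + alen > len(blob):
            raise ValueError(f"bad length {alen} for attribute {atype}")
        attrs.append((atype, blob[i + 2:i + alen]))
        i += alen
    return attrs

def apply_reject_list(attrs, rejected):
    """Model of 'authorization reply reject': drop the listed attribute types."""
    return [(t, v) for t, v in attrs if t not in rejected]

def vlan_from_reply(attrs):
    """Return the VLAN carried in Tunnel-Private-Group-ID, or None."""
    for t, v in attrs:
        if t == TUNNEL_PRIVATE_GROUP_ID and v:
            if v[0] <= 0x1F:      # leading tag octet is not part of the string
                v = v[1:]
            return v.decode("ascii")
    return None

def effective_vlan(blob, ssid_vlan, rejected=frozenset()):
    """VLAN the client lands in: the RADIUS override if present, else the SSID's."""
    attrs = apply_reject_list(parse_attributes(blob), rejected)
    return vlan_from_reply(attrs) or ssid_vlan

# Constructed Access-Accept attributes: VLAN 1100 override plus a session timeout
SAMPLE_REPLY = (
    tlv(TUNNEL_TYPE, b"\x00\x00\x00\x0d")             # tag 0, VLAN (13)
    + tlv(TUNNEL_MEDIUM_TYPE, b"\x00\x00\x00\x06")    # tag 0, IEEE-802 (6)
    + tlv(TUNNEL_PRIVATE_GROUP_ID, b"1100")
    + tlv(SESSION_TIMEOUT, struct.pack("!I", 3600))
)

if __name__ == "__main__":
    print("no reject list :", effective_vlan(SAMPLE_REPLY, "20"))
    print("reject attr 81 :", effective_vlan(SAMPLE_REPLY, "20", {81}))
```

Attributes outside the reject list, such as Session-Timeout here, still reach the AP unchanged.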