Way to Ignore Dynamic VLAN using WPA2 on IOS AP and ACS?

Answered Question
Oct 23rd, 2007

Hello,


I am trying to set up an IOS AP using 12.3(8)JEB1 to use WPA2 using ACS 4.0(1) Build 44. I am trying to use PEAP with MSCHAPv2.


The problem I am having is that the only way I can get the client to associate is if I configure the AP's SSID to be the same VLAN that is stated in the "[081] Tunnel-Private-Group-ID" field of the group that the dynamic user is in.


When I configure the SSID to the VLAN it should be, the client never authenticates, even though the ACS server shows it as a "Passed Authentication".


When I do a "debug radius authentication", I get this message "%DOT11-4-NO_VLAN_ID: Vlan id 1100 from Radius server is not configured for station xxxx.xxxx.xxxx" (MAC address removed).


Is there a way to configure the AP to ignore the "[081] Tunnel-Private-Group-ID" field?

Correct Answer by matt.woodling about 9 years 5 months ago

Here's what you need. I just figured this out tonight:


aaa group server radius your-AAA-group-name
 server your-radius-server#1-IPaddress auth-port 1645 acct-port 1646
 server your-radius-server#2-IPaddress auth-port 1645 acct-port 1646
 authorization reply reject wireless-attreject-list
!
radius-server attribute list wireless-attreject-list
 attribute 81
!
aaa authentication login eap_methods group your-AAA-group-name


matt.woodling Sun, 10/28/2007 - 00:47
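
What the reject list in the answer does to an Access-Accept, as an added example that is not part of the original post and not Cisco's implementation: a small RADIUS attribute parser that drops attribute 81 before the VLAN is read. The sample packet, the function names and the tag handling are constructed for illustration.

```python
import struct

TUNNEL_PRIVATE_GROUP_ID = 81  # attribute named in the answer's reject list

def build_access_accept(attrs, identifier=1):
    """Constructed Access-Accept (code 2) with a zeroed authenticator."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH16s", 2, identifier, 20 + len(body), b"\0" * 16) + body

def parse_attributes(packet):
    """Return [(type, value)] from a RADIUS packet, validating every length."""
    if len(packet) < 20:
        raise ValueError("shorter than the RADIUS header")
    (length,) = struct.unpack("!H", packet[2:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length")
        attrs.append((attr_type, packet[pos + 2:pos + attr_len]))
        pos += attr_len
    return attrs

def apply_reject_list(attrs, reject):
    """Drop the listed attribute types, as a reply reject list does."""
    return [(t, v) for t, v in attrs if t not in reject]

def assigned_vlan(attrs):
    """VLAN ID/name carried in attribute 81, or None if the reply has none."""
    for t, v in attrs:
        if t == TUNNEL_PRIVATE_GROUP_ID and v:
            # RFC 2868: a first octet up to 0x1F is treated as a tag, not text
            return (v[1:] if v[0] <= 0x1F else v).decode("ascii")
    return None

# Constructed reply: Tunnel-Type=VLAN(13), Tunnel-Medium-Type=802(6), VLAN 1100
SAMPLE = build_access_accept([
    (64, b"\x01\x00\x00\x0d"),
    (65, b"\x01\x00\x00\x06"),
    (81, b"\x01" + b"1100"),
])

if __name__ == "__main__":
    attrs = parse_attributes(SAMPLE)
    print("as sent by RADIUS:", assigned_vlan(attrs))
    print("after reject list:", assigned_vlan(apply_reject_list(attrs, {81})))
```

With attribute 81 dropped, the client stays on the VLAN configured for the SSID, so any per-group VLAN separation defined on the ACS is no longer applied by this AP.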