Buy or Renew
Buy or Renew
Cisco Virtual Engineer generative AI bot now active in Wireless Discussion Forum. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
518
Views
0
Helpful
3
Replies

aaa override on a 4402

fcollett
Level 1
Level 1

‎04-08-2008 09:36 AM - edited ‎07-03-2021 03:40 PM

4402 controller with 4.0.602 code, MS XP Client, 802.1x authentication, device and user authentication:

The controller is configured with (2) SSIDs: Secure, Public.

There are (3) VLANs I want to place the devices in after user authentication (obviously machine authentication occurs prior to this). The (3) VLANs are Staff, Student and Faculty; numbered 10, 20 and 30.

Here is what happens.

The machine associates with the secure ssid, authenticates and is placed in the student vlan (20) - this is the VLAN I have assigned to the SSID by default.

I have aaa-override enabled.

A staff or faculty member logs on and is authenticated. The controller receives the new VLAN assignment from the radius server. I can see this if I go to client details and it shows the IP address and VLAN assignment.

Here is the kicker - the IP address is still the original IP address it was assigned from the original machine authentication when it was placed in the student VLAN, not what it should be in the staff or faculty vlan.

So I do a ipconfig /release and /renew at the client and I still get the same IP address not one from the staff or faculty VLAN.

It appears as if the VLAN was sent to the controller but never really applied.

I am using the DHCP Server within the 4402 controller.

Any thoughts or leads would be helpful.

Thanks

Labels:
0 Helpful
3 Replies 3

andrew.prince
Level 10
Level 10

‎04-10-2008 10:47 AM

If you are centraly switching (AP not in HREAP) when the client connects on the first time, they will get an IP from that DCHP in the assigned SSID. When you send the VLAN tag from the RADIUS/ACS server, then the AP will tag the client traffic with the particular 802 tag. The controller will "proxy" the traffic into the vlan you have sent, this is transparent to the client, the controller takes care of everything. - in theory, only seen this on a course....never been able to test!

HTH

0 Helpful

fcollett
Level 1
Level 1
In response to andrew.prince

‎04-11-2008 09:21 AM

I will do further testing next week and get back to you.

Thanks

0 Helpful

k.abillama
Level 1
Level 1
In response to fcollett

‎12-12-2008 11:57 PM

Hi guys, I have the same problem, has this been resolved?

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card