Dynamic VLAN/SSID assignment using 4402/MS IAS

Answered Question
Apr 18th, 2008

Greetings,


In short we have a WLC4402 (50 AP license) and approx 30 1252s LAPs in place. Right now we have three VLANs/SSIDs in place - one for admin, one for teachers and one for students. The WLC uses a MS Windows 2003 server running IAS for PEAP authentication. The clients are Windows XP, the SSID is entered manually based on "pre-designation" of the laptop's "type" (either admin, teacher or student).


This is working fine. However, more and more frequently our users have been "sharing" laptops, so a student may need to use a teacher's laptop and vice-versa. In short, we would like to use dynamic VLAN/SSID assignment so that if a student does have a teacher's laptop the "student" VLAN/SSID would be assigned to them when they log in (and the proper ACLs, QoS policies, etc. would be applied).


We have found documentation on how to perform this with an ACS, but is there anything available for this configuration with an MS IAS server?


Any input/information would be greatly appreciated.


Joe

Correct Answer by jim.robinson, Tue, 05/20/2008 - 12:46

The setup works fine with MS IAS server. You have to set the RADIUS options (3 of them) that are documented in the similar ACS article of the same ilk. You can have a single SSID, using RADIUS auth, and have Active Directory determine vlan membership based on group.


The RADIUS attribute settings are:

Tunnel-Type = Vlan
Tunnel-Pvt-Group-ID = vlanid
Tunnel-Medium-Type = 802

I also like to set:

Ignore-User-Dialin-Properties = True


You need to create some policies in IAS to match your Windows groups, and set the correct VLAN id. A separate IAS policy per VLAN.


Set the RADIUS attributes per IAS policy and per AD group or however you plan on determining membership.



If you want to use RADIUS for administration, you also have to define a separate policy that sets RADIUS attribute Service-Type = Administrative.


Jim
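To make concrete what the WLC has to receive for the three attributes Jim lists, here is an added example of my own (not code from the thread, Cisco or Microsoft). It encodes Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID as RFC 2868 tagged AVPs and validates the attribute list of an Access-Accept the way you would when a client keeps landing on the WLAN's default interface; the attribute numbers and values (64/65/81, VLAN = 13, 802 = 6) are the standard ones, the function names are mine.

```python
import struct
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81  # RFC 2868 attribute numbers
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_802 = 13, 6   # Tunnel-Type = VLAN, Tunnel-Medium-Type = 802

def tagged_int(attr_type, value, tag=0):
    # Tagged integer attribute (RFC 2868 s.3.1): Type, Length, Tag, 3-byte value.
    return struct.pack("!BBB", attr_type, 6, tag) + value.to_bytes(3, "big")

def tagged_string(attr_type, text, tag=0):
    # Tagged string attribute: Type, Length, Tag, ASCII string. Tag 0 means "untagged".
    return struct.pack("!BBB", attr_type, 3 + len(text), tag) + text.encode("ascii")

def build_vlan_avps(vlan_id, tag=0):
    # The three AVPs the WLC needs in the Access-Accept to override the WLAN's interface.
    return (tagged_int(TUNNEL_TYPE, TUNNEL_TYPE_VLAN, tag)
            + tagged_int(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_802, tag)
            + tagged_string(TUNNEL_PRIVATE_GROUP_ID, str(vlan_id), tag))

def parse_avps(data):
    # Walk the Type/Length/Value list of an Access-Accept; returns [(type, value bytes)].
    avps, pos = [], 0
    while pos < len(data):
        attr_type, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("malformed attribute at offset %d" % pos)
        avps.append((attr_type, data[pos + 2:pos + length]))
        pos += length
    return avps

def _tagged_int_value(raw):
    return int.from_bytes(raw[1:], "big") if raw else None  # byte 0 is the tag

def check_dynamic_vlan(data):
    # Returns (vlan_id, problems); vlan_id is None unless all three attributes are usable.
    found = {t: v for t, v in parse_avps(data)}
    problems, vlan_id = [], None
    if _tagged_int_value(found.get(TUNNEL_TYPE)) != TUNNEL_TYPE_VLAN:
        problems.append("Tunnel-Type missing or not VLAN (13)")
    if _tagged_int_value(found.get(TUNNEL_MEDIUM_TYPE)) != TUNNEL_MEDIUM_802:
        problems.append("Tunnel-Medium-Type missing or not 802 (6)")
    gid = found.get(TUNNEL_PRIVATE_GROUP_ID)
    if not gid:
        problems.append("Tunnel-Private-Group-ID missing")
    else:  # a leading byte <= 0x1F is a tag, otherwise it belongs to the string (RFC 2868 s.3.6)
        text = (gid[1:] if gid[0] <= 0x1F else gid).decode("ascii", "replace")
        if text.isdigit() and 1 <= int(text) <= 4094:
            vlan_id = int(text)
        else:
            problems.append("Tunnel-Private-Group-ID %r is not a VLAN id" % text)
    return (None if problems else vlan_id), problems
```

Feed it the attribute bytes from a captured Access-Accept (or from a RADIUS test tool) and the problems list tells you which of the three attributes the WLC would not accept.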

j-shearer Mon, 04/21/2008 - 05:44

Thx for the article. I will be configuring in about two weeks so this will definitely come in handy.


One question, the article states that the configuration is a "single SSID" and that settings are applied based on user credentials (which is what I am looking for). I am guessing that I could take this one step further and use two (or more) SSIDs but I am assuming that each individual SSID would have to be already configured on the clients. When the user logs in then the policy would determine which local SSID the client would connect to.


Am I correct in thinking this way? Obviously I am going to have to do some testing, but I am looking for any "gotchas" or "pitfalls".


Thx again

Joe

j-shearer Wed, 05/21/2008 - 04:41

After messing around with it last week I was able to get it working. Everything you listed in your post is exactly what I ended up doing to get things working. Too bad I didn't have this two weeks ago ;)


Thx Jim for the post though.


Joe

Shaun Bender Tue, 03/31/2009 - 11:08

I'm wanting to build the same scenario; however, I'm having issues with the users being connected to the right VLAN: they are only able to access the VLAN that the WLAN is set up on in the WLC configuration. I have AAA override on, and they are able to authenticate, just not switching to the associated VLAN under the IAS policy. Could you post some of your configuration for comparison?


Thanks

Shaun



j-shearer Tue, 03/31/2009 - 11:30

Shaun -


From the WLC perspective here is what I had to do:

1. Check the "Allow AAA Override" for each WLAN Profile using Dynamic-VLANs.

2. For each WLAN Profile using Dynamic VLAN assignment I had to set the interface to the management interface of the WLC. The management interface's IP is what is in the MS IAS server as the RADIUS client.

3. Make sure that none of the other interfaces on the WLC are in the same VLAN as the MS IAS server. If they are, the WLC will attempt to use this interface to contact the MS IAS server rather than the management interface, and the IAS server will reject the request.


Hope this information helps. If you want, I could gather some screenshots of how I configured the WLC/IAS server.


Let me know.


Joe

Shaun Bender Tue, 03/31/2009 - 12:12

Joe - thanks for the response.


I've made the suggested modifications. I did have the WLC service port on the same VLAN as IAS; I've switched those to different VLANs (I noticed that issue when I originally put the Management IP for the IAS client, as they were not talking).


I've switched all the WLANs to the Management Interface, the users still authenticate fine without issues, however they're not being switched to the correct VLAN. The clients are still showing IPs from the Management Interface.


Here are the options I have configured in IAS - maybe I'm missing something.


Ignore-User-Dialin-Properties = True
Service-Type = Login
Tunnel-Medium-Type = 802 (include all 802 media plus Ethernet canonical format)
Tunnel-Pvt-Group-ID = 200
Tunnel-Type = virtual LANs (VLAN)


And from the WLC Interface configuration:

VLAN Identifier = 200
IP Address = 10.100.200.250
Netmask = 255.255.255.0
Gateway = 10.100.200.1

Layer 2:
Layer 2 Security: WPA+WPA2
WPA2 Policy = True
WPA2 Encryption = AES TKIP
PSK
ASCII

Layer 3:
Layer 3 Security: none
Web Policy = True
Authentication = True

Advanced:
Allow AAA Override Enabled



Thoughts?


Thanks

Shaun






j-shearer Wed, 04/01/2009 - 04:12

Shaun -


Under the security settings for the particular WLAN profile, do you have the AAA server specified? If you have configured it in the WLC already it should show up in the drop-down list.


Joe

Shaun Bender Wed, 04/01/2009 - 09:03

Joe - Yes, it has our IAS server listed and it's listed at the top for Authentication priority.


-Shaun



j-shearer Tue, 04/07/2009 - 08:31

Shaun -


I have attached a screenshot of the section of my RA Policy for Dynamic VLAN assignment. From what I gather mine is a bit different from yours since I am using WPA2-Enterprise (MS-PEAP). My RA policy has two conditions:


1. the RADIUS client must originate from the WLC's MGMT IP address

2. The wireless laptop/user must each be a member of two specific Windows security groups (one containing the computer account and one containing the user account)


My authentication is MS-CHAPv2 using PEAP and server certificate so that the server can authenticate the user/computer.


I can attach additional pics to show the rest of the RA policy.


Let me know if this helps.


Joe



Shaun Bender Tue, 04/07/2009 - 08:46

Your RA Policy has identical values, just like mine. I did the AAA debugging on the WLC and it shows AAA settings to be "override". However, the changes are not happening. I'm running Software Version 5.2.178.0 on the WLC. Maybe it has to do with the version?

j-shearer Tue, 04/07/2009 - 08:57

Shaun -


It could be. I am running version 4.2.176 on my WLC. We have not made the "leap" to version 5.x yet as I have heard there have been multiple "issues" with version 5.x. In fact, a TAC representative told me to stay at 4.2.x unless there was a specific feature/functionality that only version 5.x could provide. At face value, the configuration settings you posted prior looked fine.


Let me know if you need any additional info.


Joe

jim.robinson Wed, 04/08/2009 - 07:50

I have tested this IAS setup on build

AS_5.0.148.0_CSCsm98250.aes


And have no problems with the IAS/Radius dynamic vlan assignment using AD groups.


Hope this helps.

Jim

Shaun Bender Wed, 04/08/2009 - 07:54

Jim - thanks for the information, could I see how you have your switch ports setup for the WLC and APs? Maybe I'm missing something on mine.


Thanks,

Shaun



jim.robinson Wed, 04/08/2009 - 09:56

Shaun,


My LAG - etherchannel interface:

interface Port-channel8
 description WLC-portchannel
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,3,24-26
 switchport mode trunk
end

---------------


My 2 WLC Fiber ports:

Current configuration : 382 bytes
!
interface GigabitEthernet7/47
 description CiscoWLC-LAG-Ports
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,3,24-26
 switchport mode trunk
 service-policy output autoqos-voip-policy
 qos trust cos
 auto qos voip trust
 tx-queue 3
   bandwidth percent 33
   priority high
   shape percent 33
 spanning-tree bpdufilter enable
 channel-group 8 mode on
end

2200-3A#sh run int g7/48
Building configuration...

Current configuration : 382 bytes
!
interface GigabitEthernet7/48
 description CiscoWLC-LAG-Ports
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,3,24-26
 switchport mode trunk
 service-policy output autoqos-voip-policy
 qos trust cos
 auto qos voip trust
 tx-queue 3
   bandwidth percent 33
   priority high
   shape percent 33
 spanning-tree bpdufilter enable
 channel-group 8 mode on
end


----------------------------------


I use vl1 for ap mgmt, vl3 for hotspot, and vl24-26 for WPA2 clients and wireless voip devices.

------------------


One of my AP switchports on the same switch. I let the trunk port to the AP carry a range of VLANs, and then I manage the VLANs assigned to clients with IAS and the WLC.

--------------------------------

!
interface FastEthernet4/48
 description AP-PoE
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1-1004
 switchport mode trunk
 service-policy output autoqos-voip-policy
 qos trust cos
 auto qos voip trust
 tx-queue 3
   bandwidth percent 33
   priority high
   shape percent 33
end


Jim

Shaun Bender Mon, 04/20/2009 - 09:09

Hi Jim,


I have switched back to software version 4.2.176.0 on the WLC. Still the same issues, would it be possible to see a switch config for the APs and WLC?


Thanks

Shaun

Shaun Bender Tue, 04/21/2009 - 18:52

Jim - thanks for posting the config, I missed your previous post and didn't see it.


-Shaun

bhoops Tue, 04/28/2009 - 05:16

Shaun,


I don't know if you have resolved your issue, or if this response is even specific to your configuration, but it should be noted that you can use dynamic VLAN assignment for 802.1x authentication, but not for web authentication as the IP address has already been assigned prior to authentication.


-Brian
