Dynamic VLAN/SSID assignment using 4402/MS IAS

j-shearer
Level 1

Greetings,

In short we have a WLC4402 (50 AP license) and approx 30 1252s LAPs in place. Right now we have three VLANs/SSIDs in place - one for admin, one for teachers and one for students. The WLC uses a MS Windows 2003 server running IAS for PEAP authentication. The clients are Windows XP, the SSID is entered manually based on "pre-designation" of the laptop's "type" (either admin, teacher or student).

This is working fine. However, more and more frequently our users have been "sharing" laptops, so a student may need to use a teacher's laptop and vice-versa. In short, we would like to use dynamic VLAN/SSID assignment so that if a student does have a teacher's laptop, the "student" VLAN/SSID would be assigned to them when they log in (and the proper ACLs, QoS policies, etc. would be applied).

We have found documentation on how to perform this with an ACS, but is there anything available for this configuration with an MS IAS server?

Any input/information would be greatly appreciated.

Joe

Accepted Solution

The setup works fine with MS IAS server. You have to set the RADIUS options (3 of them) that are documented in the similar ACS article of the same ilk. You can have a single SSID, using RADIUS auth, and have Active Directory determine vlan membership based on group.

The RADIUS attribute settings are

Tunnel-Type = Vlan

Tunnel-Pvt-Group-ID = vlanid

Tunnel-Medium-Type = 802

I also like to set

Ignore-User-Dialin-Properties = True

You need to create some Policies in IAS to match your Windows groups, and set the correct vlan id. A separate IAS policy per vlan.

Set the RADIUS attributes per IAS policy and per AD group or however you plan on determining membership.

If you want to use RADIUS for administration, you also have to define a separate policy that sets RADIUS attribute Service-Type = Administrative

Jim

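The three tunnel attributes Jim lists go out on the wire as tagged RADIUS AVPs (RFC 2868), and a missing tag byte or a wrong enumeration value is enough for the controller to ignore the override. As an added example that is not from this thread, the following Python script builds a constructed Access-Accept carrying those attributes and decodes the VLAN a controller would apply; the packet layout is standard RADIUS, while the `assigned_vlan` check is my own and only models the three attributes discussed here.

```python
import struct

# RADIUS attribute type codes and enumerations (RFC 2865 / RFC 2868)
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID, SERVICE_TYPE = 64, 65, 81, 6
TUNNEL_TYPE_VLAN = 13      # "Virtual LANs (VLAN)" in the IAS attribute dialog
TUNNEL_MEDIUM_802 = 6      # "802 (includes all 802 media plus Ethernet canonical format)"
SERVICE_LOGIN, SERVICE_ADMIN = 1, 6


def tagged_int(attr_type: int, value: int, tag: int = 0) -> bytes:
    """Tagged integer AVP: type, length=6, tag octet, 3-byte big-endian value."""
    return struct.pack("!BBB", attr_type, 6, tag) + value.to_bytes(3, "big")


def tagged_string(attr_type: int, text: str, tag: int = 0) -> bytes:
    """Tagged string AVP: type, length, tag octet, string bytes."""
    data = text.encode()
    return struct.pack("!BBB", attr_type, 3 + len(data), tag) + data


def build_access_accept(vlan_id: int, admin: bool = False, ident: int = 1) -> bytes:
    """Constructed Access-Accept (code 2) carrying the VLAN attributes from the thread."""
    avps = (tagged_int(TUNNEL_TYPE, TUNNEL_TYPE_VLAN)
            + tagged_int(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_802)
            + tagged_string(TUNNEL_PRIVATE_GROUP_ID, str(vlan_id))
            + struct.pack("!BBI", SERVICE_TYPE, 6, SERVICE_ADMIN if admin else SERVICE_LOGIN))
    authenticator = b"\x00" * 16  # constructed placeholder; real packets carry an MD5 value
    return struct.pack("!BBH", 2, ident, 20 + len(avps)) + authenticator + avps


def parse_avps(packet: bytes) -> dict:
    """Return {attribute type: raw value bytes} for every AVP after the 20-byte header."""
    avps, pos = {}, 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute length")
        avps[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return avps


def assigned_vlan(packet: bytes):
    """VLAN ID the override would apply, or None if any of the three attributes is missing/wrong."""
    avps = parse_avps(packet)
    if not {TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID} <= avps.keys():
        return None
    ttype = int.from_bytes(avps[TUNNEL_TYPE][1:], "big")          # skip the tag octet
    tmedium = int.from_bytes(avps[TUNNEL_MEDIUM_TYPE][1:], "big")
    if ttype != TUNNEL_TYPE_VLAN or tmedium != TUNNEL_MEDIUM_802:
        return None
    group = avps[TUNNEL_PRIVATE_GROUP_ID]
    # RFC 2868: a leading octet <= 0x1F is a tag; anything larger is part of the string
    vlan = group[1:] if group and group[0] <= 0x1F else group
    return int(vlan) if vlan.isdigit() else None
```

Running `assigned_vlan` over a capture of the real Access-Accept (for example from a packet trace taken between the IAS server and the WLC management address) shows whether the server is sending the attributes at all, which separates a policy problem from a controller-side override problem.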


Thx for the article. I will be configuring in about two weeks so this will definitely come in handy.

One question, the article states that the configuration is a "single SSID" and that settings are applied based on user credentials (which is what I am looking for). I am guessing that I could take this one step further and use two (or more) SSIDs but I am assuming that each individual SSID would have to be already configured on the clients. When the user logs in then the policy would determine which local SSID the client would connect to.

Am I correct in thinking this way? Obviously I am going to have to do some testing, but I am looking for any "gotchas" or "pitfalls".

Thx again

Joe


After messing around with it last week I was able to get it working. Everything you listed in your post is exactly what I ended up doing to get things working. Too bad I didn't have this two weeks ago ;)

Thx Jim for post though.

Joe

I'm wanting to build the same scenario, however I'm having issues with the users being connected to the right vlan, they are only able to access the vlan that the WLAN is setup on in the WLC configuration. I have AAA override on, and they are able to authenticate, just not switching to the associated VLAN under the IAS policy. Could you post some of your configuration for comparison?

Thanks

Shaun

Shaun -

From the WLC perspective here is what I had to do:

1. Check the "Allow AAA Override" for each WLAN Profile using Dynamic-VLANs.

2. For each WLAN Profile using Dynamic VLAN assignment I had to set the interface to the management interface of the WLC. The management interface's IP is what is in the MS IAS server as the RADIUS client.

3. Make sure that none of the other interfaces on the WLC are in the same VLAN as the MS IAS server. If they are, the WLC will attempt to use that interface to contact the MS IAS server rather than the management interface, and the IAS server will reject the request.

Hope this information helps. If you want, I could gather some screenshots of how I configured the WLC/IAS server.

Let me know.

Joe

Joe - thanks for the response.

I've made the suggested modifications. I did have the WLC service port on the same VLAN as IAS; I've switched those to different VLANs (I noticed that issue when I originally put the Management IP in for the IAS client, as they were not talking).

I've switched all the WLANs to the Management Interface, the users still authenticate fine without issues, however they're not being switched to the correct VLAN. The clients are still showing IPs from the Management Interface.

Here are the options I have configured in IAS - maybe I'm missing something.

Ignore-User-Dialin-Properties = True

Service-Type = Login

Tunnel-Medium-Type = 802 (include all 802 media plus Ethernet canonical format)

Tunnel-Pvt-Group-ID = 200

Tunnel-Type = virtual LANs (VLAN)

And from the WLC Interface configuration:

VLAN Identifier = 200

IP Address = 10.100.200.250

Netmask = 255.255.255.0

Gateway = 10.100.200.1

Layer 2:

Layer 2 Security: WPA+WPA2

WPA2 Policy = True

WPA2 Encryption = AES TKIP

PSK

ASCII

Layer 3:

Layer 3 Security: none

Web Policy = True

Authentication = True

Advanced:

Allow AAA Override Enabled

Thoughts?

Thanks

Shaun

Shaun -

Under the security settings for the particular WLAN profile, do you have the AAA server specified? If you have configured it in the WLC already it should show up in the drop-down list.

Joe

Joe - Yes, it has our IAS server listed and it's listed at the top for Authentication priority.

-Shaun

Shaun -

I have attached a screenshot of the section of my RA Policy for Dynamic VLAN assignment. From what I gather mine is a bit different from yours since I am using WPA2-Enterprise (MS-PEAP). My RA policy has two conditions:

1. the RADIUS client must originate from the WLC's MGMT IP address

2. The wireless laptop/user must each be a member of two specific Windows security groups (one containing the computer account and one containing the user account)

My authentication is MS-CHAPv2 using PEAP and server certificate so that the server can authenticate the user/computer.

I can attach additional pics to show the rest of the RA policy.

Let me know if this helps.

Joe

Your RA Policy has identical values, just like mine. I did the AAA debugging on the WLC and it shows AAA settings to be "override". However, the changes are not happening. I'm running Software Version 5.2.178.0 on the WLC. Maybe it has to do with the version?

Shaun -

It could be. I am running version 4.2.176 on my WLC. We have not made the "leap" to version 5.x yet as I have heard there have been multiple "issues" with version 5.x. In fact, a TAC representative told me to stay at 4.2.x unless there was a specific feature/functionality that only version 5.x could provide. At face value, the configuration settings you posted prior looked fine.

Let me know if you need any additional info.

Joe

I have tested this IAS setup on build

AS_5.0.148.0_CSCsm98250.aes

And have no problems with the IAS/Radius dynamic vlan assignment using AD groups.

Hope this helps.

Jim

Jim - thanks for the information, could I see how you have your switch ports setup for the WLC and APs? Maybe I'm missing something on mine.

Thanks,

Shaun
