Using a RADIUS Server to Assign Users to VLANs

Nov 26th, 2008

Is this possible on autonomous access points? http://www.cisco.com/en/US/docs/routers/access/1800/wireless/configuration/guide/s37vlan.html#wp1038739


I try to set this up but it does not work. I have 2 SSIDs, "Test1" defined on VLAN 10 and "Test2" on VLAN 99. Everything works fine if the RADIUS server does not send the VLAN attributes or if it sends the matching VLAN attributes. However, if I try to connect to "Test1" and the RADIUS server wants to assign the user to VLAN 99 instead, I see "one-way traffic". First the computer successfully authenticates and associates with the access point. If I check with "show dot11 associations all-client" I can see the client is associated and assigned to VLAN 99. However, now the computer will request an IP address with DHCP. The DHCP server receives it as usual and will respond with a DHCP OFFER. However, the DHCP OFFER never makes it to the wireless client. If the client connects to "Test2" instead it will work immediately. All other examples for dynamic VLAN assignments I have found so far use LWAPPs and a controller. Is this possible with autonomous APs?


Abridged config:

dot11 vlan-name Test vlan 10
dot11 vlan-name Test2 vlan 99
!
dot11 ssid Test
 vlan 10
 authentication open eap eap
 authentication network-eap eap
 authentication key-management wpa
 guest-mode
 mbssid guest-mode
!
dot11 ssid Test2
 vlan 99
 authentication open eap eap
 authentication network-eap eap
 authentication key-management wpa
 mbssid guest-mode
!
interface Dot11Radio0
 no ip address
 !
 encryption vlan 99 mode ciphers aes-ccm tkip
 !
 encryption vlan 10 mode ciphers aes-ccm tkip
 !
 ssid Test
 !
 ssid Test2
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
!
interface Dot11Radio0.10
 encapsulation dot1Q 10
 no cdp enable
 bridge-group 10
 bridge-group 10 subscriber-loop-control
 bridge-group 10 spanning-disabled
 bridge-group 10 block-unknown-source
 no bridge-group 10 source-learning
 no bridge-group 10 unicast-flooding
!
interface Dot11Radio0.99
 encapsulation dot1Q 99
 no cdp enable
 bridge-group 99
 bridge-group 99 subscriber-loop-control
 bridge-group 99 spanning-disabled
 bridge-group 99 block-unknown-source
 no bridge-group 99 source-learning
 no bridge-group 99 unicast-flooding
!

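For reference, the attributes the RADIUS server has to return in the Access-Accept for the assignment described above are the RFC 2868 tunnel attributes with the values RFC 3580 reserves for VLANs: Tunnel-Type (64) = VLAN (13), Tunnel-Medium-Type (65) = IEEE-802 (6) and Tunnel-Private-Group-ID (81) = the VLAN ID or VLAN name, all carrying the same tag byte. The script below is an added example, not code from this thread or from Cisco: it encodes that triplet exactly as it goes on the wire and decodes it the way an authenticator such as the AP has to, including the tag-byte rule and the rejection of partial or mismatched replies. The sample reply it builds (VLAN 99, tag 1) is constructed for the example.

```python
"""RFC 2868 / RFC 3580 tunnel attributes for RADIUS-assigned VLANs.

Added example (not from the thread): builds the three attributes an
Access-Accept needs to move an 802.1X client to a VLAN, and decodes them
the way an authenticator (the AP) has to, tag byte included.
"""
import struct

# RADIUS attribute numbers (RFC 2868) and the enumerated values RFC 3580 uses
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6
VLAN_ATTRS = {TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID}


def _avp(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as Type, Length, Value (length covers the header)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_vlan_attributes(vlan, tag: int = 1) -> bytes:
    """Encode the triplet that assigns `vlan` (a numeric ID or a VLAN name).

    Tagged integers are a 1-byte tag followed by a 3-byte value; the tagged
    string is the tag followed by the text (RFC 2868, section 3).
    """
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0x00..0x1F")
    group = str(vlan).encode("ascii")
    return (
        _avp(TUNNEL_TYPE, bytes([tag]) + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
        + _avp(TUNNEL_MEDIUM_TYPE, bytes([tag]) + TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big"))
        + _avp(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + group)
    )


def parse_attributes(data: bytes):
    """Split a RADIUS attribute stream into (type, value) pairs; reject bad lengths."""
    out = []
    i = 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")
        out.append((attr_type, data[i + 2 : i + length]))
        i += length
    return out


def _split_tag(value: bytes):
    """Return (tag, payload). A first byte above 0x1F is data, not a tag (RFC 2868)."""
    if value and value[0] <= 0x1F:
        return value[0], value[1:]
    return 0, value


def assigned_vlan(data: bytes):
    """Return the VLAN (ID or name, as str) an Access-Accept asks for, or None.

    All three attributes must be present under the same tag, the type must be
    VLAN and the medium IEEE-802. Anything else counts as "no assignment", so
    the client stays on the SSID's default VLAN instead of landing on a VLAN
    picked from a partial or malformed reply.
    """
    by_tag = {}
    for attr_type, value in parse_attributes(data):
        if attr_type in VLAN_ATTRS:
            tag, payload = _split_tag(value)
            by_tag.setdefault(tag, {})[attr_type] = payload
    for _tag, attrs in sorted(by_tag.items()):
        if set(attrs) != VLAN_ATTRS:
            continue
        if len(attrs[TUNNEL_TYPE]) != 3 or len(attrs[TUNNEL_MEDIUM_TYPE]) != 3:
            continue
        if int.from_bytes(attrs[TUNNEL_TYPE], "big") != TUNNEL_TYPE_VLAN:
            continue
        if int.from_bytes(attrs[TUNNEL_MEDIUM_TYPE], "big") != TUNNEL_MEDIUM_IEEE_802:
            continue
        try:
            return attrs[TUNNEL_PRIVATE_GROUP_ID].decode("ascii")
        except UnicodeDecodeError:
            continue
    return None


if __name__ == "__main__":
    # Constructed sample: what the server returns to move a user to VLAN 99.
    reply = build_vlan_attributes(99)
    print(reply.hex())           # 40060100000d4106010000065105013939
    print(assigned_vlan(reply))  # 99
```

Whatever the server sends, the AP side still has to know the target VLAN: the autonomous AP only honours an assignment to a VLAN that has its own encryption vlan line and dot1Q subinterface with a bridge group, as in the posted config for VLANs 10 and 99, which is why an assignment to an unconfigured VLAN shows up as a client that authenticates but passes no traffic.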
Gerald Vogt Tue, 12/02/2008 - 14:05

Thanks for the link. But the section only links to another page which contains exactly the same description which I have posted before. I know all that. I can't see anything there that I should do differently.


Do you use it yourself? Do you have autonomous APs using RADIUS based VLAN assignments?



tpereirahpts Sun, 02/08/2009 - 15:07

Hi,


I have an autonomous access point AIR-AP1252AG-E-K9 with firmware version 12410JA. I have only one SSID and multiple VLANs that can be assigned by the attributes delivered by a RADIUS server.


The users authenticate OK and I see the DHCP discover arrive at the DHCP server, but the DHCP offer doesn't arrive at the wireless client.


How did you solve the DHCP problem?

Gerald Vogt Sun, 02/08/2009 - 16:33

Are you sure you don't have multiple BSSID enabled?

tpereirahpts Sun, 02/15/2009 - 03:34

Yes, I don't have multiple BSSID enabled.


Apparently the problem was solved with a AP reboot.



Thanks.


fernandoaguirre Tue, 03/10/2009 - 15:46

Can you please send me the configuration of the AP for only one SSID and multiple VLANs that can be assigned by the attributes delivered by a RADIUS server?

I have the ACS Server dynamically assigning the vlans but I get an authentication error on the AP.

Gerald Vogt Tue, 03/10/2009 - 16:44

What error do you get exactly on the AP?


Generally, I only got authentication errors on the AP if the authentication was in fact incorrect. Does the log of the ACS server show that the user is successfully authenticated?


The configuration which I have posted initially does work if you don't have MBSSID enabled (i.e. use "no dot11 mbssid" to make sure).

fernandoaguirre Tue, 03/10/2009 - 17:44

Thanks Gerald... I have the config working now. It was a problem with the dhcp for that vlan and not the ap config.


Regards.

r.spiandorello Tue, 03/17/2009 - 07:26

Hi, in case of a difference between the PC SSID and the ACS-assigned SSID, where can I find the mismatch log? AP syslog?

thank you in advance

fernandoaguirre Tue, 03/17/2009 - 13:19

Hi,

I understand that the ACS assigns the vlan id or name, but not the ssid.

The SSID is between the PC and the AP.

Gerald Vogt Tue, 03/17/2009 - 14:47

Which mismatch? If the SSID on the PC is different from the SSID on the AP the PC won't connect. There is no log for that. The PC just won't find any wireless network to connect to.
