Authentication help putting user on different network after authentication

Unanswered Question
Jan 23rd, 2009


Two of our WLANs are web authentication types. A lot of the time people are connected to one of them but not authenticated. For example, we'll have 1000 users connected but only 200 are actually authenticated and doing something on the network; the rest are just connected. This has increased a lot since more and more people are getting hand-held wireless devices like an iPod. These users use up a lot of our "real" IP addresses. Is there a way to set up the WLANs to hand off some sort of 10.x.x.x address upon connecting, and then after they authenticate to give the users a real IP address? Basically they connect to one network and after authentication are put on a different one. This way the users will stay connected but it will free up a lot of IP addresses. I'm not sure if anyone else experiences this; if so, what have you done to possibly remedy this? Any suggestions would be appreciated.

Stephen Rodriguez Fri, 01/23/2009 - 11:16

This can be done from the AAA server. You would use the standard attributes 64/65/81, just like dynamic VLAN assignment on an aIOS AP. The only difference is that for the WLC, when you configure 81, you need to use the dynamic interface name on the WLC, and not the VLAN identifier.



brock0150 Fri, 01/23/2009 - 13:24

The standard attributes are per user; every user we have has their own username/password. There are about 40000+ users. Also, depending on which network they connect to, they should be getting an IP from the network they connect to, not the network we tell them to connect to. Basically the user has the ability to connect to either network. This is the document that I have been working off of

Is there a way that if a user came in on a specific network that they would be put on another network once authenticated??

Sorry if my reply seems a little confusing, it's hard to describe what you have and what you want.

Stephen Rodriguez Fri, 01/23/2009 - 13:28

"Is there a way that if a user came in on a specific network that they would be put on another network once authenticated??"

With a WLC, you do not get an address on the network until you have authenticated, in the case of 802.1x authentication at least. If you have ACS, you can build the attributes per group, and place the users in the respective groups.

So you can have a general SSID "Secure", and then have dynamic interfaces for the VLANs. Then you use the attribute to push them to the correct interface, where they get DHCP.
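As an added illustration (not from this thread, Cisco ACS, or the WLC), a Python sketch of the RFC 2868 tunnel attributes 64/65/81 that the two replies above refer to: it builds the triple for an Access-Accept, parses it back with length checks, and validates it the way a NAS would before applying it. The interface name "student-authed", the helper names and the tag handling are assumptions; the one WLC-specific point it shows is that attribute 81 carries the dynamic interface name rather than a VLAN number.

```python
# RFC 2868 tunnel attributes (64/65/81) as returned in a RADIUS Access-Accept.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13        # IANA Tunnel-Type value for VLAN
TUNNEL_MEDIUM_IEEE_802 = 6   # IANA Tunnel-Medium-Type value for 802 media

def _avp(attr, body):
    # RADIUS AVP: type (1 octet), length (1 octet, header included), value
    return bytes([attr, 2 + len(body)]) + body

def build_vlan_assignment(group_id, tag=1):
    """group_id is the VLAN number ("20") for an autonomous IOS AP but the
    dynamic interface name (assumed here: "student-authed") for a WLC."""
    return (_avp(TUNNEL_TYPE, bytes([tag]) + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
            + _avp(TUNNEL_MEDIUM_TYPE, bytes([tag]) + TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big"))
            + _avp(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + group_id.encode("ascii")))

def parse_avps(data):
    """Decode a run of AVPs into {attr: (tag, value)}; malformed lengths raise."""
    out, i = {}, 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 3 or i + data[i + 1] > len(data):
            raise ValueError("malformed AVP at offset %d" % i)
        attr, length = data[i], data[i + 1]
        body = data[i + 2:i + length]
        if attr in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            out[attr] = (body[0], int.from_bytes(body[1:], "big"))  # tag + 3-octet int
        elif attr == TUNNEL_PRIVATE_GROUP_ID:
            # a leading octet in 0x00-0x1F is a tag; anything else belongs to the string
            tag = body[0] if body[0] <= 0x1F else 0
            out[attr] = (tag, (body[1:] if tag else body).decode("ascii"))
        else:
            out[attr] = (0, bytes(body))
        i += length
    return out

def vlan_assignment(avps):
    """Return the group ID the NAS should apply, or None when the triple is
    incomplete, not VLAN/802, or carries conflicting tags."""
    try:
        (t_tag, t_val), (m_tag, m_val), (g_tag, group) = (
            avps[TUNNEL_TYPE], avps[TUNNEL_MEDIUM_TYPE], avps[TUNNEL_PRIVATE_GROUP_ID])
    except KeyError:
        return None
    if t_val != TUNNEL_TYPE_VLAN or m_val != TUNNEL_MEDIUM_IEEE_802:
        return None
    if len({t_tag, m_tag, g_tag} - {0}) > 1:   # tag 0 means "untagged"
        return None
    return group
```

On a real deployment the same three attributes are configured per ACS group, so the value of attribute 81 is what decides which WLC interface (and therefore which DHCP scope) an authenticated client lands on.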



brock0150 Fri, 01/23/2009 - 13:42

That's true, but I'm using web authentication, where you connect and get an IP address, then authenticate through a web browser. I have a WLAN which uses 802.1x authentication and I'm not really worried about it since the users are authenticated. I'm more worried about the web auth WLANs because a lot of users' devices are set to connect automatically even if the user doesn't log on to the network.


Stephen Rodriguez Fri, 01/23/2009 - 13:43

OK, that makes better sense then. But on that note, why are you giving them external IP addresses? Give them internal addresses and NAT to the internet?

brock0150 Fri, 01/23/2009 - 13:57

I would, but we're a university and we seem to have a lot of infringement issues where we have to be able to tie IP addresses and usernames together so we can track down the users. Then that user info gets sent on to a group that handles the infringements and then takes care of the people who submitted the request. We've talked about blocking peer-to-peer through an ACL so we really wouldn't have to worry about wireless infringements, but we're not really allowed to. Some sort of legal issue about blocking peer-to-peer. Or else we would probably NAT to the internet. Infringements are the main reason I'm trying to figure out a way to put connected users on internal addresses and authenticated users on external addresses. Then if a person with an internal address authenticated they would be given an external one. Just a side note, the web auth times out every 2 hours and the users have to re-authenticate.

By the way, thanks for the fast responses.


Stephen Rodriguez Fri, 01/23/2009 - 14:08

The dynamic VLAN assignment "should" still work. I know the WLC can get a bit picky about clients already in the MSCB changing IP addresses. Best bet, turn up a test WLAN and test it out to make sure it works.

