FlexConnect local/central switched and Access-Accept Packets
For our branch offices' wireless access, we would like to use FlexConnect with one SSID and two distinct user profiles:
• Full network access, local switched.
• Limited network access, central switched:
  ◦ To isolate traffic from the branch's LAN.
  ◦ To force traffic through a firewall at the central site.
    ▪ To ease access rules management.
  ◦ Internet access only by default.
    ▪ Internet access is located at the central site.
    ▪ We expect to manage some exceptions to the rule.
We know that it’s not possible to switch from local to central switched using the same SSID with FlexConnect and AAA Override.
However, we found an interesting bit in the documentation pages regarding RADIUS attributes:
Authentication Attributes Honored in Access-Accept Packets (Airespace)
This attribute indicates the WLAN ID of the WLAN to which the client should belong. When the WLAN-ID attribute is present in the RADIUS Access Accept, the system applies the WLAN-ID (SSID) to the client station after it authenticates. [...]
We then made an assumption that the following was possible:
• Create a second SSID
  ◦ Broadcast not enabled
  ◦ Central Switched
• Users would authenticate using the first SSID
• In its access-accept packet, the RADIUS server would return an Airespace-WLAN-Id attribute with the value of the second SSID.
• The WLC would then assign the second SSID to the users so they're central switched and forwarded through the firewall at the main site.
So far, our tests showed no results.
• Is that solution achievable at all? It seemed so from the documentation, but we haven't found any documented evidence that someone actually tried it.
• If not, what would you recommend?
For RADIUS, we are using Microsoft 2012r2 NPS servers. Everything’s been working fine with them so far. We can do AAA vlan override for our main site and with FlexConnect also, without any problems. What’s not working is the local/central switched scenario we’re trying to pull off. The RADIUS server sends the Airespace-WLAN-Id attribute from what I see with Wireshark, but the WLC does not seem to react to it like I thought it would. I couldn’t find a debug command that would tell me what the WLC does with the attributes from the access-accept packet. Maybe the behaviour I’m experiencing is to be expected, that’s what I would like to know.
Your WLAN is defined as centrally switched or locally switched; AAA override will not change that value. AAA attributes can change a user's VLAN, ACL and QoS. The other attributes are intended to be used for rules... example:
Is the user part of this AD group and is this user on WLAN ID=1.
You will not be able to go from centrally switched to locally switched and vice versa. I don't know how you would be able to achieve what you're trying to accomplish with one SSID, to be honest.
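The question relies on what the NPS server actually puts in the Access-Accept (the poster checked it in Wireshark), and the reply separates the attributes AAA Override acts on (VLAN, ACL, QoS) from the rest. The following is an added example, not code from the thread, from Cisco or from Microsoft: a small RADIUS attribute decoder that builds a constructed Access-Accept resembling the "limited access" profile described above and reports the Airespace vendor-specific attributes it carries. The Airespace enterprise number (14179) and the sub-attribute numbers come from the standard Airespace RADIUS dictionary; the user name, VLAN 120 and ACL name are made-up sample values, and the packet authenticator is zeroed because the packet is never sent.

```python
"""Decode the attribute list of a RADIUS Access-Accept as a Cisco WLC would
parse it. Added example for this thread; the sample packet is constructed."""
import struct

RADIUS_HEADER_LEN = 20          # code, identifier, length, 16-byte authenticator
ATTR_VENDOR_SPECIFIC = 26
AIRESPACE_VENDOR_ID = 14179     # Cisco Airespace enterprise number

# Vendor sub-attributes from the standard Airespace RADIUS dictionary.
AIRESPACE_ATTRS = {
    1: ("Airespace-WLAN-Id", "integer"),
    2: ("Airespace-QOS-Level", "integer"),
    5: ("Airespace-Interface-Name", "string"),
    6: ("Airespace-ACL-Name", "string"),
}
STANDARD_ATTRS = {1: "User-Name", 64: "Tunnel-Type", 65: "Tunnel-Medium-Type",
                  81: "Tunnel-Private-Group-ID"}


def avp(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as Type / Length / Value (RFC 2865)."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def airespace_vsa(sub_type: int, value) -> bytes:
    """Encode one Airespace Vendor-Specific attribute (vendor id + sub-TLV)."""
    payload = struct.pack("!I", value) if isinstance(value, int) else value.encode()
    inner = struct.pack("!BB", sub_type, 2 + len(payload)) + payload
    return avp(ATTR_VENDOR_SPECIFIC, struct.pack("!I", AIRESPACE_VENDOR_ID) + inner)


def access_accept(attributes: bytes, identifier: int = 1) -> bytes:
    """Wrap attributes in an Access-Accept header (code 2); authenticator zeroed."""
    length = RADIUS_HEADER_LEN + len(attributes)
    return struct.pack("!BBH", 2, identifier, length) + bytes(16) + attributes


def decode_attributes(packet: bytes) -> dict:
    """Return {attribute-name: value} for every attribute in an Access-Accept."""
    if len(packet) < RADIUS_HEADER_LEN:
        raise ValueError("packet shorter than RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != 2:
        raise ValueError(f"not an Access-Accept (code {code})")
    if length != len(packet):
        raise ValueError("RADIUS length field does not match packet size")
    result, pos = {}, RADIUS_HEADER_LEN
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError(f"bad length {attr_len} for attribute {attr_type}")
        value = packet[pos + 2:pos + attr_len]
        pos += attr_len
        if attr_type == ATTR_VENDOR_SPECIFIC:
            vendor_id = struct.unpack("!I", value[:4])[0]
            if vendor_id != AIRESPACE_VENDOR_ID:
                result[f"VSA-{vendor_id}"] = value[4:].hex()   # foreign vendor: keep raw
                continue
            sub_type, sub_len = value[4], value[5]
            if sub_len != len(value) - 4:
                raise ValueError("Airespace sub-attribute length mismatch")
            sub_val = value[6:6 + sub_len - 2]
            name, kind = AIRESPACE_ATTRS.get(sub_type, (f"Airespace-{sub_type}", "string"))
            result[name] = (struct.unpack("!I", sub_val)[0] if kind == "integer"
                            else sub_val.decode(errors="replace"))
        elif attr_type in (64, 65):
            # Tagged integer (RFC 2868): one tag byte, then a 3-byte value.
            result[STANDARD_ATTRS[attr_type]] = int.from_bytes(value[1:4], "big")
        elif attr_type == 81:
            # Tagged string: the tag byte is present only if it is 0x00-0x1f.
            if value and value[0] <= 0x1F:
                value = value[1:]
            result["Tunnel-Private-Group-ID"] = value.decode(errors="replace")
        else:
            result[STANDARD_ATTRS.get(attr_type, f"Attr-{attr_type}")] = value.decode(errors="replace")
    return result


def override_fields(attrs: dict) -> dict:
    """Pick out the values AAA Override acts on (VLAN, interface, ACL, QoS)."""
    mapping = {"Tunnel-Private-Group-ID": "vlan", "Airespace-Interface-Name": "interface",
               "Airespace-ACL-Name": "acl", "Airespace-QOS-Level": "qos"}
    return {short: attrs[name] for name, short in mapping.items() if name in attrs}


def is_well_formed(packet: bytes) -> bool:
    """True if the packet decodes without a framing error."""
    try:
        decode_attributes(packet)
        return True
    except ValueError:
        return False


# Constructed sample Access-Accept for the "limited access" profile (made-up values).
SAMPLE_ACCEPT = access_accept(
    avp(1, b"branch-user")
    + avp(64, b"\x00" + (13).to_bytes(3, "big"))   # Tunnel-Type = VLAN
    + avp(65, b"\x00" + (6).to_bytes(3, "big"))    # Tunnel-Medium-Type = 802
    + avp(81, b"\x00" + b"120")                    # Tunnel-Private-Group-ID = VLAN 120
    + airespace_vsa(1, 2)                          # Airespace-WLAN-Id = 2
    + airespace_vsa(6, "BRANCH-LIMITED")           # Airespace-ACL-Name
)

if __name__ == "__main__":
    decoded = decode_attributes(SAMPLE_ACCEPT)
    print("attributes:", decoded)
    print("AAA Override inputs:", override_fields(decoded))
```

To use this against a real capture, export the UDP payload of the Access-Accept from Wireshark as raw bytes and pass it to `decode_attributes`; the length checks reject a truncated export rather than silently misreading the tail, and any non-Airespace vendor attribute is kept as hex so nothing the server sent is hidden.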