After enabling 802.1q VLANs on the (test-)switch I tried to enable them on the AP1200 too. I added all VLANs needed, entered a native-VLAN-ID (id '1' in my case) and enabled tagging. I want all RADIUS (802.1X) traffic to use this native-VLAN, and to assign the other VLANs to users after authentication.
The first problem is that the native VLAN is never used (I'm really sure I enabled the VLAN and enabled the VLAN in general). I get the following error in the logs/on the console:
"VLAN (802.1Q) Tagging is Enabled, but no Native VLAN is Enabled"
When sniffing the traffic on this switch-port (with a hub) I see that the AP-1200 doesn't use 1q tags, but that there is tagged traffic from other hosts. Tagging works, but the AP doesn't seem to use it.
Is this a known problem? I've seen the same behaviour on an AP350 earlier.
(I tried to disable the "When VLAN disabled"-vlan, that didn't work. The AP was reset to factory configuration before these attempts.)
The other problem is that the AP doesn't seem to "listen" to tags received from RADIUS. I added the tags in the dictionary of the RADIUS server (Radiator) and in the users-file as in the VLAN Deployment example. (Tunnel-Type = VLAN, Tunnel-Medium-Type = 802, Tunnel-Private-Group-ID = "2".)
When using cisco-avpair = "ssid=test" the user is only able to connect to this ssid, and the VLAN defined for this ssid is correct (except for the native-VLAN). Since e.g. XP is not able (as far as I've seen) to define this (secondary) ssid to be used and there is no switching from the ssid connected to, it is not a good solution for me. If this would work it still looks nicer to me to assign a VLAN, so I really hope this is possible.
I partially solved the issues in my previous post. The VLAN assignment by RADIUS now works: the problem was with RADIUS. ("802" does not refer to the correct Tunnel-Medium-Type (I guess it's interpreted as an integer value, not as a dictionary entry); that should be Ether_802 in the dictionary as well as in the users-file. I used the wrong example :-| )
I still don't get my authentication traffic over a VLAN however. The traffic for the Native VLAN is still untagged. Maybe that is the normal behaviour, but it's not what I expect from it. If it's normal, I'd like to hear that.
I found out I /can/ separate the traffic for the "default VLAN" a client gets from the authentication traffic by defining a second ssid that's used for the infrastructure only (with the Native VLAN in it) and setting the default ssid to the one a user needs to get by default.
But I'd like to see my authentication traffic over a tagged VLAN, instead of the Native VLAN that seems to be untagged (however I doubt if that is normal), and have in fact no untagged VLANs at all.
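
Added example (not part of the original posts and not Cisco or Radiator code): a Python check of the three RFC 3580 VLAN-assignment attributes as they appear on the wire, where Tunnel-Medium-Type must carry the integer 6. It assumes, as the post guesses, that a literal 802 is sent as the integer 802; the function names and sample bytes are constructed for illustration.

```python
import struct

# Attribute numbers from RFC 2868; required values from RFC 3580.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
VLAN, IEEE_802 = 13, 6

def tagged_int(attr_type, value, tag=0):
    """Encode a tagged integer attribute: type, length 6, tag, 24-bit value."""
    return struct.pack("!BBB", attr_type, 6, tag) + value.to_bytes(3, "big")

def sample_accept(medium, vlan="2"):
    """Constructed attribute list of an Access-Accept (header omitted)."""
    body = vlan.encode("ascii")
    group = bytes([TUNNEL_PRIVATE_GROUP_ID, 2 + len(body)]) + body
    return tagged_int(TUNNEL_TYPE, VLAN) + tagged_int(TUNNEL_MEDIUM_TYPE, medium) + group

def parse_attributes(data):
    """Split a raw attribute list into {type: value bytes}."""
    attrs, i = {}, 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute at offset %d" % i)
        attrs[data[i]] = data[i + 2:i + data[i + 1]]
        i += data[i + 1]
    return attrs

def assigned_vlan(data):
    """Return the VLAN ID the three attributes select, or None if they do not."""
    attrs = parse_attributes(data)
    ttype = attrs.get(TUNNEL_TYPE, b"")
    medium = attrs.get(TUNNEL_MEDIUM_TYPE, b"")
    group = attrs.get(TUNNEL_PRIVATE_GROUP_ID, b"")
    if len(ttype) != 4 or int.from_bytes(ttype[1:], "big") != VLAN:
        return None
    if len(medium) != 4 or int.from_bytes(medium[1:], "big") != IEEE_802:
        return None
    # A first octet of 0x00-0x1F is a tag; anything higher starts the string.
    if group and group[0] <= 0x1F:
        group = group[1:]
    text = group.decode("ascii", "replace")
    return int(text) if text.isdigit() else None

if __name__ == "__main__":
    print("medium 6   ->", assigned_vlan(sample_accept(IEEE_802)))  # accepted
    print("medium 802 ->", assigned_vlan(sample_accept(802)))       # rejected
```

Running the same check against attributes captured from the RADIUS server's Access-Accept shows whether a dictionary name resolved to the expected integer before the access point is blamed.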