Re: WLC 4402 Need config for 2 SSIDs on 2 VLANs

scdladmin · ‎08-25-2008

I have a WLC 4402 configured to run 1131AG LAPs in 11 buildings.

I already have a working SSID on VLAN 3 for public consumption.

Now, I want to add a second SSID on a separate VLAN 6 that uses a RADIUS server to authenticate our Windows domain users. This SSID will not be broadcast, either. Basically, what I want to end up with is two SSIDs (one public, one private) operating on different VLANs.

I've set up the new subnet scope and scope options on the same DHCP servers.

I've set up the subinterface on the router and added the same IP-Helper addresses of the DHCP servers.

I've got the IAS server configured and communicating with the WLC.

I've set up the second interface and WLAN on the WLC 4402.

When testing on a laptop, I can manually enter the SSID and get it to attempt to connect. The SSID is being seen, but the laptop is failing to obtain an IP address from the DHCP servers.

In troubleshooting this, I'm wondering how this configuration can work, since the LAPs are access ports on the switches assigned to VLAN 3. They cannot be made into trunk ports on the switch and work with the WLC.

I've searched for anything that would describe this kind of configuration, but haven't found anything, yet.

Does anyone have some kind of configuration example that would describe how to get all these components configured and operational to support two SSIDs on two VLANs?

TIA

Rick

CFayNTAdmin83 · ‎08-25-2008

Hi Rick,

I have experience with MS IAS (PEAP w/ MS-CHAP v2) and the 4402. When the tricks are all worked out with IAS, it works pretty well. I'm currently using Funk OAS though. Please respond to the following questions...

1. Have you tried statically setting the DHCP server IP address in the WLAN configuration on the controller?

2. Can you confirm that your IAS Radius server is working / setup properly?

- Did you setup a certificate authority or a third party cert for IAS to use?

-Do you have a valid RAS policy created for clients to pass through? I make mine require "domain users" as a group requirement.

-Do you have any strict policy requirements in place like a "NAS-PORT-TYPE" and the port type is set for 802.11 (wireless)?

3. Can you ping the WLC interface that the WPA2 Enterprise ssid is using?

Just a little bit of background on the WLC as well to answer your question about the different vlans / wlans.

The WLC is connected to your core switch via a trunk port. The trunk port needs to have access to the different vlans that you intend to use for wlans as well as the vlan you put your ap's on. A simple config on the port like this should work fine.

description WLC PORT

switchport mode trunk

switchport trunk encapsulation dot1q

Interfaces for each vlan that the controller needs to talk to are created on the controller. All traffic from the AP is sent on the AP manager vlan back to the controller, and then the controller dictates which vlan the traffic needs to get forwarded to, via the interface you created.

So, if your clients aren't getting IP's then it could be that the vlan isn't accessible by the WLC, your client failed authentication because the radius server denied it, the dhcp scope is off, the helper address is incorrect, or the client is not cofigured properly. Based on what I'm hearing though, if the static DHCP server setting doesn't work, I'm leaning toward auth failure / radius IAS problems. What does your client status say on the WLC? If you try the test again, please do a MAC address client lookup from the controller and let us know what the WLC says...

P.S. Below is a technet link that should help get logging going on IAS so you can see from the MS side if the client auths properly...

http://technet.microsoft.com/en-us/library/cc787894.aspx

scdladmin · ‎08-25-2008

CFayNTAdmin83,

Thanks for the response.

1. Changing the setting in the WLAN for DHCP server override and requring DCHP Address Assignment has not effect.

2. I followed this link to configure IAS, but also used some other resources on both Technet and Cisco to assist in the configuration:

http://articles.techrepublic.com.com/5100-10878_11-6148579.html

- IAS is installed on one of our domain controllers.

- I set up the logging to the local file. Would have preferred using SQL 2005, but nothing is provided in IAS to facilitate this and the documentation regarding the database is sparse at best. I don't have enough SQL 2005 expertise to build the database, table(s) and index(s) from the ground up, so I had to forego this method for now. After setting the WLC RADIUS Authentication server settings, a log file was created on the server and gets routine messages from the WLC, although it is always the same one. Just looks like some routine message stating that All users must use Windows authentication that is generated at some specified interval. Kind of like a heartbeat message or something like that.

- In the RADIUS client that I have set up for the WLC, I have tried changing the Client-Vendor setting from RADIUS Standard to Cisco.

- Following the article in the link above, I used the wizard to configure the Remote Access Policy for this. The conditions are NAS-Port-Type matches "Wireless - Other OR Wireless IEEE 802.11" AND Windows-Groups matches "Domain Computer, Domain Users, Domain Admins"

- One oddity occurs with IAS, once - and only once - each day. If I open IAS mmc - open the properties of the Remote Access Policy I configured for this -> Edit Profile -> Authentication tab -> EAP Methods button -> highlight PEAP and click Edit button I get an error box saying there is no matching certificate. I import the same certificate again which is a self-signed certificate from our CA and is valid until next year. I can log off/on all day and check this again and everything is fine. Come back tomorrow and start all over again with the invalid cert box.

3. I can ping all the IPs associated with the WLC and private SSID/VLAN I am trying to get working.

4. WLC has two GBICs. On the WLC side, these are link aggregated. On the switch side, both have the switchport trunk, switchport trunk encap dot1q and switchport trunk allowed vlan 1,3,6 commands entered. There is also a channel-group 10 mode on entry. Interface Port-channel 10 is also configured with the same three switchport trunk entries.

The DHCP scope is enabled.

The IP helper addresses are correct (these are the same DHCP servers we use with every other VLAN)

Since this isn't working, I can't tell if the IAS authentication isn't taking place or the client is misconfigured.

- There are no Windows Event log messages on either the client or the IAS server regarding authentication;

- There are no IAS log messages indicating that an attempt was made or rejected;

- There are no WLC trap messages saying an attempt was made or rejected;

- For testing, I set the client to prompt for the domain name/password which it does. The client Wireless config shows the association with the private SSID and reports signal strength - then attempts to get a DHCP address and times out.

- The WLC monitor displays the client, associated with the private WLAN, but has 'No" under the Auth column.

- I've set the WLAN for WPA+WPA2 Level 2 Security and entered the only RADIUS server in the Advanced tab for Authentication and Accounting; on the client, I set the authentication for either WPA-Enterprise or WPA2-Enterprise (depending on the laptop used) and configured the Windows login name/password/domain, as well as the client and server certificates.

Rick

Scott Fella · ‎08-25-2008

Post your show run-config and I can tell you what you need to change. Also, how is your switchport configured where the wlc connects. Access port is correct for the access points.

-Scott
*** Please rate helpful posts ***

scdladmin · ‎08-26-2008

This must be an IAS issue, because if I don't use IAS at all and configure the client to just use WPA-Personal (PSK), it works fine.

So, now the question is...

Can anyone share their working configuration of Windows 2003 R2x64 IAS on a domain controller using a self-signed certificate, working with a WLAN Controller 4402 and 1131AG APs and the correct client configuration for either an HP or Dell laptop client using WPA-Enterprise or WPA2-Enterprise authentication?

I have poured over the Windows support site, Technet articles, Cisco documentation and various forums, but have yet to find a configuration for the WLC-IAS server and laptop clients that functions.

TIA

Rick

scdladmin · ‎09-04-2008

I've been working on this for two weeks and still don't have a working solution for RADIUS authentication for wireless laptops <-> WLC 4402 <-> IAS server(s) using PEAP (MSChapv2)

When I boot the laptop I'm testing with, an authentication success message is recorded in the IAS server. But when I log on with any account, IAS rejection messages are recorded and the wireless connection is never established. Windows Event log message on IAS server:

Event Type: Warning

Event Source: IAS

Event Category: None

Event ID: 2

Date: 9/4/2008

Time: 2:27:24 PM

User: N/A

Computer: DC1

Description:

User SCOTRNCPQ003.scdl.local was denied access.

Fully-Qualified-User-Name = domainname\SCOTRNCPQ003.scdl.local

NAS-IP-Address = 10.10.10.10

NAS-Identifier = scohc0ciswlc

Called-Station-Identifier = 00-21-55-C0-7D-70:Domain Staff

Calling-Station-Identifier = 00-90-4B-4C-92-B7

Client-Friendly-Name = WLAN Controller

Client-IP-Address = 10.10.10.10

NAS-Port-Type = Wireless - IEEE 802.11

NAS-Port = 29

Proxy-Policy-Name = Use Windows authentication for all users

Authentication-Provider = Windows

Authentication-Server =

Policy-Name =

Authentication-Type = EAP

EAP-Type =

Reason-Code = 8

Reason = The specified user account does not exist.

I believe that I'm at a spot where IAS is properly configured. So, either something in the WLAN Controller config is wrong or the laptop config is wrong.

I've read that the controller merely passes the messages from client to IAS server, but was wondering if it adds/subtracts anything from the messages as it's passing them back and forth. If so, then something about the controller configuration might need changed. I believe I've removed/disabled all the settings that attempt to encrypt the WLC <-> IAS communication because I couldn't get encrypted communication to work at all. The WLC 4402 config is:

Security -> AAA -> RADIUS -> Authentication:

Call Station ID = IP Address

Use AES Key Wrap = Unchecked

RADIUS Server 1:

Server Index = 1

Server Address = (IAS Server IP address)

Shared Secret Format = ASCII

Share Secret and Confirm Shared Secret are set with same key.

Key Wrap = unchecked box

Port Number = 1812

Server Status = Enabled

Support for RFC 3576 = Enabled

Server Timeoue = 2 seconds

Network User = checked

Management = checked

IPSec = unchecked

WLANs Edit -> TestSSID

General Tab:

Profile name = TestSSID

Type = WLAN

SSID = TestSSID

Status = checked

Security Policies = [WPA+WPA2][Auth(802.1X)]\

Radio Policy = All

Interface = domain test

Broadcast SSID = unchecked

Security Tab, Layer 2 tab:

Layer 2 Security = WPA+WPA2

MAC Filtering = unchecked

WPA Policy = checked

WPA Encryption = AES checked, TKIP unchecked

WPA2 Policy = checked

WPA2 Encryption = AES checked, TKIP unchecked

Auth Key Mgmt = 802.1X

Security Tab, Layer 3 tab:

Layer 3 Security = None

Web Policy = unchecked

Security Tab, AAA Servers tab:

Authentication Server 1 = IAS server IP, 1812

Accounting Servers = Enable box checked, Server 1 IP = IAS server IP, 1813

No LDAP servers

Local EAP Authentication = unchecked

Authentication Priority order for web-auth user = RADIUS, LOCAL, LDAP

QoS tab:

Quality of Service = Silver (best effort)

WMM Policy = Allowed

7920 AP CAC = unchecked

7920 Client CAC = unchecked

Advanced tab:

Allow AAA Override = unchecked

H-REAP Local Switching = unchecked

Enable Session Timeout = checked, 1800 secs

Aironet IE = unchecked

Diagnostic Channel = unchecked

IPv6 Enable = unchecked

Overrid Interface ACL = None

P2P Blocking Action = Disabled

Client Exclusion = Enabled, 60 secs

DHCP Server = unchecked

DHCP Addr. Assignment = unchecked

Infrastructure MFP Protection = checked (Global MFP Disabled)

MFP Client Protection = Optional

DTIM Period 802.11a/n = 1

DTIM Period 802.1b/g/n = 1

NAC State = unchecked

nkariyawasam · ‎09-09-2008

I have similar setup with APs located in 22 differant locations, works without problem.

Your WLAN config seems to be OK. But, I also had the same authentication problem with IAS server when I user the Intel client on Laptop. Due to some reason IAS server could not understand that client is sending MS-CHAP type auth request.

When I use the Windows native client with wireless zero ocnfig ( I have tested with both XP and VIsta) it worked fine.

The DHCP issue: If your AP and WLAN are not in Reap mode, entire client traffic is encapsulated up to WLC. Therefore you need a DHCP server accessible in the same AP Management WLAN interface. If you enable Reap mode for both WLAN and AP, the client will search for a DHCP server located in the LAN where AP is plugged.

Nalaka.

scdladmin · ‎09-15-2008

I did manage to get PEAP-MSCHAPv2 authentication working, by ignoring any documentation on autoenrollment of machines to the certificate authority.

In working through all this, however, I think that PEAP-TLS authentication (or any other machine authentication method) would be a better fit for our environment, but I haven't been able to get authentication to occur using a machine certificate. IAS is still complaining that the specified user account does not exist.

This isn't a WLC issue, so I'm largely posting on the MS site for this. However, if anyone has gotten this working with PEAP-TLS - or any other machine authentication method - I would appreciate hearing how you configured IAS and the clients to get this to function.

TIA

Rick

m.pedre · ‎12-23-2010

scdladmin

I have the same problem with ias with out vlans and 1 ssdi only

have you resoved it?

thanks