Thanks for the answer, below are my comments.

1) It is already enabled

2) Here is also my main concern. WLC should be able to accept text for vlan assignement since Cisco switches do so, they map the VLAN description to the test that ACS sends. Maybe I need to open a TAC ticket to verify this.

But in any case this should only be a problem if you use purely the IETF RADIUS attributes to pass the VLAN to WLC, in this case I also use the Cisco Airespace       [VSA (Vendor-Specific)] attribute which certainly accepts the Interface name of WLC as an argument.

3) Dynamic interface is correctly configured in the WLC.

Today I will also try to update our WLC to version 6.0.199.4  from 6.0.196.0 since there is a resolved issue involving the proper function of AAA Ovveride, maybe that is the problem, will update when I do it.

BR,

George

A bit more debugging gave me this:

*Oct 15 09:31:28.491: xx:xx:xx:xx:xx:xx Received Tunnel-Group-ID Attribute -- ignoring AES Interface-Name '200' for STA xx:xx:xx:xx:xx:xx.
*Oct 15 09:31:28.491: xx:xx:xx:xx:xx:xx Tunnel-Type 16777229 should be 13 for STA xx:xx:xx:xx:xx:xx

(xx:xx:xx:xx:xx:xx is the client mac address)

It seems that:

1. WLC ignores the [14179\005] Aire-Interface-Name  parameter regardless of what the value is (I have tried the vlan number, the interface name etc)

2. the second error is that the tunnel-type 16777229 should be 13. The tunnel-type has the value VLAN as required according to the Cisco document and in general for this to work.  Funny thing is that RFC2868 doesn't define a value of 13 but RFC3580 define VLAN as value 13 so again I've set the correct value.

So I don't really know what to do now.  I guess I have to open a TAC ticket.

It sounds to me like it's ignoring the interface name attribute because you are pushing also the other attributes like Tunnel-group-ID.

If you push the tunnel type "vlan" and the tunnel-id, it will expect to get an attribute with the vlan number and thus ignores the AES interface name. did you try only sending the AES interface name ?

Nicolas

That might be the reason but as I wrote previously this setup also serves many switches thus I can't change the configuration without affecting the switches.

Also setting up another ACS just because the WLC doesn't understand some values is an overkill (taking also into account that I have to issue a certificate because of dot1x authentication etc).

In any case WLC should understand VLAN the [081] Tunnel-Private-Group-ID when using text because according to the RFCs this is a string value after all.

I am afraid that for the time being I have to freeze this and contact Cisco for a definitive answer.

Thanks for you input, if anything else comes in mind don't hesitate to reply

I won't debate the format of attribute 81 as I didn't check that point in details, so I avoid to say stupid things :-)

But for the rest, it's not "attributes that WLC doesn't understand". It gets attributes that indicate an IETF vlan number is pushed + attribute saying an interface name is pushed. It has to ignore one of the 2 right ? So that behavior looks correct to me.

How about using a NAP if you have ACS 4 or simply creating a service policy if you have ACS 5 ? that would allow you to differentiate attributes you send back to switches and to WLCs.

Regards,

Nicolas

Sorry, I didn't phrase it properly, ignoring one way of VLAN assignement is undestandable, I was only referring on how it understands the VLAN id value.

NAP can be a solution which I didn't think, will certainly try it and report the results.

Thanks

So I tried to use NAP and send to the WLC the VLAN id as a number and here is what I get:

Tunnel-Type 16777229 should be 13

Also tried to only send the interface name and again doesn't work.

So now I've really hit a brick wall. TAC is probably the only way to go now.

I found the problem after all: H-REAP !

Dynamic VLAN assignement doesn't work with H-REAP, it's written in the H-REAP documentation and somehow I missed it!