I currently have a WLC 5508 and ACS 5.1. Previously, the only access policy was default network access with authorization profile permit access.
My users and machines successfully authenticate against radius via AD.
I want to consolidate some SSIDs and use dynamic vlan assignments via radius. I created a new vlan, ssid, a service, service selection rule, and authorization profile end station filters, etc. All this works if the authorization profile is set to permit. When I add the profile with the vlan, it begins failing. I have used just the vlan profile, and the vlan profile and the default permit profile together in both orders.
If I do not enable radius override on the WLC, I get a message saying radius overrides globally disabled.
Once I turn on overrides and use the authorization profile with the vlan, I get web auth failed, radius server disabled.
The radius server log shows could not find network resource or AAA client while accessing NAS by ip during authentication.
You said you had this working before? I have this lab'd out and I know it works. So the thing is, you have the wlc configured as an AAA client in ACS and the shared secret is identical. AAA Override in the wlc needs to be enabled. Also, the vlans that you want to put the users on need to be configured on the wlc. Can you screenshot your WLAN SSID and your ACS policies? Also, can you post the failed or passed log in ACS?
When I said previously I meant before I started adding these policies. The default policy still works and my users authenticate to the radius with their AD credentials, but they stay in the vlan of the ssid’s interface.
I want to add an authenticated guest ssid, and consolidate my existing ssids to reduce the number of SSIDs I have. I want to accomplish this with dynamic vlans.
It is the new ssid with a dynamic vlan that does not work. The dhcp switch, interface, etc. are set up, because I can remove the dynamic vlan profile and it will connect to the interface I specify in the WLC config.
I can manually change the WLC Wlan config to associate with the different vlans I want and they all work so there is no issue there.
The issue is dynamically assigning this interface / vlan via AAA.
I will get screenshots and error messages when I get in tomorrow.
Okay... so your guest ssid, what authentication method are you using? Usually when you consolidate SSIDs, it is the internal SSIDs and you keep guest separate. We can wait until tomorrow so I can see how you have the ssid and the ACS configured.