Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

ACS vlan assignments fail

I currently have a WLC 5508 and ACS 5.1, previously the only access policy was default network access with authorization profile permit access.

My users and machines successfully authenticate against radius via AD.

I want to consolidate some SSID’s and use dynamic vlan assignments via radius.  I created new vlan, ssid, a service, service selection rule, and authorization profile end station filters, etc, all this works if the authorization profile is set to permit. When I add the profile with the vlan it begins failing. I have used just the vlan profile and the vlan profile and the default permit profile together in both orders.

If I do not enable radius override on the WLC I get message saying radius overrides globally disabled.

One I turn on overrides and use the authorization profile with the vlan I get web auth failed, radius server disabled.

The radius server log shows could not find network resource or AAA client while accessing NAS by ip during authentication.

What am I missing?

Thanks,

Everyone's tags (3)
6 REPLIES
Hall of Fame Super Silver

Re: ACS vlan assignments fail

You said you had this working before? I have this lab'd out and I know it works. So the thing is, you have the wlc configured as a aaa client in ACS and the shared secret is identical. AAA Overide in the wlc needs to be enabled. Also the vlans that you want to put the users on need to be configured on the wlc. Can you screen shot your WLAN SSID and you ACS policies. Also can you post the failed or passed log in ACS.

Thanks,

Scott Fella

Sent from my iPhone

-Scott
*** Please rate helpful posts ***
New Member

Re: ACS vlan assignments fail

Let me clarify,

When I said previously I meant before I started adding these policies. The default policy still works and my users authenticate to the radius with their AD credentials, but they stay in the vlan of the ssid’s interface.

I want to add an authenticated guest ssid, and consolidate my existing ssids to reduce the number of SSID’s I have. I want to accomplish this with dynamic vlans.

It is the new ssid with a dynamic vlan that does not work. The dhcp switch, interface etc are setup because I can remove the dynamic vlan profile and it will connect to the interface I specify in the WLC config.

I can manually change the WLC Wlan config to associate with the different vlans I  want and they all work so there is no issue there.

The issue is dynamically assigning this interface / vlan via AAA.

I will get screen shots an error messages when I get in tomorrow.

I hope this makes the issue a little clearer.

Thanks,

Hall of Fame Super Silver

Re: ACS vlan assignments fail

Okay... so your guest ssid,,,, what authentication method are you using.  Usally when you consolodate SSID's, it is the internal SSID's and you keep guest seperate.  We can wait til tomorrow so I can see how you have the ssid and the ACS configured.

-Scott
*** Please rate helpful posts ***
New Member

Re: ACS vlan assignments fail

OK while taking screen shots and revving logs to send this moring I discovered the nas ip in the failure log. 

On a successful login of my current operations the nas ip is the management ip of the wlc x.x.16.254

On the failed logins with the vlan assignment the nas is the ip of the interfaced assigned to the wlan. In this case x.x.3.5

Once I added 3.5 as an AAA client and the shared key I can successfully authenticate with my test auth profile with vlan assignment. 

However I stay in the vlan of the wlan interface, I do not get moved to a new vlan as I should. 

I have attached the screen shots.  Let me know if there is more info you need. 

Thanks,

New Member

Re: ACS vlan assignments fail

OK got it working, 

I have been using web auth which will not work with dynamic vlans. 

i switched my security from webauth to WPA2. 

I would prefer webauth for guest because some clients have trouble validating the certificates, but is working.

Thanks for your help.

Re: ACS vlan assignments fail

For guest, they should be using webauth, and not an EAP type. But you would have to lock them down to a particular VLAN when they associated.

Steve

HTH, Steve ------------------------------------------------------------------------------------------------ Please remember to rate useful posts, and mark questions as answered
559
Views
0
Helpful
6
Replies
CreatePlease login to create content