
New Member

Per User VLAN, 1220 IOS, and MS IAS

Does anyone running a Cisco 1220 AP that has been upgraded to IOS have per user VLAN's working?

I have many Vxworks AP's that this is working on, but I upgraded one of my spares to the latest IOS and my laptop never gets moved to the correct VLAN.

There is a BugID CSCin46150 that says:

When a RADIUS Server is configured for a different VLAN (say 10) to be assigned to the user (client), than the one established with the SSID (say 5), the client gets assigned the original VLAN (as defined for the SSID, here 5) rather than the one sent by the ACS (VLAN 10).

It states it is fixed in 12.2(11)JA01, but I am still having the same problem. I see the information (private-group-id) being sent from the radius server (2000 server IAS) with a sniffer, but my laptop never is switched to that VLAN.

Does anyone have this working with IAS, or does anyone have this working with ACS?

Thanks

Don Hickey

4 REPLIES
New Member

Re: Per User VLAN, 1220 IOS, and MS IAS

Hi Don. What I had to do to get this working on IAS was to put the Tunnel Tag attribute in my Remote Access Policy. I just set it to 10. Worked like a champ (I believe it has to be between 1 and 31).

New Member

Re: Per User VLAN, 1220 IOS, and MS IAS

I'll tell you I am usually pretty good at this stuff, but I'll be darned if I still cannot get this to work. Here is a copy of my config on the AP.

version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname CC-IOS-AP
!
aaa new-model
!
!
aaa group server radius rad_eap
 server 10.32.230.23 auth-port 1645 acct-port 1646
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa authentication login default local
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec default local
aaa authorization ipmobile default group rad_pmip
aaa accounting network acct_methods start-stop group rad_acct
aaa session-id common
!
clock timezone S -6
clock summer-time S recurring
ip subnet-zero
!
dot11 network-map
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 broadcast-key vlan 31 change 900
 !
 !
 ssid Knox-Wireless
    vlan 1
    authentication open eap eap_methods
 !
 ssid Wireless
    vlan 31
    authentication open eap eap_methods
 !
 speed basic-1.0 basic-2.0 basic-5.5 basic-11.0
 rts threshold 2312
 channel 2462
 antenna receive right
 antenna transmit right
 station-role root
!
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio0.31
 encapsulation dot1Q 31
 no ip route-cache
 bridge-group 31
 bridge-group 31 subscriber-loop-control
 bridge-group 31 block-unknown-source
 no bridge-group 31 source-learning
 no bridge-group 31 unicast-flooding
 bridge-group 31 spanning-disabled
!
interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 ntp broadcast client
!
interface FastEthernet0.1
 encapsulation dot1Q 1 native
 no ip route-cache
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface FastEthernet0.31
 encapsulation dot1Q 31
 no ip route-cache
 bridge-group 31
 no bridge-group 31 source-learning
 bridge-group 31 spanning-disabled
!
interface BVI1
 ip address 10.1.225.3 255.255.0.0
 no ip route-cache
!
ip default-gateway 10.1.224.1
ip http server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag/ivory/1100
ip http authentication aaa
ip radius source-interface BVI1
radius-server host 10.32.230.23 auth-port 1645 acct-port 1646 key 7 141C1C04141323392124362631
radius-server retransmit 3
radius-server attribute 32 include-in-access-req format %h
radius-server authorization permit missing Service-Type
radius-server vsa send accounting
bridge 1 route ip

It is a pretty basic setup with no filters or anything. On My IAS server:

I have NAS-Port-Type matches "Virtual (VPN)" - this is because the 1220 IOS version sends this as the port type instead of "Wireless - IEEE 802.11" like the Vxworks AP's...

In the advanced tab -

Tunnel-Medium-Type = 802

Tunnel-Type = Virtual Lans

Tunnel-Pvt-Group-ID = 10031 (note I am trying to assign VLAN ID 31. The first number is added to the Tag 0x3X, so if I used 31 as the value the tag would read 0x33 and the value being sent is 1, so that would assign VLAN 1... This is not mentioned anywhere in Cisco's or Microsoft's docs... If you use a sniffer you can see the information being passed... On my Vxworks I have 10031 and the users are assigned to VLAN 31.)

I played around with the value for Tunnel-Pvt-Group-ID trying everything from 131, 1031, 0031, 031, etc. and no matter what, the laptop never gets moved to VLAN 31. I cannot get a DHCP address and if I statically configure an address on the laptop, no traffic passes through the AP. I am watching everything with a sniffer monitoring all traffic passing through the AP....

I am at a loss. I still cannot get this working on the 1220 IOS AP I have...

BTW - Vxworks users searching for information.... the IAS config above will assign the authenticated user to VLAN 31. Make sure that for the NAS-Port-Type "Wireless - IEEE 802.11"

New Member

Re: Per User VLAN, 1220 IOS, and MS IAS

Cisco updated the bug watcher on this...

BugID: CSCin46150

When a RADIUS Server is configured for a different VLAN (say 10) to be assigned to the user (client), than the one established with the SSID (say 5), the client gets assigned the original VLAN (as defined for the SSID, here 5) rather than the one sent by the ACS (VLAN 10).

WORKAROUND: There is NO Workaround for this problem.

This ddts was used to commit two fixes. One fix is part of 12.2(11)JA1 and the other fix will be part of our next IOS AP release. The first part is the general VLAN attribute fix for the Tunnel Private Group ID received from Radius ACS. The second fix allows zero as a valid VLAN attribute tag mainly to support Microsoft IAS.
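To make the tag behaviour discussed in the second and third replies concrete, here is an added Python example (not code from the thread, Cisco or Microsoft) that decodes a RADIUS Tunnel-Private-Group-ID attribute with the RFC 2868 tag rules: a first value byte of 0x01-0x1F is a tag, 0x00 is an unused tag, and anything above 0x1F is not a tag but the first byte of the string. It also models, as an assumption, the "first byte is always the tag" behaviour the second reply reports for the VxWorks AP, so you can see why 10031 lands on VLAN 31 there and not on an AP that follows the RFC. All attribute bytes are constructed for illustration.

```python
# Added example (not from the thread, Cisco or Microsoft): decode the RADIUS
# Tunnel-Private-Group-ID attribute (type 81) per RFC 2868 section 3.6 and
# show why "10031" with no Tunnel Tag is not "tag 1, VLAN 31" under the RFC.
# All attribute bytes here are constructed for illustration.

TUNNEL_PVT_GROUP_ID = 81


def build_attr(tag, group_id: str) -> bytes:
    """Build a raw (type, length, value) attribute.

    tag=None models an IAS policy with no Tunnel Tag configured: the string
    is sent with no tag byte in front of it (as the second reply observed).
    """
    value = group_id.encode("ascii")
    if tag is not None:
        value = bytes([tag]) + value
    return bytes([TUNNEL_PVT_GROUP_ID, 2 + len(value)]) + value


def decode_rfc2868(attr: bytes):
    """Return (tag, group_id) per RFC 2868: 0x00 = tag unused,
    0x01..0x1F = a tag, above 0x1F = not a tag, first byte of the string."""
    if len(attr) < 3 or attr[0] != TUNNEL_PVT_GROUP_ID or attr[1] != len(attr):
        raise ValueError("malformed Tunnel-Private-Group-ID attribute")
    value = attr[2:]
    if value[0] > 0x1F:
        return None, value.decode("ascii")
    return value[0], value[1:].decode("ascii")


def decode_first_byte_always_tag(attr: bytes):
    """Assumption: models the VxWorks AP behaviour the second reply reports,
    where the first value byte is stripped as a tag unconditionally."""
    value = attr[2:]
    return value[0], value[1:].decode("ascii")


def vlan_id(group_id: str):
    """Map the group-ID string to a VLAN number, or None if not 1..4094."""
    if not group_id.isdigit():
        return None
    vlan = int(group_id)
    return vlan if 1 <= vlan <= 4094 else None


# Tunnel Tag 10 + "31" (the first reply's fix): tag 10, VLAN 31 either way.
# No Tunnel Tag, "10031": VxWorks-style strips '1' (0x31) and gets VLAN 31;
# the RFC decoder keeps "10031", which is not a usable VLAN ID.
# Tag 0 + "31": the zero-tag case the second Cisco fix accepts.
```

The decoders are plain functions, so you can feed them bytes captured from your own sniffer trace instead of the constructed values.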

New Member

Re: Per User VLAN, 1220 IOS, and MS IAS

Dan,

Thanks again. I received your email letting me know that the Tunnel Tag attribute is available on Windows 2003 Server. I tried this suggestion and it is working great.

Thanks again,

Don Hickey
