Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Prevent dynamic vlan assigment on IOS AP with ACS

Hi

I having some trouble with my lab. I have a IOS AP with diffrent VLAN, and an ACS that assign vlan based on username. So client1 have VLAN201 and client2 have VLAN202.

For my setup, dynamic vlan assigment working very well, but the problem is that I want to prevent that from happening on this SSID. Defualt VLAN on the SSID is 203.

I thought I needed the aaa authorization network default group radius to allow the use of attributes from the aaa-server. But I don't have that in my config, and it still working.

Is it any way that I can tell the AP to just ignore any attributes sent from aaa-server? Just what you would do in a WLC by disabling aaa-override.

Software: c1240-k9w7-mx.124-25d.JA

Regards,

Patrick

2 REPLIES
VIP Purple

Prevent dynamic vlan assigment on IOS AP with ACS

Hi Patrick

Refer the below post that will outline what is required to have this dynamic vlan assignment configuration.

https://supportforums.cisco.com/docs/DOC-19082

Then you can remove those aaa related comamnds if you do not want that to happen

HTH

Rasika

**** Pls rate all useful responses ****

Prevent dynamic vlan assigment on IOS AP with ACS

Hi,

Double check that what you got is a real dynamic vlan assignment. maybe it is a static assignment that you are not noticing but it overlaps somehow with the dynamic assignment you configured.

Also, If you have multiple SSIDs on same AP, you can not (from AP level) allow only one to use dynamic assignment and prevent the other. You are forced to use dynamic assignment for all SSIDs (as long as they use radius server and match a rule).

Now, what you can do is to put a rule in RADIUS server to match the called-statoin-id of the SSID (which is usually the radio mac of the ssid). based on that you decide to return back the authorizatoin profile with the assigned vlan or not.

HTH

Amjad

Rating useful replies is more useful than saying "Thank you"

Rating useful replies is more useful than saying "Thank you"
278
Views
0
Helpful
2
Replies
CreatePlease to create content