New Member

Using a RADIUS Server to Assign Users to VLANs

Is this possible on autonomous access points? http://www.cisco.com/en/US/docs/routers/access/1800/wireless/configuration/guide/s37vlan.html#wp1038739

I try to set this up but it does not work. I have 2 SSIDs, "Test1" defined on VLAN 10 and "Test2" on VLAN 99. Everything works fine if the RADIUS server does not send the VLAN attributes or if it sends the matching VLAN attributes. However, if I try to connect to "Test1" and the RADIUS server wants to assign the user to VLAN 99 instead, I see "one-way traffic". First the computer successfully authenticates and associates with the access point. If I check with "show dot11 associations all-client" I can see the client is associated and assigned to VLAN99. However, now the computer will request an IP address with DHCP. The DHCP server receives it as usual and will respond with a DHCP OFFER. However, the DHCP OFFER never makes it to the wireless client. If the client connects to "Test2" instead it will work immediately. All other examples for dynamic VLAN assignments I have found so far use LWAPPs and a controller. Is this possible with autonomous APs?

Abridged config:

dot11 vlan-name Test vlan 10
dot11 vlan-name Test2 vlan 99
!
dot11 ssid Test
 vlan 10
 authentication open eap eap
 authentication network-eap eap
 authentication key-management wpa
 guest-mode
 mbssid guest-mode
!
dot11 ssid Test2
 vlan 99
 authentication open eap eap
 authentication network-eap eap
 authentication key-management wpa
 mbssid guest-mode
!
interface Dot11Radio0
 no ip address
 !
 encryption vlan 99 mode ciphers aes-ccm tkip
 !
 encryption vlan 10 mode ciphers aes-ccm tkip
 !
 ssid Test
 !
 ssid Test2
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
!
interface Dot11Radio0.10
 encapsulation dot1Q 10
 no cdp enable
 bridge-group 10
 bridge-group 10 subscriber-loop-control
 bridge-group 10 spanning-disabled
 bridge-group 10 block-unknown-source
 no bridge-group 10 source-learning
 no bridge-group 10 unicast-flooding
!
interface Dot11Radio0.99
 encapsulation dot1Q 99
 no cdp enable
 bridge-group 99
 bridge-group 99 subscriber-loop-control
 bridge-group 99 spanning-disabled
 bridge-group 99 block-unknown-source
 no bridge-group 99 source-learning
 no bridge-group 99 unicast-flooding
!

12 REPLIES
Silver

Re: Using a RADIUS Server to Assign Users to VLANs

Yes, there is no problem with autonomous AP.

For further description and configuration, the following URL may help you:

http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_example09186a00801d0815.shtml#VLAn1

New Member

Re: Using a RADIUS Server to Assign Users to VLANs

Thanks for the link. But the section only links to another page which contains exactly the same description which I have posted before. I know all that. I can't see anything there which I should do differently.

Do you use it yourself? Do you have autonomous APs using RADIUS based VLAN assignments?

New Member

Re: Using a RADIUS Server to Assign Users to VLANs

The answer is here:

http://www.cisco.com/en/US/docs/routers/access/1800/wireless/configuration/guide/s37ssid.html#wp1054822

You cannot use multiple BSSID together with RADIUS assigned VLANs. Without "dot11 mbssid" it works. But then of course you can only broadcast one SSID...

New Member

Re: Using a RADIUS Server to Assign Users to VLANs

Hi,

I have an autonomous access point AIR-AP1252AG-E-K9 with firmware version 12410JA. I have only one SSID and multiple VLANs that can be assigned by the attributes delivered by a RADIUS server.

The users authenticate OK and I see the DHCP discover arrive at the DHCP server but the DHCP offer doesn't arrive at the wireless client.

How did you solve the DHCP problem?

New Member

Re: Using a RADIUS Server to Assign Users to VLANs

Are you sure you don't have multiple BSSID enabled?

New Member

Re: Using a RADIUS Server to Assign Users to VLANs

Yes I don't have multiple BSSID enabled.

Apparently the problem was solved with an AP reboot.

Thanks.

New Member

Re: Using a RADIUS Server to Assign Users to VLANs

Can you please send me the configuration of the AP for only one SSID and multiple VLANs that can be assigned by the attributes delivered by a RADIUS server?

I have the ACS Server dynamically assigning the VLANs but I get an authentication error on the AP.

New Member

Re: Using a RADIUS Server to Assign Users to VLANs

What error do you get exactly on the AP?

Generally, I only got authentication errors on the AP if the authentication was in fact incorrect. Does the log of the ACS server show that the user is successfully authenticated?

The configuration which I have posted initially does work if you don't have MBSSID enabled (i.e. use "no dot11 mbssid" to make sure).
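The constraint reported in this thread (RADIUS-assigned VLANs fail while MBSSID is enabled), turned into a config check; this is an added example, not code from any poster or from Cisco. The function name `audit`, the `radius_vlans` input (the VLAN IDs your RADIUS server may return) and the sample text are assumptions; the subinterface and encryption checks mirror what the posted config defines for VLANs 10 and 99.

```python
import re

# Constructed sample: trimmed from the config posted in this thread, with
# "dot11 mbssid" added as an assumption (the post is abridged and omits it).
SAMPLE = """\
dot11 mbssid
dot11 ssid Test
 vlan 10
 mbssid guest-mode
dot11 ssid Test2
 vlan 99
 mbssid guest-mode
interface Dot11Radio0
 encryption vlan 99 mode ciphers aes-ccm tkip
 encryption vlan 10 mode ciphers aes-ccm tkip
 ssid Test
 ssid Test2
interface Dot11Radio0.10
 encapsulation dot1Q 10
 bridge-group 10
interface Dot11Radio0.99
 encapsulation dot1Q 99
 bridge-group 99
"""

def audit(config, radius_vlans):
    """Check an autonomous-AP config against the VLAN IDs RADIUS may assign."""
    section, mbssid = "", False
    radio_vlans, enc_vlans = set(), set()
    for raw in config.splitlines():
        line = raw.rstrip()
        if line and not line.startswith((" ", "!")):
            section = line                      # top-level command opens a section
            mbssid = mbssid or line == "dot11 mbssid"
            continue
        cmd = line.strip()
        if not section.startswith("interface Dot11Radio"):
            continue                            # e.g. "mbssid guest-mode" under an SSID
        mbssid = mbssid or cmd == "mbssid"      # per-radio form of the command
        if m := re.fullmatch(r"encapsulation dot1Q (\d+)( native)?", cmd):
            radio_vlans.add(int(m.group(1)))
        elif m := re.match(r"encryption vlan (\d+) ", cmd):
            enc_vlans.add(int(m.group(1)))
    findings = ["mbssid enabled"] if mbssid else []
    for vlan in sorted(radius_vlans):
        if vlan not in radio_vlans:
            findings.append(f"vlan {vlan}: no radio subinterface")
        if vlan not in enc_vlans:
            findings.append(f"vlan {vlan}: no encryption line")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE, {10, 99}):
        print(finding)
```

Run it against the output of "show running-config" saved to a file; an empty result means none of the three conditions was found.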

New Member

Re: Using a RADIUS Server to Assign Users to VLANs

Thanks Gerald... I have the config working now. It was a problem with the DHCP for that VLAN and not the AP config.

Regards.

New Member

Re: Using a RADIUS Server to Assign Users to VLANs

Hi, in case of a difference between the PC SSID and the ACS-assigned SSID, where can I find the mismatch log? AP syslog?

Thank you in advance.

New Member

Re: Using a RADIUS Server to Assign Users to VLANs

Hi,

I understand that the ACS assigns the VLAN ID or name, but not the SSID.

The SSID is between the PC and the AP.

New Member

Re: Using a RADIUS Server to Assign Users to VLANs

Which mismatch? If the SSID on the PC is different from the SSID on the AP the PC won't connect. There is no log for that. The PC just won't find any wireless network to connect to.
