Cisco Support Community

New Member

Way to Ignore Dynamic VLAN using WPA2 on IOS AP and ACS?

Hello,

I am trying to set up an IOS AP using 12.3(8)JEB1 to use WPA2 using ACS 4.0(1)Build 44. I am trying to use PEAP with MSCHAPv2.

The problem I am having is that the only way I can get the client to associate is if I configure the AP's SSID to be the same VLAN that is stated in the "[081] Tunnel-Private-Group-ID" field of the group that the dynamic user is in.

When I configure the SSID to the VLAN it should be, the client never authenticates, even though the ACS server shows it as a "Passed Authentication".

When I do a "debug radius authentication", I get this message "%DOT11-4-NO_VLAN_ID: Vlan id 1100 from Radius server is not configured for station xxxx.xxxx.xxxx" (MAC address removed).

Is there a way to configure the AP to ignore the "[081] Tunnel-Private-Group-ID" field?

1 ACCEPTED SOLUTION

Accepted Solutions
New Member

Re: Way to Ignore Dynamic VLAN using WPA2 on IOS AP and ACS?

Here's what you need. I just figured this out tonight:

aaa group server radius your-AAA-group-name
 server your-radius-server#1-IPaddress auth-port 1645 acct-port 1646
 server your-radius-server#2-IPaddress auth-port 1645 acct-port 1646
 authorization reply reject wireless-attreject-list
!
radius-server attribute list wireless-attreject-list
 attribute 81
!
aaa authentication login eap_methods group your-AAA-group-name
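
Added illustration (my own example, not code from the thread or from Cisco): a small RADIUS attribute parser that applies an attribute reject list to the Access-Accept the AP receives, the same filtering the config above asks IOS to do. It assumes a constructed Access-Accept in which the ACS group pushes VLAN 1100 via Tunnel-Private-Group-ID (attribute 81, RFC 2868), and shows that once 81 is rejected the AP has no dynamic VLAN to look up, so the NO_VLAN_ID mismatch cannot occur.

```python
# Added example, not from the thread: a tiny RADIUS attribute parser that applies
# an IOS-style "authorization reply reject" list to an Access-Accept, so you can
# see why the AP reports NO_VLAN_ID and what rejecting attribute 81 removes.
import struct

TUNNEL_TYPE = 64              # RFC 2868 Tunnel-Type (13 = VLAN)
TUNNEL_MEDIUM_TYPE = 65       # RFC 2868 Tunnel-Medium-Type (6 = IEEE 802)
TUNNEL_PRIVATE_GROUP_ID = 81  # RFC 2868 Tunnel-Private-Group-ID (the VLAN id)
USER_NAME = 1                 # RFC 2865 User-Name

def build_attrs(attrs):
    """Encode (type, value) pairs as RADIUS TLVs: type(1) length(1) value."""
    return b"".join(struct.pack("BB", t, len(v) + 2) + v for t, v in attrs)

def parse_attrs(data):
    """Decode a TLV stream into (type, value) pairs, rejecting bad lengths."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute at offset %d" % i)
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs

def apply_reject_list(attrs, reject):
    """Drop attributes whose type is in the reject list, which is what the
    'radius-server attribute list' + 'authorization reply reject' pair does."""
    return [(t, v) for t, v in attrs if t not in reject]

def dynamic_vlan(attrs):
    """VLAN id the AP would take from attribute 81, or None if absent.
    A leading byte <= 0x1F in a tunnel attribute is a tag, not data."""
    for t, v in attrs:
        if t == TUNNEL_PRIVATE_GROUP_ID:
            text = v[1:] if v and v[0] <= 0x1F else v
            return int(text.decode("ascii"))
    return None

# Constructed Access-Accept attributes: the ACS group pushes VLAN 1100.
ACCEPT = build_attrs([
    (USER_NAME, b"alice"),
    (TUNNEL_TYPE, b"\x01" + (13).to_bytes(3, "big")),         # tag 1, VLAN
    (TUNNEL_MEDIUM_TYPE, b"\x01" + (6).to_bytes(3, "big")),   # tag 1, 802
    (TUNNEL_PRIVATE_GROUP_ID, b"\x01" + b"1100"),             # tag 1, "1100"
])

def vlan_after_filter(reject=frozenset({TUNNEL_PRIVATE_GROUP_ID})):
    """VLAN the AP sees once the reject list is applied (None = no dynamic VLAN)."""
    return dynamic_vlan(apply_reject_list(parse_attrs(ACCEPT), reject))
```

Without the reject list `vlan_after_filter(frozenset())` returns 1100, the value the AP then fails to find locally; with attribute 81 rejected it returns None and the client stays on the VLAN configured under the SSID.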

2 REPLIES
New Member

Re: Way to Ignore Dynamic VLAN using WPA2 on IOS AP and ACS?

Worked great!

Thanks for your help!
