topic Hello, William in Wireless

AAA VLAN assignment per FlexGroup with VLAN name

mtsankova — Mon, 05 Jul 2021 13:50:49 GMT

Hello, I have a topology with a virtual WLC (installed on virtual machine) with APs in Flex connect mode. Also I had configured one SSID with authentication to a microsoft radius server (where depending on the account from the active directory the user is assigned to a specific vlan). The problem is when in the radius server return vlan name, then all the clients are add to the default vlan. Then I get an error:

TLV-DEC-ERR: can not process TLV for TLV_FLEX_VLAN_NAME_ID_MAPPING_PAYLOAD (591/0)
TLV-DEC-ERR: No CB for TLV_FLEX_VLAN_NAME_ID_MAPPING_PAYLOAD (591)

Is there a fix to this problem?

When the Radius server return vlan id everiting is working fine, and the clients are add to the specific vlan.

What you are trying to do is

William Kuczmera — Tue, 11 Apr 2017 16:42:41 GMT

What you are trying to do is called AAA override. Where our AAA server is dictating or overriding our VLAN assignment.

Sounds like your Radius server is returning the attribute but your AP may not be aware of the VLAN in question.

Guidelines and Limitations
• VLAN overrides for FlexConnect is applicable for both centrally and locally authenticated clients.
• Before configuring an AAA override, the VLAN must be created on the access points. These
VLANs can be created on the access points by using the existing WLAN-VLAN mappings.
• VLANs can be configured on FlexConnect groups. VLANs are pushed to the access points
belonging to the FlexConnect group.
• At any given point, an AP has a maximum of 16 VLANs. The VLANs are selected based on the
WLAN-VLAN mapping in the AP . The remaining VLANs will be pushed from the Flexconnect
group in the order that they are configured/shown in the Flexconnect group. If the VLAN slots are
full, an error message is logged.
• If the VLAN on the AP is configured using the WLAN-VLAN, the AP configuration of the ACL is
applied.
• If the VLAN is configured using the FlexConnect group, the ACL configured on the FlexConnect
group is applied.
• If the same VLAN is configured on the FlexConnect group and also at the AP, the AP configuration
with its ACL takes precedence.
• If there is no slot for a new VLAN from the WLAN-VLAN mapping, the latest FlexConnect group
VLAN is replaced.
• If the VLAN that was returned from the AAA is not present on the AP, the client falls back to the
default VLAN configured for the WLAN.
• AAA for locally switched clients only supports VLAN overrides.
• AAA Override for FlexConnect is supported through IETF parameters in the ACS. The following
parameters must be configured with the specified values as defined below for a user:
– [064] Tunnel-Type : Tag 1 value VLAN
– [065] Tunnel-Medium Type : Tag1 value 802
– [081] Tunnel-Private-Group-ID : Tag1 value : Overridden VLAN ID.
• Dynamic VLAN assignment is not supported for web authentication from a controller with ACS.

Hope this helps. Its available in the config guide.

Hello, William

smartitbg — Tue, 20 Jun 2017 09:26:33 GMT

Hello, William

"Sounds like your Radius server is returning the attribute but your AP may not be aware of the VLAN in question."

The VLAN is configured on the AP via FlexConnect Group. Also FlexConnect VLAN Template is configured.

The problem only exists, when RADIUS server is configured to return VLAN NAME instead of VLAN ID and when AP is on FlexConnect mode with Central Switching (in this case AAA override works with VLAN NAME), but when the AP lost connection to the WLC (and starts to authenticate locally), then the AP is not aware of the VLAN name to ID mapping, therefore it puts the client on the default VLAN.

These errors are shown, when AP is joining to the FlexConnect Group initially, configured with FlexConnect VLAN Template. I think this is the main reason, AP not to be aware of VLAN name to ID mapping, therefore it can't override the VLAN when authenticate users by itself (Local Auth).

We use VLAN IDs, instead of VLAN NAMES for 'Tunnel-Private-Group-ID' attribute as workaround for this issue.

TLV-DEC-ERR: can not process TLV for TLV_FLEX_VLAN_NAME_ID_MAPPING_PAYLOAD (591/0)
TLV-DEC-ERR: No CB for TLV_FLEX_VLAN_NAME_ID_MAPPING_PAYLOAD (591)