topic Delsenyj, can you please take in Wireless

Need help with multi vlan/ssid config on Aironet 1852i with Mobility Express

delsenyj — Mon, 05 Jul 2021 13:24:20 GMT

I have an Aironet 1852i, with Mobility Express pre-installed (and confirmed to be in ME mode), and I am trying to configure it with 2 wlans for our internal domain networks (both using Windows RADIUS, and both on seperate vlans with seperate external DHCP servers), and another for personal devices and guests. The problem I am having, is coming up with a working solution for the personal devices/guest network.

The 1852i that I have, is the only WLC on our network. It has a static management IP, and the DHCP server for the management network (vlan 8), is on a Cisco ISR 4331 (our primary router), which the 1852i is also directly connected to. The switchport that the 1852i connects to, on the ISR, is configured as a trunk port, with vlan 8 native (management vlan), and allowed vlans 5, 6, 8, and 11.

Wlan 1 is configured for vlan 5, with wpa2 enterprise (using external RADIUS).

Wlan 2 is configured for vlan 11, with wpa2 enterprise (using external RADIUS).

Vlan 5 has a Windows Server 2012 providing DHCP for vlan 5

Vlan 11 has a Windows Server 2012 providing DHCP for vlan 11, and RADIUS for both wlan 1 & 2.

(both servers are part of the same domain)

Wlan 1 and 2 work perfectly fine. Our Windows domain clients can connect to their relevant wlan, using their credentials, they get authenticated, and receive a correctly assigned DHCP address for the network they are connected to.

The third wlan (Wlan 3), which is for guests & personal devices. Vlan 6 is assigned to this network, and the DHCP server for this network is also on our ISR 4331. To avoid any captive portal issues with our iphone users, I was hoping that I could set wlan 3 up as a standard wlan for vlan 6, using wpa2 enterprise, but using the internal RADIUS server on the AP. That way any employees or guests that want to use it, have to request access, which could be provided using the Mobility Express gui. However, when configured like this, no client/user can authenticate on wlan 3 with any credentials from wlan users entered in Mobility Express. (wlan 1 & 2 still work find though)

My first question is if that is even possible? (using external RADIUS for some wlan's and internal RADIUS for others, using the same WLC)

So as a fall back, I've tried just configuring wlan 3 as a standard wlan, but now using wpa2 personal (again with vlan 6). With this setup, users can authenticate, using the shared wpa2 personal passphrase, but end up receiving a DHCP assigned ip address from vlan 8 (the management vlan), and not vlan 6. Seperate DHCP pools, using seperate subnets, have been configured on the ISR router, and under each vlan interface (on the ISR) the helper address for that vlan, has been applied.

So I am not sure what I may be missing, but it almost seems as though the WLC is not passing the Vlan info with its DHCP requests for clients on Wlan 3 (assigned to vlan 6)?

Any help or advice would be greatly appreciated!

Thanks!

If i'm right, the mobility

pieterh — Fri, 20 Jan 2017 11:17:52 GMT

If i'm right, the mobility express option is functionally equal to a "virtual wireless controller" running on the AP itself?

if the controller and the isr can reach eachother on vlan6, then the controller must only forward dhcp requests on layer-2 to the vlan, where the isr can respond to the request.
in dhcp-proxy mode, the controller forwards the request using the management interface as source, giving the result you describe.

comparing to a wireless controller configuration
the controller needs to have
- an interface in the correct vlan (6) configured
- an ip-address in the subnet used on this vlan (not really used)
- a dhcp server configured in this subnet (the isr)
- dchp proxy mode disabled (!)

hope this helps?

It looks like you are correct

delsenyj — Fri, 10 Feb 2017 16:00:53 GMT

It looks like you are correct, pieterh.

Right after submitting my initial post (and reading it back to myself again), I stumbled across the Cisco Wireless Controller Configuration Guide v.8.3 (NOT the Mobility Express Configuration Guide v.8.3!!). Going through that, I realized that Mobility Express is built off that platform, as a lot of the same features are there, just not accessible via the Mobility Express gui.

As such, I did end up creating dynamic interfaces on the WLC, for each vlan, each assigned with an IP address within the respective vlan. Each dynamic interface (vlan interface, or sub-interface) was set to use the management interface as the physical port. Then, within each wlan, I configured them to use their respective dynamic interface (vlan interface, on the WLC) that I just created (rather then the management interface, which is default).

The DHCP proxy mode was already off (from my previous attempts), and the DHCP server for vlan 6 remained as I had it configured, on the ISR.

That did the trick for the IP address assignment issue that I was seeing! Clients can now receive DHCP assigned IP addresses for any wlan that they are connecting to.

The next thing was the RADIUS issue....I found (in the wireless controller configuration guide), that it is indeed possible to use internal AND/OR external RADIUS, per wlan. As default, when a wlan is configured to use RADIUS, the WLC will first try any external RADIUS server(s). Since the list of external RADIUS servers (listed on the WLC) is a global list, the same list is used for any wlan configured with RADIUS. After trying the external RADIUS servers, then it will try the internal RADIUS server. Unless the timeout settings are changed, and if a mixed (internal and external) RADIUS server environment is being used, any wlans configured to use the internal RADIUS server will have clients authentications fail due to timeout, while waiting for the WLC to try each external RADIUS server first.

That is default.

There is a couple of settings that I found to work around that....one changes the authentication server priority, per wlan....which did not work for me.

The other, and what did work, was to disable the wlan's radius authentication server setting, using:

config wlan radius_server auth disable <WLAN >

It's a misleading command, because what it actually does is configures the wlan to not use any external RADIUS server for authentication checks, but does not restrict authenticating with internal RADIUS.

Now I just need to work on the whole captive portal thing, with regards to apple devices (iphones) and the captive portal DNS redirects, using vlans (vlan 6 in my case) that do not have access to the company DNS servers.

back to reading the config guide!

Hi Delseny,

Rommel Papa — Thu, 23 Mar 2017 14:10:47 GMT

Hi Delseny,

i encountered same issue here.. same configuration/setup you said. Could you share to us the steps/config on how to configure WLAN to use the specific created dynamic interface ?

See below scenario

Dynamic int-guest vlan 1 then use by WLAN ssid guest

Dynamic int-employee vlan 20 then use by WLAN ssid employee

management vlan is under vlan 10.

CLI command will do since in mobility express 8.3.xx firmware has no available option/configuration.

Thanks,

Ben

Delsenyj, can you please take

rbinu — Wed, 12 Jul 2017 03:33:50 GMT

Delsenyj, can you please take a look at this Cisco video that discusses this specific issue? Also, you can find the 8.3 Mobility Express Guide here.