dynamic interface group assignment

marc.wechsler · ‎07-16-2013

Wir testen aktuell das dynamische vlan assignment mit dem wlc (version 7.3.101) und dem microsoft nps server. das überschreiben der vlan id anhand einer zutreffenden netzwerkrichlinie funktioniert einwandfrei. nun stellt sich die frage, ob das überschreiben auch möglich ist, wenn auf dem wlc für eine ap-group eine interface gruppe anstelle eines einzelnen vlans definiert ist. hat jemand erfahrungen damit gemacht? konkret sieht der aufbau wie folgend aus:

vlan 100-110 sind in als interface group01 zusammengefasst.

unter ap groups ist eine ssid mit dieser interface gruppe01 konfiguriert.

unter wlan ist eine ssid mit: radius server overwrite interface und: allow aaa override konfiguriert.

auf dem nps gibt es eine zutreffende netzwerkrichtlinie mit radius attribute:

framed-protocol = ppp

service-type = Framed

Tunnel-Medium-Type 802

Tunnel-Pvt-Group-Id = gruppe01 (Name der Interface Gruppe, analog VLAN)

Tunnel-Type = VLAN

--> Wenn wir eine einfache VLAN ID angeben funktioniert es, mit dem Namen der Interface Gruppe funktioniert es nicht.

Hat jemand erfahrung, ob das zuweisen einer interface gruppe per radius attribut möglich ist?

Jatin Katyal · ‎07-16-2013

I see you have added these IETF attributes:

Tunnel-Type = 64 = VLAN
Tunnel-Medium-Type = 802
Tunnel-Private-Group-ID = vlan-id

In tunnel-Private-Group-ID=VLAN-ID should be defined.

http://www.cisco.com/en/US/products/ps10315/products_configuration_example09186a0080bc8129.shtml#policy

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin

marc.wechsler · ‎07-16-2013

Thank you for your answer.

if i define a single vlan id, everything works fine. but we try to make this work with an interface group instead of a single vlan... i am not shure if this is possible or not.. i just read the following release notes:

AAA Override Support for Interface Groups

This release supports AAA override for interface groups.

This feature extends the current access point group and AAA override architecture where access point groups and AAA override can be configured to override the interface group WLAN that the interface is mapped to. This is done with multiple interfaces using interface groups.

so if i change the single vlan id from tunnel-private-group-id attribute to the interface group it doesnt work anymore...

Jatin Katyal · ‎07-16-2013

Unfortunately, interface group name can not be defined with Tunnel-Private-Group-ID.

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin

Thilo Bubek · ‎11-06-2013

Is there still no solution to assign different interface groups via AAA-override?

(Configuration guide for WLC software 7.4 says: "You can also configure AAA override for interface groups")

I would like to use 3 or 4 interface groups and assign dem via AAA-override from radius.

I'm using 5508 and 5760 wireless controllers.

Best regards

Sent from Cisco Technical Support iPad App

rberke · ‎12-14-2013

I have heard that the IOS implementation of WLC features is lagging on the 5760 vs 5500. Not full parity with 7.x.

We, too, need Interface Group to work. We have Ancient WISMs that we intend to replace with 5760's. Have to wait....

Right now we can't reliable get AAA Override to work with even single VLAN. 5760 seems to ignore Radius IETF 81 attribute. Working through with TAC for two weeks. Ethernet packets clearly show the correct VLAN is sent by our ACS 5.3 to the 5760, but users just get on default interface for the WLAN instead of directed to proper VLAN per their authentication success criteria. 5500's we use at other buildings are working fine.

Sent from Cisco Technical Support iPad App

mderville · ‎05-15-2014

Any update on this? Do you know if interfaces group / AAA override can work with WLC5508 in release 7.6?

rberke · ‎05-15-2014

We have had the group/AAA override working with WLC5508 since code version 7.2, with ACS 5.3 as our RADIUS server. We haven't yet run 7.6 code, but expect to in July. Our ACS is now up at 5.5.

The earlier post where I mentioned the WLC 5760.... there turned out to be multiple non-obvious commands needed at CLI level. Not via GUI. There also needed to be DHCP-snooping turned on. It also turned out that we needed CPI 2.1 to correctly interrogate the WLC's. It's been a long saga. We are getting off the 5760's, and deploying big 8500's to absorb them, plus absorb our old WISM-1 and 4402 WLC's.