Dynamic VLAN Assignment via RADIUS for WLAN users on ACS 5.8

N3t W0rK3r
Level 3

Hello,

I am using ACS 5.8 and trying to setup dynamic VLAN assignment based on AD username.

We have this working on our old ACS 4.x, but I cannot seem to get it to go under ACS 5.8.

I found this document and wondered if there was another version for ACS 5.x

http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-vlan/71683-dynamicvlan-config.html

Authentication is occurring, and the user is getting wireless access, but the dynamic VLAN is not being assigned.

Any thoughts on this?

Thanks.

John

10 Replies

Kanwaljeet Singh
Cisco Employee

Hi John,

You would need to create the profile under:


Policy Elements > Authorization and Permissions  >Network Access >Authorization Profiles > Create

And you use this in the "Authorization" rule. If the user hits this rule, he would be assigned a VLAN or DACL etc.

Attached screenshot for your reference.

Hope this helps!

Regards,

Kanwal

Note: Please mark answers if they are helpful.

Thanks Kanwal.

Here is the Auth profile I am using for this. I've masqueraded the VLAN ID. Does this look right?

I then reference this profile in my WLAN-ACCESS access policy. Also attached.

I do have two other access policies defined... one for machine authentication and one for regular user (non-admin) authentication. This dynamic VLAN policy is the second in the list (see attached). Could this order be a factor?

Hi John,

Looks good.

Policy Elements > Authorization and Permissions > Network Access > Authorization Profiles > Create, under the Common Tasks tab ensure that you have the VLAN value set.

Also, the order of policies does matter, and ACS would stop parsing further after the first match.

To see if your user is hitting the correct policy or not, go to Monitoring and Reports, launch the Monitoring and Reports Viewer and look at the RADIUS Authentication report. You can also filter on username, NAD IP etc. Over there, once you click on Details, you will see step by step how the rules are processed, which rule the user is being matched against, which profile the user has been assigned, etc. That should tell you whether the user is matching the correct policy or not.

Regards,

Kanwal

Note: Please mark answers if they are helpful.

Thanks Kanwal,

I have verified the test users are hitting the correct policies by referring to the AAA Authentication reports.

When I first boot up my test Win7 laptop, I have to wait 15-30 seconds for the machine authentication to take place first, before attempting to log in to the domain. I determine the IP address that the laptop obtains by looking at our core router's ARP table. I run a persistent ping to the laptop.

When I then log in with my admin account (the account where I should get a dynamic VLAN), after a minute and a half (approx.), I see an entry in the AAA RADIUS reports that shows my user auth succeeded, AND at the very same time my pings to the laptop start failing, as a new VLAN is being assigned to the laptop. Problem is, the laptop never gets an IP in that new VLAN (or any VLAN for that matter) and appears to be in limbo (according to my router's ARP table, i.e. there are no recent entries).

So I'm not really sure where to go from here.

This all seems to work well on a different SSID (that lands on a different controller but that points to our OLD ACS 4.2 installation).

Thanks for any further suggestions you may have. I may be opening a TAC case soon to get this all sorted out.

John

Hi John,

If the correct policy is getting matched and the user is assigned the profile you configured, then we definitely need to see what is going on at the WLC level.

I am not too sure about WLC, but can you look at the client which is authenticating and see if it gets placed in the correct VLAN? If it does, then I guess your dot1x is fine and further TS would be needed to check why the client is not getting an IP. Are you pushing any access-list (DACL) from ACS?

But it would be weird if the same WLC, when pointed to the 4.2 ACS, would work just fine.

Regards,

Kanwal

Note: Please mark answers if they are helpful.

Hello again Kanwal,

On your advice I looked closer at the WLC and noticed something odd when the client goes into limbo after getting the new policy for the new subnet.

On the Monitor > Clients > Detail screen, it shows the client as getting the correct VLAN ID on the correct Interface, BUT the IP address is stuck at the old address (other VLAN) and the username field is blank (see attached).

I then ran a "debug client ..." on the WLC and captured a ton of info as I logged into the laptop. I don't understand it all, but I clearly see the correct VLAN ID being referenced but the client unable to change IPs. There are also references made to IPv6 VLAN = 900, "Applying site-specific IPv6 override", etc., but we are not using IPv6 so this was quite surprising to see. Could this be part of our problem? I'd love for you to see the logs I captured but I am hesitant to post them here.

John

Hi John,

Looking at logs would be helpful. I just sent you a message. Let me know if you received it.

Regards,

Kanwal

Note: Please mark answers if they are helpful.

I did receive it and replied. Hopefully you got my reply. :)

Hello Kanwal,

Since we last communicated, I was able to open a TAC case on this issue.

However, TAC advised that everything is working as it should and that the problem lies with the Windows 7 client in not issuing any new DHCP requests after the WLC changes the VLAN assignment for that client. They also offered absolutely no guidance whatsoever about what actions I should take on the client to get this to work, citing that Windows 7 is not a Cisco client.

Although I was relieved to hear that my configuration was correct, I was quite disappointed to hear that they could not help any further.

I've seen other configuration example documents on the Cisco site where instructions are given as to how to configure Windows to operate in the example, so I am shocked that TAC was unwilling to point me to a similar type of document.

Thanks again for your help previous to this.

Cheers,

John

Hi John,

One more thing: I am sure you have already looked at it, but just mentioning it. From the same doc that you pasted above:

Note: In order for the RADIUS server to dynamically assign the client to a specific VLAN, it is required that the VLAN-ID configured under the IETF 81 (Tunnel-Private-Group-ID) field of the RADIUS server exist on the WLC.

Also, we can take a "debug radius" on the WLC/switch as well to see what attributes are sent by ACS and whether they are correct or not.

Hope this helps!

Regards,

Kanwal

Note: Please mark answers if they are helpful.
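As an added illustration of the two points in the reply above (the Tunnel-Private-Group-ID must name a VLAN that actually exists on the WLC, and "debug radius" shows which attributes the server sent), here is a small Python script that encodes the three RFC 2868 tunnel attributes an authorization profile sends for a VLAN, decodes them back, and checks them the way a controller would have to before honouring the assignment. This is example code written for this thread, not Cisco code and not from ACS or the WLC; the attribute numbers and the VLAN (13) / IEEE-802 (6) values are from RFC 2868, while the VLAN IDs and the `WLC_VLANS` set standing in for the controller's interface table are constructed sample data.

```python
"""
Encode, decode and sanity-check the RFC 2868 tunnel attributes that a RADIUS
server puts in an Access-Accept to move a wireless client into a VLAN.
Attribute numbers and constants come from RFC 2868; all VLAN IDs and the
controller's VLAN table below are constructed for this example.
"""
import struct

TUNNEL_TYPE = 64              # Tunnel-Type
TUNNEL_MEDIUM_TYPE = 65       # Tunnel-Medium-Type
TUNNEL_PRIVATE_GROUP_ID = 81  # Tunnel-Private-Group-ID (IETF 81)
TUNNEL_TYPE_VLAN = 13         # Tunnel-Type value "VLAN"
TUNNEL_MEDIUM_IEEE_802 = 6    # Tunnel-Medium-Type value "IEEE-802"


def _avp(attr_type, value):
    """Encode one RADIUS attribute: type (1 byte), length incl. header (1 byte), value."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value exceeds 253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_vlan_attributes(vlan_id, tag=0):
    """Return the three tunnel AVPs an authorization profile emits for a VLAN."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID out of range")
    if not 0 <= tag <= 0x1F:
        raise ValueError("RFC 2868 tag must be 0x00..0x1F")
    # Tunnel-Type and Tunnel-Medium-Type carry a 1-byte tag then a 3-byte integer.
    return (
        _avp(TUNNEL_TYPE, bytes([tag]) + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
        + _avp(TUNNEL_MEDIUM_TYPE, bytes([tag]) + TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big"))
        # Tunnel-Private-Group-ID carries the tag then the VLAN ID as an ASCII string.
        + _avp(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan_id).encode("ascii"))
    )


def parse_attributes(blob):
    """Decode a run of AVPs into [(type, value_bytes)], rejecting malformed lengths."""
    attrs, offset = [], 0
    while offset < len(blob):
        if len(blob) - offset < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = struct.unpack_from("!BB", blob, offset)
        if length < 2 or offset + length > len(blob):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, blob[offset + 2:offset + length]))
        offset += length
    return attrs


def _tagged_int(value):
    """Tag byte plus 3-byte integer; None unless the value is exactly 4 bytes."""
    if len(value) != 4:
        return None
    return value[0], int.from_bytes(value[1:], "big")


def _tagged_string(value):
    """RFC 2868: a leading byte above 0x1F is not a tag but the first character."""
    if value and value[0] <= 0x1F:
        return value[0], value[1:].decode("ascii", "replace")
    return None, value.decode("ascii", "replace")


def check_vlan_assignment(blob, wlc_vlans):
    """Validate the tunnel attributes of an Access-Accept against the WLC's VLAN table.

    Returns (vlan_id, []) when the assignment is usable, otherwise (None, reasons)
    listing what would make the controller leave the client on the WLAN's default
    interface instead of the VLAN the RADIUS server asked for.
    """
    reasons = []
    found = dict(parse_attributes(blob))
    tt = _tagged_int(found.get(TUNNEL_TYPE, b""))
    if tt is None or tt[1] != TUNNEL_TYPE_VLAN:
        reasons.append("Tunnel-Type (64) missing or not VLAN (13)")
    tm = _tagged_int(found.get(TUNNEL_MEDIUM_TYPE, b""))
    if tm is None or tm[1] != TUNNEL_MEDIUM_IEEE_802:
        reasons.append("Tunnel-Medium-Type (65) missing or not IEEE-802 (6)")
    vlan_id = None
    if TUNNEL_PRIVATE_GROUP_ID not in found:
        reasons.append("Tunnel-Private-Group-ID (81) missing")
    else:
        _, text = _tagged_string(found[TUNNEL_PRIVATE_GROUP_ID])
        if not text.isdigit():
            reasons.append(f"Tunnel-Private-Group-ID is not numeric: {text!r}")
        else:
            vlan_id = int(text)
            if vlan_id not in wlc_vlans:
                reasons.append(f"VLAN {vlan_id} is not configured on the WLC")
    # The three attributes must share one tag to be grouped as a single tunnel.
    tags = {t[0] for t in (tt, tm) if t is not None}
    if len(tags) > 1:
        reasons.append("tunnel attributes carry different tags")
    return (vlan_id, []) if not reasons else (None, reasons)


if __name__ == "__main__":
    WLC_VLANS = {10, 120}  # constructed: VLANs with an interface on the controller
    print(check_vlan_assignment(build_vlan_attributes(120), WLC_VLANS))
    print(check_vlan_assignment(build_vlan_attributes(130), WLC_VLANS))
```

Feeding the decoded attributes from a "debug radius" capture through `check_vlan_assignment` separates the two failure modes discussed in this thread: a profile that never sent attribute 81 (an ACS policy problem) versus a profile that sent a VLAN the controller has no interface for (a WLC configuration problem).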