Clients with vlan privs can't roam

I changed my two Cisco Aironet 1401 APs to roam, but now I have an issue with people who get put onto specific VLANs.

The main WDS AP has no issues putting people onto specific VLANs, but the 2nd AP is unable to do this now.

This is the error message I get: "Vlan id 27 from Radius server is not configured for station 28cf.dae3.4f16"

This is the config for AP1:

version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname cldap01
!
logging userinfo
logging buffered notifications
logging rate-limit console 9
logging console warnings
enable secret 5 <secret>
!
aaa new-model
!
aaa group server radius rad_eap
 server 10.12.10.4 auth-port 1812 acct-port 1813
!
aaa group server radius FreeRadius
 server 10.12.10.4 auth-port 1812 acct-port 1813
!
aaa authentication login method_FreeRadius group FreeRadius
aaa authentication ppp default group radius
aaa authorization network default group rad_eap
aaa accounting update periodic 60
aaa accounting network default start-stop group radius
aaa accounting system default start-stop group radius
!
aaa session-id common
ip domain <domain>
!
dot11 syslog
dot11 vlan-name pwifi vlan 27
dot11 vlan-name wifi vlan 22
!
dot11 ssid <ssid>
   vlan 22
   authentication open eap rad_eap
   authentication network-eap eap
   authentication key-management wpa version 2
   guest-mode
!
crypto pki trustpoint TP-self-signed-1212998699
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1212998699
 revocation-check none
 rsakeypair TP-self-signed-1212998699
!
crypto pki certificate chain TP-self-signed-1212998699
 certificate self-signed 01
  <crypto>
  quit
!username Cisco privilege 15 password <removed>
username admin privilege 15 secret 5 <secret>
!username rancid password <removed>
!
ip ssh logging events
bridge irb
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 22 mode ciphers aes-ccm
 !
 encryption vlan 27 mode ciphers aes-ccm
 !
 broadcast-key vlan 22 change 300
 !
 broadcast-key vlan 27 change 300
 !
 !
 ssid <ssid>
 !
 antenna gain 100
 speed  basic-1.0 basic-2.0 basic-5.5 basic-11.0 basic-6.0 basic-9.0 basic-12.0 basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0 m0. m1. m2. m3. m4. m5. m6. m7. m8. m9. m10. m11. m12. m13. m14. m15.
 packet retries 100
 channel 2412
 station-role root access-point
 rts retries 100
 infrastructure-client
!
interface Dot11Radio0.2
 encapsulation dot1Q 2 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio0.22
 encapsulation dot1Q 22
 no ip route-cache
 bridge-group 2
 bridge-group 2 subscriber-loop-control
 bridge-group 2 block-unknown-source
 no bridge-group 2 source-learning
 no bridge-group 2 unicast-flooding
 bridge-group 2 spanning-disabled
!
interface Dot11Radio0.27
 encapsulation dot1Q 27
 no ip route-cache
 bridge-group 27
 bridge-group 27 subscriber-loop-control
 bridge-group 27 block-unknown-source
 no bridge-group 27 source-learning
 no bridge-group 27 unicast-flooding
 bridge-group 27 spanning-disabled
!
interface GigabitEthernet0
 no ip address
 no ip route-cache
 duplex full
 speed auto
 no keepalive
!
interface GigabitEthernet0.2
 encapsulation dot1Q 2 native
 no ip route-cache
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface GigabitEthernet0.22
 encapsulation dot1Q 22
 no ip route-cache
 bridge-group 2
 no bridge-group 2 source-learning
 bridge-group 2 spanning-disabled
!
interface GigabitEthernet0.27
 encapsulation dot1Q 27
 no ip route-cache
 bridge-group 27
 no bridge-group 27 source-learning
 bridge-group 27 spanning-disabled
!
interface BVI1
 ip address 10.12.0.10 255.255.255.0
 no ip route-cache
!
ip default-gateway 10.12.0.2
no ip http server
ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
access-list 111 permit tcp any any neq telnet
snmp-server community ORVjkPtki8q RO
snmp-server location Solana Beach, California, USA
snmp-server contact OneRecovery NOC - <email>
snmp-server enable traps snmp authentication linkdown linkup coldstart
snmp-server host 10.12.10.3 ORVjkPtki8q
radius-server attribute 32 include-in-access-req format %i
radius-server attribute list 64
!
!radius-server host 10.12.10.4 auth-port 1812 acct-port 1813 key <removed>
!radius-server key <removed>
bridge 1 route ip
!
wlccp authentication-server infrastructure method_FreeRadius
wlccp wds priority 255 interface BVI1
!
line con 0
 access-class 111 in
line vty 0 4
 access-class 111 in
!
sntp server 10.12.10.4
end

This is the config for AP2:

version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname cldap2
!
logging rate-limit console 9
enable secret 5 <secret>
!
aaa new-model
!
aaa group server radius rad_eap
 server 10.12.10.4 auth-port 1812 acct-port 1813
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authentication ppp default group radius
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
aaa accounting system default start-stop group radius
!
aaa session-id common
clock timezone -0800 -8
ip domain name onerecovery.net
!
dot11 syslog
dot11 vlan-name test2 vlan 22
!
dot11 ssid <ssid>
   vlan 22
   authentication open eap rad_eap
   authentication key-management wpa version 2
   mbssid guest-mode
!
crypto pki trustpoint TP-self-signed-1224361256
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1224361256
 revocation-check none
 rsakeypair TP-self-signed-1224361256
!
crypto pki certificate chain TP-self-signed-1224361256
 certificate self-signed 01
  <crypto>
  quit
!username Cisco privilege 15 password <removed>
username admin privilege 15 secret 5 <secret>
!username rancid password <removed>
!
ip ssh logging events
bridge irb
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 22 mode ciphers aes-ccm
 !
 broadcast-key vlan 22 change 60
 !
 !
 ssid <ssid>
 !
 antenna gain 100
 mbssid
 speed  basic-1.0 basic-2.0 basic-5.5 basic-11.0 basic-6.0 basic-9.0 basic-12.0 basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0 m0. m1. m2. m3. m4. m5. m6. m7. m8. m9. m10. m11. m12. m13. m14. m15.
 channel 2462
 station-role root access-point
 infrastructure-client
!
interface Dot11Radio0.2
 encapsulation dot1Q 2 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio0.22
 encapsulation dot1Q 22
 no ip route-cache
 bridge-group 2
 bridge-group 2 subscriber-loop-control
 bridge-group 2 block-unknown-source
 no bridge-group 2 source-learning
 no bridge-group 2 unicast-flooding
 bridge-group 2 spanning-disabled
!
interface GigabitEthernet0
 no ip address
 no ip route-cache
 duplex full
 speed auto
 no keepalive
!
interface GigabitEthernet0.2
 encapsulation dot1Q 2 native
 no ip route-cache
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface GigabitEthernet0.22
 encapsulation dot1Q 22
 no ip route-cache
 bridge-group 2
 no bridge-group 2 source-learning
 bridge-group 2 spanning-disabled
!
interface BVI1
 ip address 10.12.0.11 255.255.255.0
 no ip route-cache
!
ip default-gateway 10.12.0.2
no ip http server
ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
access-list 111 permit tcp any any neq telnet
snmp-server community ORVjkPtki8q RO
snmp-server location Solana Beach, California, USA
snmp-server contact OneRecovery NOC - noc@onerecovery.com
snmp-server enable traps snmp authentication linkdown linkup coldstart
snmp-server host 10.12.10.3 ORVjkPtki8q
radius-server attribute 32 include-in-access-req format %h
!radius-server host 10.12.10.4 auth-port 1812 acct-port 1813 key <removed>
radius-server vsa send accounting
bridge 1 route ip
!
!wlccp ap username cldap2 password <removed>
wlccp ap wds ip address 10.12.0.10
!
line con 0
 access-class 111 in
line vty 0 4
 access-class 111 in
!
sntp server 10.12.10.4
sntp broadcast client
end

Re: Clients with vlan privs can't roam

It's been a long time since I have done this, but AP 2 has no sub interface on vlan 27. What happens if you add vlan 27 on AP 2?

Sent from Cisco Technical Support iPhone App

-Scott
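Added example, not part of the thread: a small Python check that extracts the VLAN id from the AP's "not configured for station" syslog line and then reports which VLAN pieces (encryption, broadcast-key, radio sub-interface, Ethernet sub-interface) an AP config is missing for that VLAN. The config excerpts are constructed from the VLAN-relevant lines of the two configs above.

```python
import re

# Constructed excerpts of the two AP configs posted in the thread; only the
# VLAN-relevant lines are kept. AP2 has nothing at all for VLAN 27.
AP1_CONFIG = """\
dot11 vlan-name pwifi vlan 27
dot11 vlan-name wifi vlan 22
interface Dot11Radio0
 encryption vlan 22 mode ciphers aes-ccm
 encryption vlan 27 mode ciphers aes-ccm
 broadcast-key vlan 22 change 300
 broadcast-key vlan 27 change 300
interface Dot11Radio0.22
 encapsulation dot1Q 22
interface Dot11Radio0.27
 encapsulation dot1Q 27
interface GigabitEthernet0.22
 encapsulation dot1Q 22
interface GigabitEthernet0.27
 encapsulation dot1Q 27
"""
AP2_CONFIG = """\
dot11 vlan-name test2 vlan 22
interface Dot11Radio0
 encryption vlan 22 mode ciphers aes-ccm
 broadcast-key vlan 22 change 60
interface Dot11Radio0.22
 encapsulation dot1Q 22
interface GigabitEthernet0.22
 encapsulation dot1Q 22
"""
# Constructed copy of the syslog line quoted in the question.
SYSLOG = "Vlan id 27 from Radius server is not configured for station 28cf.dae3.4f16"

# Each piece an AP needs before it can place a client on a RADIUS-assigned VLAN.
# Group 1 of every pattern is the VLAN id.
REQUIRED = {
    "encryption": r"^\s*encryption vlan (\d+) ",
    "broadcast-key": r"^\s*broadcast-key vlan (\d+) ",
    "radio-subif": r"^interface Dot11Radio\d+\.(\d+)$",
    "ethernet-subif": r"^interface (?:Gigabit|Fast)Ethernet\d+\.(\d+)$",
}

def vlan_from_syslog(line):
    """Return the VLAN id named in the AP's 'not configured for station' message, else None."""
    m = re.search(r"Vlan id (\d+) from Radius server is not configured", line)
    return int(m.group(1)) if m else None

def missing_pieces(config, vlan):
    """Return the names of the REQUIRED pieces that config lacks for vlan (empty if complete)."""
    return [name for name, pattern in REQUIRED.items()
            if not any(int(m.group(1)) == vlan for m in re.finditer(pattern, config, re.M))]

if __name__ == "__main__":
    vlan = vlan_from_syslog(SYSLOG)
    for ap, cfg in (("cldap01", AP1_CONFIG), ("cldap2", AP2_CONFIG)):
        print(ap, "missing for vlan", vlan, ":", missing_pieces(cfg, vlan) or "nothing")
```

Run it against the real running-config of each AP in the WDS group to confirm every AP carries the same set of RADIUS-assignable VLANs before enabling roaming.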