05-30-2013 12:35 AM - edited 07-04-2021 12:09 AM
Hi,
I want to setup a wlan environment with peap.
When the remote user is successfully authenticated to a radius, the radius returns a vlan name.
On the remote sites the VLAN id differs. I need to match the VLAN name to the VLAN id on the remote location.
Second part. The VLAN should only "live" on a couple of LWAPP's, not on all sites, not on all LWAPP's of the location.
Example
Site A : SSID test
Radius returns test_vlan
vlanid location A : 50
ip range: 10.1.1.0/24
scope locally defined on site router A
Site B: SSID test
Radius returns test_vlan
vlanid location A : 70
ip range 10.5.5.0/24
scope locally defined on site router B
Anyone an idea?
05-30-2013 01:11 AM
You're after a feature called "Flex Connect" (previously "H-REAP"). The only bit I'm not 100% sure about is where RADIUS returns "test vlan" and the AP translates that to its local VLAN number. Have a look into it though, you can probably find a clever way around it...
05-30-2013 04:44 AM
The FlexConnect feature is working, you can link a VLAN to an SSID and rewrite it when logged on.
The thing I'm looking for is the answer from RADIUS allows for rewriting to the VLAN name specified in the RADIUS request.
I think it could work because the radius attribute is supported by WLC.
http://www.cisco.com/en/US/products/ps6307/products_tech_note09186a0080870334.shtml#s3
Supported RADIUS Attributes on the Wireless LAN Controller
RADIUS attributes are used to define specific authentication, authorization, and accounting (AAA) elements in a user profile, which is stored on the RADIUS daemon. This section lists the RADIUS attributes currently supported on the Wireless LAN Controller.
05-30-2013 05:41 AM
What you've found is all true and correct, it's just not the correct context... That is for VLANs presented at the WLC as opposed to VLANs presented at the AP. The limitation is that the AP only knows about VLAN numbers and not VLAN names, which is what's causing the problem.
The only possible way around this I can think of is to see if you can identify an attribute that is sent to your RADIUS Server by the WLC that allows you to know which site the User (or rather, the AP) is at... You could try changing the Called-Station ID type on the WLC to something like "AP Group" or "AP Location" (under the "Security > RADIUS Authentication" page in the WLC) and seeing if your RADIUS server can return the appropriate VLAN ID based on that. I've never done this myself but it should work, certainly with ACS 5 / ISE type products it should anyway.
Richard
05-30-2013 05:48 AM
PS - Just so we're clear, what I think you need to do is:
On your WLC:
Change the RADIUS Called-Station ID Type to "AP Location" (on the "Security > RADIUS Authentication" page)
Configure your APs with "SiteA" and "SiteB" as their location (on the "Wireless > [Your Access Point]" page)
On your RADIUS server:
If RADIUS Called-Station-ID contains "SiteA", return VLAN 50
If RADIUS Called-Station-ID contains "SiteB", return VLAN 70
Else, if [Valid User], return "Access-Accept" and the AP will dump the User in whatever the default VLAN is for that particular FlexConnect AP/SSID.
Richard
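As an added illustration (not from any poster in this thread and not a product's own configuration), the following Python models the site-aware authorization rule Richard describes: the WLC is assumed to send the AP's configured location in Called-Station-Id, the PEAP inner-method result is passed in as a boolean, and the VLAN is returned with the standard RFC 3580 tunnel attributes. The site names, VLAN numbers and request attributes are constructed sample values taken from the thread.

```python
# Model of the RADIUS policy "Called-Station-Id contains SiteX -> VLAN N".
# Assumes Called-Station ID Type = "AP Location" on the WLC, so the
# Called-Station-Id attribute carries the AP's location string.

# Site substring expected in Called-Station-Id -> local VLAN id (from the thread).
SITE_VLANS = {"SiteA": 50, "SiteB": 70}

# RFC 3580 attribute values: Tunnel-Type 13 = VLAN, Tunnel-Medium-Type 6 = IEEE-802.
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_802 = 6


def site_from_called_station(called_station_id):
    """Return the site key whose name appears in Called-Station-Id, else None.

    Matching is case-insensitive so a location entered as "sitea" on one AP
    still matches; an absent attribute (e.g. the WLC still sending MAC:SSID
    without a location) yields None.
    """
    if not called_station_id:
        return None
    for site in SITE_VLANS:
        if site.lower() in called_station_id.lower():
            return site
    return None


def authorize(request, user_authenticated):
    """Build the RADIUS reply for one Access-Request.

    request:            dict of request attributes (only Called-Station-Id is used)
    user_authenticated: result of the PEAP inner method (MSCHAPv2 etc.), which
                        this model does not implement itself
    """
    if not user_authenticated:
        return {"code": "Access-Reject", "attrs": {}}
    site = site_from_called_station(request.get("Called-Station-Id"))
    if site is None:
        # No recognised site: accept with no VLAN attributes, so the
        # FlexConnect AP places the client in the SSID's default VLAN.
        return {"code": "Access-Accept", "attrs": {}}
    return {
        "code": "Access-Accept",
        "attrs": {
            "Tunnel-Type": TUNNEL_TYPE_VLAN,
            "Tunnel-Medium-Type": TUNNEL_MEDIUM_802,
            "Tunnel-Private-Group-ID": str(SITE_VLANS[site]),
        },
    }
```

Because the AP location string is the only thing selecting the VLAN, a mislabelled AP silently lands its clients in the wrong subnet; checking the returned Tunnel-Private-Group-ID against the AP's configured FlexConnect VLAN mapping in the WLC logs is the practical way to catch that.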