wlc 7600 wlan name to wlan id

jorg.ramakers
Level 1

Hi,

I want to setup a wlan environment with peap.

When the remote user is successfully authenticated to a radius, the radius returns a vlan name.

On the remote sites the VLAN ID differs. I need to match the VLAN name to the VLAN ID on the remote location.

Second part. The VLAN should only "live" on a couple of LWAPPs, not on all sites and not on all LWAPPs of the location.

Example

Site A : SSID test

Radius returns test_vlan

vlanid location A : 50

ip range: 10.1.1.0 / 24

scope locally defined on site router A

Site B: SSID test

Radius returns test_vlan

vlanid location A : 70

ip range 10.5.5.0/24

scope locally defined on site router B

Anyone an idea?

4 Replies

Richard Atkin
Level 4

You're after a feature called "Flex Connect" (previously "H-REAP"). The only bit I'm not 100% sure about is where RADIUS returns "test vlan" and the AP translates that to its local VLAN number. Have a look into it though, you can probably find a clever way around it...

http://www.cisco.com/en/US/docs/wireless/controller/7.4/configuration/guides/flexconnect/config_flexconnect.pdf

The FlexConnect feature is working; you can link a VLAN to an SSID and rewrite it when logged on.

The thing I'm looking for is whether the answer from RADIUS allows rewriting to the VLAN name specified in the RADIUS response.

I think it could work because the radius attribute is supported by WLC.

http://www.cisco.com/en/US/products/ps6307/products_tech_note09186a0080870334.shtml#s3

Supported RADIUS Attributes on the Wireless LAN Controller

RADIUS attributes are used to define specific authentication, authorization, and accounting (AAA) elements in a user profile, which is stored on the RADIUS daemon. This section lists the RADIUS attributes currently supported on the Wireless LAN Controller.

  • Quality of Service—When present in a RADIUS Access Accept, the QoS-Level value overrides the QoS value specified in the WLAN profile.
  • ACL—When the Access Control List (ACL) attribute is present in the RADIUS Access Accept, the system applies the ACL-Name to the client station after it authenticates. This overrides any ACLs that are assigned to the interface.
  • VLAN—When a VLAN Interface-Name or VLAN-Tag is present in a RADIUS Access Accept, the system places the client on a specific interface.

What you've found is all true and correct, it's just not the correct context... That is for VLANs presented at the WLC as opposed to VLANs presented at the AP.  The limitation is that the AP only knows about VLAN numbers and not VLAN names, which is what's causing the problem.

The only possible way around this I can think of is to see if you can identify an attribute that is sent to your RADIUS server by the WLC that allows you to know which site the user (or rather, the AP) is at... You could try changing the Called-Station ID type on the WLC to something like "AP Group" or "AP Location" (under the "Security > RADIUS Authentication" page in the WLC) and seeing if your RADIUS server can return the appropriate VLAN ID based on that. I've never done this myself but it should work, certainly with ACS 5 / ISE type products it should anyway..

Richard

PS - Just so we're clear, what I think you need to do is;

On your WLC;

Change the RADIUS Called-Station ID Type to "AP Location" (on the "Security > RADIUS Authentication" page)

Configure your APs with "SiteA" and "SiteB" as their location (on the "Wireless > [Your Access Point]" page)

On your RADIUS server;

If RADIUS Called-Station-ID contains "SiteA": return VLAN 50

If RADIUS Called-Station-ID contains "SiteB": return VLAN 70

Else If [Valid User], return "Access-Accept" and the AP will dump the User in whatever the default VLAN is for that particular FlexConnect AP/SSID.

Richard
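To make the per-site decision concrete, here is an added example (not from the thread or any Cisco product) that emulates the RADIUS policy Richard lays out: the WLC is assumed to send the AP Location string inside Called-Station-Id, the user's entitlement is still expressed as a VLAN name (as in the original question), and the policy translates name plus site into the site-local VLAN ID using the standard RFC 2868 tunnel attributes. The site names, VLAN IDs and the shape of the response dictionary are constructed for illustration.

```python
# Constructed from the thread example: per site, VLAN name -> site-local VLAN ID.
SITE_VLANS = {
    "SiteA": {"test_vlan": 50},
    "SiteB": {"test_vlan": 70},
}


def site_from_called_station(called_station_id: str):
    """Return the site whose name appears in Called-Station-Id, or None.

    Richard's rule is "contains", so this is a case-insensitive substring
    match. Choose AP Location strings that are not prefixes of each other
    (e.g. "SiteA" and "SiteAB" would be ambiguous); the longest name wins
    here so an exact, longer location is preferred when both match.
    """
    haystack = called_station_id.lower()
    hits = [s for s in SITE_VLANS if s.lower() in haystack]
    return max(hits, key=len) if hits else None


def build_access_response(valid_user: bool, called_station_id: str, vlan_name: str) -> dict:
    """Emulated RADIUS policy: decide the reply code and VLAN attributes.

    - Invalid credentials -> Access-Reject, nothing else.
    - Unknown site or unknown VLAN name -> plain Access-Accept; the
      FlexConnect AP then uses the default VLAN for that SSID (Richard's
      "Else" branch), which is the safe fallback rather than guessing an ID.
    - Known site and VLAN name -> Access-Accept carrying the RFC 2868
      attributes: Tunnel-Type=VLAN(13), Tunnel-Medium-Type=IEEE-802(6),
      Tunnel-Private-Group-Id=<site-local VLAN ID as a string>.
    """
    if not valid_user:
        return {"code": "Access-Reject", "attributes": {}}
    site = site_from_called_station(called_station_id)
    vlan_id = SITE_VLANS.get(site, {}).get(vlan_name) if site else None
    if vlan_id is None:
        return {"code": "Access-Accept", "attributes": {}}
    return {
        "code": "Access-Accept",
        "attributes": {
            "Tunnel-Type": 13,
            "Tunnel-Medium-Type": 6,
            "Tunnel-Private-Group-Id": str(vlan_id),
        },
    }


if __name__ == "__main__":
    # Constructed Called-Station-Id values as a WLC might send them with AP Location enabled.
    for csid in ("SiteA", "00-11-22-33-44-55:SiteB", "SiteC"):
        print(csid, "->", build_access_response(True, csid, "test_vlan"))
```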
