08-09-2021 07:10 AM
I'm having problems getting the Radius server to assign VLAN for clients while at the same time doing iPSK. iPSK works but the AP seems to ignore the VLAN assignment.
Hardware is C9120AXI-E using version 17.6.1.0.250 (controller) and 17.6.1.13 (AP). I'm using FreeRADIUS 3.0.13. The AP is connected using a trunk with VLANs 10 and 500, and native VLAN 5. The SSID is configured to use VLAN 500 but I try to change it to VLAN 10 using Radius.
Radius conf for the user:
'<client MAC>' Cleartext-Password := '<client MAC>'
User-Name = "Foo Bar",
Tunnel-Type = 13,
Tunnel-Medium-Type = 6,
Tunnel-Private-Group-Id = 10,
Cisco-AVPair = "psk-mode=ascii",
Cisco-AVPair += "psk=HelloWorld"
# Cisco-AVPair += "vlan-id=10",
# Cisco-AVPair += "role=vlan10"
Radius debug looks like this:
(43) Received Access-Request Id 144 from 10.0.5.50:56397 to 10.0.5.5:1812 length 406
(43) User-Name = "<client MAC>"
(43) User-Password = "<client MAC>"
(43) Service-Type = Call-Check
(43) Cisco-AVPair = "service-type=Call Check"
(43) Framed-MTU = 1485
(43) Message-Authenticator = <authenticator>
(43) Cisco-AVPair = "audit-session-id=<session ID>"
(43) Cisco-AVPair = "method=mab"
(43) Cisco-AVPair = "client-iif-id=3187675497"
(43) Cisco-AVPair = "vlan-id=500"
(43) NAS-IP-Address = 10.0.5.50
(43) NAS-Port-Id = "capwap_90000004"
(43) NAS-Port-Type = Wireless-802.11
(43) NAS-Port = 5
(43) Cisco-AVPair = "cisco-wlan-ssid=Mybeta test"
(43) Cisco-AVPair = "wlan-profile-name=wlan-mybeta"
(43) Called-Station-Id = "<Radio MAC>:Mybeta test"
(43) Calling-Station-Id = "<Client MAC>"
(43) Airespace-Wlan-Id = 2
(43) NAS-Identifier = "ap"
(43) # Executing section authorize from file /etc/raddb/radiusd.conf
(43) authorize {
(43) files: users: Matched entry (client MAC) at line 1
(43) [files] = ok
(43) [pap] = updated
(43) } # authorize = updated
(43) Found Auth-Type = PAP
(43) # Executing group from file /etc/raddb/radiusd.conf
(43) Auth-Type PAP {
(43) pap: Login attempt with password
(43) pap: Comparing with "known good" Cleartext-Password
(43) pap: User authenticated successfully
(43) [pap] = ok
(43) } # Auth-Type PAP = ok
(43) Sent Access-Accept Id 144 from 10.0.5.5:1812 to 10.0.5.50:56397 length 0
(43) User-Name = "Foo Bar"
(43) Tunnel-Type = VLAN
(43) Tunnel-Medium-Type = IEEE-802
(43) Tunnel-Private-Group-Id = "10"
(43) Cisco-AVPair = "psk-mode=ascii"
(43) Cisco-AVPair = "psk=HelloWorld"
(43) Finished request
iPSK works fine; the client needs to log in using the password set in Radius. But the client gets connected to VLAN 500, not VLAN 10 as specified by Radius.
Checking the status of the client in the CLI gives:
ap#show wireless client mac-address <client MAC> detail
Client MAC Address : <client MAC>
Client MAC Type : Universally Administered Address
Client DUID: NA
Client IPv4 Address : 10.5.0.237
Client IPv6 Addresses : fe80::8f6:b7d3:d328:9437
Client Username : Foo Bar
AP MAC Address : <AP MAC>
AP Name: ap1
AP slot : 1
Client State : Associated
Policy Profile : policy-profile-mybeta
Ipsk Tag : <tag hex>
Flex Profile : default-flex-profile
Wireless LAN Id: 2
WLAN Profile Name: wlan-mybeta
Wireless LAN Network Name (SSID): Mybeta test
BSSID : <BSSID>
Connected For : 357 seconds
Protocol : 802.11ac
Channel : 100
Client IIF-ID : 0x90000005
Association Id : 1
Authentication Algorithm : Open System
Idle state timeout : N/A
Session Timeout : 1800 sec (Remaining time: 1444 sec)
Session Warning Time : Timer not running
Input Policy Name : None
Input Policy State : None
Input Policy Source : None
Output Policy Name : None
Output Policy State : None
Output Policy Source : None
WMM Support : Enabled
U-APSD Support : Disabled
Fastlane Support : Enabled
Client Active State : Active
Power Save : ON
Current Rate : m9 ss2
Supported Rates : 6.0,9.0,12.0,18.0,24.0,36.0,48.0,54.0
AAA QoS Rate Limit Parameters:
QoS Average Data Rate Upstream : 0 (kbps)
QoS Realtime Average Data Rate Upstream : 0 (kbps)
QoS Burst Data Rate Upstream : 0 (kbps)
QoS Realtime Burst Data Rate Upstream : 0 (kbps)
QoS Average Data Rate Downstream : 0 (kbps)
QoS Realtime Average Data Rate Downstream : 0 (kbps)
QoS Burst Data Rate Downstream : 0 (kbps)
QoS Realtime Burst Data Rate Downstream : 0 (kbps)
Mobility:
Move Count : 0
Mobility Role : Local
Mobility Roam Type : None
Mobility Complete Timestamp : 08/09/2021 13:15:51 UTC
Client Join Time:
Join Time Of Client : 08/09/2021 13:15:51 UTC
Client State Servers : None
Client ACLs : None
Policy Manager State: Run
Last Policy Manager State : IP Learn Complete
Client Entry Create Time : 357 seconds
Policy Type : WPA2
Encryption Cipher : CCMP (AES)
Authentication Key Management : PSK
AAA override passphrase : Yes
User Defined (Private) Network : Disabled
User Defined (Private) Network Drop Unicast : Disabled
Encrypted Traffic Analytics : No
Protected Management Frame - 802.11w : No
EAP Type : Not Applicable
VLAN Override after Webauth : No
VLAN : 500
Multicast VLAN : 0
WiFi Direct Capabilities:
WiFi Direct Capable : No
Central NAT : DISABLED
Session Manager:
Point of Attachment : capwap_90000004
IIF ID : 0x90000004
Authorized : TRUE
Session timeout : 1800
Common Session ID: 3205000A000000412B0E22E4
Acct Session ID : 0x00000030
Last Tried Aaa Server Details:
Server IP : 10.0.5.5
Auth Method Status List
Method : MAB
SM State : TERMINATE
Authen Status : Success
Local Policies:
Service Template : wlan_svc_policy-profile-mybeta (priority 254)
Absolute-Timer : 1800
Server Policies:
VLAN : 10
Resultant Policies:
VLAN : 10
Absolute-Timer : 1800
DNS Snooped IPv4 Addresses : None
DNS Snooped IPv6 Addresses : None
Client Capabilities
CF Pollable : Not implemented
CF Poll Request : Not implemented
Short Preamble : Not implemented
PBCC : Not implemented
Channel Agility : Not implemented
Listen Interval : 0
Fast BSS Transition Details :
Reassociation Timeout : 20
11v BSS Transition : Implemented
11v DMS Capable : Yes
11v DMS ID Mask : 0x0
QoS Map Capable : No
FlexConnect Data Switching : Local
FlexConnect Dhcp Status : Local
FlexConnect Authentication : Central
Client Statistics:
Number of Bytes Received from Client : 33810
Number of Bytes Sent to Client : 31889
Number of Packets Received from Client : 194
Number of Packets Sent to Client : 128
Number of Policy Errors : 0
Radio Signal Strength Indicator : -40 dBm
Signal to Noise Ratio : 54 dB
Fabric status : Disabled
Radio Measurement Enabled Capabilities
Capabilities: Passive Beacon Measurement, Active Beacon Measurement, Statistics Measurement, AP Channel Report
Client Scan Report Time : Timer not running
Client Scan Reports
Assisted Roaming Neighbor List
Nearby AP Statistics:
EoGRE : Pending Classification
Device Classification Information:
Device Type : Apple-Device
Device Name : APPLE, INC.
Protocol Map : 0x000001 (OUI)
Max Client Protocol Capability: 802.11ac Wave 2
WiFi to Cellular Steering : Not implemented
Cellular Capability : N/A
Advanced Scheduling Requests Details:
Apple Specific Requests(ASR) Capabilities/Statistics:
Regular ASR support: DISABLED
ap#
If I try connecting without assigning a VLAN on the Radius server, the Session Manager section above changes to this:
Local Policies:
Service Template : wlan_svc_policy-profile-mybeta (priority 254)
VLAN : 500
Absolute-Timer : 1800
Server Policies:
Resultant Policies:
VLAN : 500
Absolute-Timer : 1800
No mention of VLAN 10 this time. So it seems that the AP is picking up the VLAN info from Radius, but it doesn't change the VLAN of the client.
If I assign the SSID to VLAN 10, the client gets connected to VLAN 10.
If I assign the SSID to VLAN 500, the client gets connected to VLAN 500.
If I assign the SSID to VLAN 500 and let Radius assign the client to VLAN 10, the client still gets connected to VLAN 500. The VLAN assignment from Radius doesn't work.
I've also tried letting Radius assign a role to the client, and including VLAN 10 in the definition of the role. This produces the same result: I can see in the details that the client has been assigned the role, but it's still connected to VLAN 500.
Why is this not working? What have I missed?
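The mismatch described above can be checked mechanically. The following is an added example, not code from the post or from Cisco/FreeRADIUS: it parses the FreeRADIUS debug for the Tunnel-* attributes in the Access-Accept, parses the `show wireless client ... detail` output for the client VLAN and the Server/Resultant Policies VLANs, and reports whether the VLAN returned by the server is the one the client actually landed on. The log excerpts are constructed from what the post shows.

```python
import re
# Constructed excerpts (not the original capture) modelled on the post's debug and show output.
RADIUS_DEBUG = """\
(43) Sent Access-Accept Id 144 from 10.0.5.5:1812 to 10.0.5.50:56397 length 0
(43)   Tunnel-Type = VLAN
(43)   Tunnel-Medium-Type = IEEE-802
(43)   Tunnel-Private-Group-Id = "10"
(43) Finished request
"""
CLIENT_DETAIL = """\
VLAN : 500
  Server Policies:
    VLAN : 10
  Resultant Policies:
    VLAN : 10
"""
def accept_attributes(debug):
    """Reply attributes carried in the Access-Accept; repeated names become lists."""
    attrs, in_accept = {}, False
    for line in debug.splitlines():
        if "Sent Access-Accept" in line:
            in_accept = True
        elif in_accept:
            m = re.match(r'\(\d+\)\s+([\w-]+)\s*=\s*"?([^"]*)"?$', line)
            if not m:
                break  # first non-attribute line ends the reply list
            attrs.setdefault(m.group(1), []).append(m.group(2))
    return attrs

def requested_vlan(attrs):
    """VLAN named by the Access-Accept, or None unless the Tunnel-* trio is complete."""
    ok = attrs.get("Tunnel-Type") == ["VLAN"] and attrs.get("Tunnel-Medium-Type") == ["IEEE-802"]
    return attrs["Tunnel-Private-Group-Id"][0] if ok and "Tunnel-Private-Group-Id" in attrs else None

def client_vlans(detail):
    """Client VLAN plus the Local/Server/Resultant Policies VLANs from the show output."""
    out, section = {}, "client"
    for line in detail.splitlines():
        s = line.strip()
        if s.endswith("Policies:"):
            section = s.split()[0].lower()  # "local", "server" or "resultant"
        m = re.match(r"VLAN\s*:\s*(\d+)$", s)
        if m:
            out.setdefault(section, m.group(1))  # first VLAN line per section wins
    return out

def override_applied(debug, detail):
    # True only when the client landed on the VLAN the RADIUS server returned.
    want = requested_vlan(accept_attributes(debug))
    return want is not None and want == client_vlans(detail).get("client")
```

Running `override_applied(RADIUS_DEBUG, CLIENT_DETAIL)` on the constructed excerpts returns False, which is exactly the symptom in the post: the server policy says VLAN 10 while the client VLAN stays 500.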