10-16-2020 09:38 AM - edited 07-05-2021 12:39 PM
I'm currently busy with a deployment of a Centralized 9800-40 WLC that will be managing FlexConnect APs at branch offices.
I have configured a WLAN, Policy, FlexConnect Policy, Policy Tag and Site Tag. The client uses a RADIUS server to allocate VLAN IDs after authentication. When security is disabled and we define a VLAN in the Access Policy, the clients can see and connect to the SSID. When we enable Dot1X and select the "default" VLAN under Access Policies, we cannot see the SSID. When we assign the Management VLAN to the Access Policies, the client can see the SSID but the aaa override function does not work and the client remains in the Management VLAN. We are running 16.12.2 at the moment. Has anybody else experienced a similar problem?
10-16-2020 09:47 AM
Have the VLANs been configured on the 9800, under Configuration > Layer2 > VLAN?
If not, it would be exactly this behavior.
10-16-2020 09:50 AM
The WLCs are deployed in a central DC, so the only VLAN configured is the Management VLAN. We configured the VLANs in the Flex Policy under the VLANs tab because we want to use local switching.
10-16-2020 10:02 AM
Sorry I missed the locally switched part.
So you have:
And after all that, if you configured a VLAN other than the 9800 management VLAN on your Policy Profile, the SSID is not broadcasted on your APs?
If it is, I will try to replicate on my 9800 here. I'm running version 16.12.3.
10-16-2020 10:36 AM
10-16-2020 10:39 AM
The SSID only disappears when we assign the "default" VLAN under the access policy of the policy profile, because we want the RADIUS attribute to assign the correct VLAN.
10-16-2020 12:50 PM
Some more info:
We have 5 clients connected and authenticated. 4 received the correct IP; one did not get an IP, which might be client related.
10-17-2020 08:18 AM
10-17-2020 06:57 AM - edited 10-17-2020 06:58 AM
I have observed the same behaviour here. If I configure a VLAN on the Policy Profile that is not existing on the remote AP, thanks to the Flex Profile, then the SSID is not broadcasted.
So it seems that the VLAN on the Policy Profile must be one configured on the Flex Profile for it to work.
I've encountered no problem with the clients I connected. They have pulled IP addresses on the VLAN returned by the RADIUS server each time. When no VLAN attribute is returned, then the client is placed on the VLAN configured on the Policy Profile.
But as you got 4 clients working out of 5, maybe it is a client issue as you suggested.
10-22-2020 04:48 AM
I guess we need to configure something like a Quarantine VLAN, then assign the clients to the Quarantine VLAN until they have successfully authenticated. Thank you for the support.
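The relationship the thread arrives at (the Policy Profile VLAN has to be one that the Flex Profile defines, with a quarantine VLAN as the fallback when RADIUS returns nothing), as an added configuration sketch that is not taken from any poster's controller. All profile, tag, WLAN and VLAN names and IDs are hypothetical, and the syntax is IOS-XE 16.12-style CLI to be checked against your release.

```text
! Added illustration; every name and VLAN ID below is hypothetical.
!
! Flex Profile: the VLANs that exist on the branch APs for local switching.
! Assumption: every VLAN the RADIUS server may return is listed here too.
wireless profile flex BRANCH-FLEX
 native-vlan-id 10
 vlan-name STAFF
  vlan-id 20
 vlan-name GUEST
  vlan-id 30
 vlan-name QUARANTINE
  vlan-id 99
!
! Policy Profile: locally switched, AAA override enabled.
! The VLAN set here is the fallback used when RADIUS returns no VLAN,
! so it points at a restricted VLAN rather than the management VLAN.
! VLAN 99 is defined in BRANCH-FLEX above; per the thread, a VLAN that
! the Flex Profile does not define leads to the SSID not being broadcast.
wireless profile policy BRANCH-POLICY
 no central switching
 no central dhcp
 aaa-override
 vlan 99
 no shutdown
!
! Policy Tag: binds the 802.1X WLAN to the Policy Profile.
wireless tag policy BRANCH-POLICY-TAG
 wlan CORP-DOT1X policy BRANCH-POLICY
!
! Site Tag: marks the site as FlexConnect and attaches the Flex Profile.
wireless tag site BRANCH-SITE
 no local-site
 flex-profile BRANCH-FLEX
```

The fallback VLAN only contains unauthenticated or unassigned clients if the branch switch also restricts what VLAN 99 can reach.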