cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2444
Views
20
Helpful
9
Replies

9800-40 WLC with FlexConnect, Local Switching, Local Authentication and AAA override does not broadcast SSID

toy.thompson
Level 1
Level 1

I'm currently busy with a deployment of a Centralized 9800-40 WLC that will be managing FlexConnect APs at branch offices.

I have configured a WLAN, Policy, FlexConnect Policy , Policy Tag and Site Tag. The client is use a RADIUS Server to allocate VLAN IDs after authentication. When security is disabled and the we define a VLAN in the Access Policy the clients can see and connect to the SSID. When We enable Dot1X and select the "default" VLAN under Access Policies we cannot see the SSID. When we assign the Management VLAN to the the Access Policies the client can see the SSID but the aaa override function does not work and the client remain in the Management VLAN. We are running 16.12.2 at the moment. Has anybody else experinced a similar problem?

1 Accepted Solution

Accepted Solutions

I Guess we need to configure something like a Quarantine VLAN then assign the clients to the Quarantine VLAN until they have successfully authenticate. Thank you for the support.

View solution in original post

9 Replies 9

Nicolas Poirier
Level 4
Level 4

Have the VLANs been configured on the 9800, under Configuration > Layer2 > VLAN?
If not, it would be exactly this behavior.

9800_VLANs.jpg

The WLCs are deployed in a central DC so the only VLAN configured is the Management VLAN. We configured the VLANs in the Flex Policy under the VLANs tab because we want to use local switching

Nicolas Poirier
Level 4
Level 4

Sorry I missed the locally switched part.
So you have:

  • configure a Flex Profile where you have declared all the VLANs that could be send by the RADIUS server
  • created a Site Tag with the "Enable Local Site' box unchecked
  • assigned your Flex Profile to this Site Tag
  • Configured a Policy Profile with Central Switching and Central DHCP disabled
  • Configured a WLAN Profile
  • Linked your Policy Profile and WLAN Profile in a Policy Tag
  • Assigned the Site tag and Policy Tag to your APs

 

And after all that, if you configured a VLAN other that the 9800 management VLAN on your Policy Profile, the SSID is not broadcasted on your APs?

If it is, I will try to replicate on my 9800 here. I'm running version 16.12.3.

  • configure a Flex Profile where you have declared all the VLANs that could be send by the RADIUS server [yes]
  • created a Site Tag with the "Enable Local Site' box unchecked [yes]
  • assigned your Flex Profile to this Site Tag [yes]
  • Configured a Policy Profile with Central Switching and Central DHCP disabled [yes]
  • Configured a WLAN Profile [yes with aaa-override selected]
  • created a policy profile when I assign the "default" vlan under the access policies user cannot see the SSID when I select the management vlan (2) RADIUS allocate the correct vlan-id attribute (208) but users end up in management vlan and cannot get n IP address because there is no scope created for the management vlan. When I remove dot1x and assign the user vlan id (208) users can connect and get IP from DHCP on the right vlan
  • Linked your Policy Profile and WLAN Profile in a Policy Tag [yes]
  • Assigned the Site tag and Policy Tag to your APs [yes]

The SSID only disappear when we assign the "default" vlan under the access policy of the policy profile because we want the RADIUS attribute to assign the correct vlan

some more info

We have 5 clients connected and authenticated. 4 received the correct IP one did not get an IP which might be client related.

Client1 Properties.PNGClient1 Security Information.PNGClient2 Properties.PNGClient2 Security Information.PNGFlex Profile-Local Auth.PNGFlex Profile-VLAN.PNGPolicy Profile-Access Policies.PNGPolicy Profile-General.PNG

I’m running 9800-CL in my home lab for testing. What I did was create a bogus vlan under the “ Policy Profiles” something like Black-Hole mapped to vlan 999 which is not defined anywhere. Then on the “Policy Tag”, I have the plan mapped to the Black-Hole “Policy Profile”. I don’t have any issues with the SSID not being available. This is the same setup with AireOS, to use a bogus vlan so that clients will not be accidentally mapped to a management or default assigned vlan.
-Scott
*** Please rate helpful posts ***

Nicolas Poirier
Level 4
Level 4

I have observed the same behaviour here. If I configure a VLAN on the Policy Profile that is not existing on the remote AP, thanks to the Flex Profile, then the SSID is not broadcasted.
So it seems that the VLAN on the Policy Profile must be one configured on the Flex Profile for it to work.

I've encountered no problem with the clients I connected. They have pulled IP addresses on the VLAN returned by the RADIUS server each time. When no VLAN attribute is returned, then the client is placed on the VLAN configured on the Policy Profile.
But as you got 4 clients working out of 5, maybe it is a client issue as you suggested.

 

I Guess we need to configure something like a Quarantine VLAN then assign the clients to the Quarantine VLAN until they have successfully authenticate. Thank you for the support.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: