WLC4400 + FreeRadius Restrict user to a particular SSID

Hi,

I'm building a lab with WLC4404 and freeradius + daloradius gui.

WLC can communicate with the freeradius, but my problem is that the users can log in, and no matter which SSID they connect to, they get in.

I want to know how to apply a policy for this on the freeradius or the WLC with the AVpairs, as every user should remain in a specific SSID.

Thanks,

10 Replies

Sandeep Choudhary
VIP Alumni

Hi,

I am not sure if this is what you want to hear or not!

You can use mac filtering feature on WLC for WLANs.

http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wlan-security/91901-mac-filters-wlcs-config.html

Regards

Don't forget to rate helpful posts

Hi and thanks for your answer,

Unfortunately, MAC filtering didn't fit my requirements, as the final implementation will be around 100 LAPs and 1000 users (BYOD).

Regards,

Hi,

Right now the freeradius is passing the SSID value to the WLC, but when the user is registered it gets moved from the VLAN assigned in freeradius to the one that he tries to connect to.

This is the message from the WLC:

DISCONECT_MOBILE_DUE_TO_WLAN_SW: apf_policy.c:577 Disconnecting mobile #:#:#:#:#:# due to switch of WLANs from 3(STAFF) to 1(STUDENTS)

Is there any way to change this WLC behavior so that, if the assigned WLAN is not the same as the one the user is trying to connect to, the WLC rejects the connection?

Thanks,

This can be a problem in WLC software.

I don't have any experience with the FreeRADIUS server, but if you have ISE or ACS then you do it with the AAA override option.

Maybe this doc helps:

http://kb.netgear.com/ci/fattach/get/126/1317294811/redirect/1/session/L2F2LzEvdGltZS8xNDE2NTYxNzc5L3NpZC9hbFF0NVo3bQ==/filename/Dynamic%20VLAN%20Assignment%20using%20RADIUS.pdf

http://serverfault.com/questions/300735/dynamic-vlans-with-freeradius-openldap-cisco-wlc

Regards

Hi Sandeep,

AAA override is enabled in the WLC, and the software version is 7.0.250, which is the last one for the WLC4404 series.

Regards,

Hi,

Then you must check your FreeRADIUS server configuration.

Check this doc:

http://freeradius.org/doc/

Regards

Hi Sandeep,

Finally I managed to implement it, but instead of enforcing the VLANs in the WLC I modified the freeradius config to issue an SSID check against the user group name (for example students), and now it is working smoothly.

Thanks,
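
The group-to-SSID check described in the post above, sketched as an added example (not the poster's FreeRADIUS configuration, which the thread does not show). It assumes the WLC reports the SSID in Called-Station-Id as `<AP MAC>:<SSID>`; the group names, SSID names and function names are constructed for illustration.

```python
"""Fail-closed SSID-per-group check, modelled on a RADIUS authorize step.

Assumption: the controller reports the SSID in Called-Station-Id as
"<AP MAC>:<SSID>". The group and SSID names are constructed samples.
"""

# Hypothetical policy table: user group -> SSIDs that group may join.
GROUP_SSIDS = {
    "students": {"STUDENTS"},
    "staff": {"STAFF"},
}


def ssid_from_called_station_id(value):
    """Return the SSID part of "<AP MAC>:<SSID>", or None if absent."""
    if not value:
        return None
    # The MAC part uses "-" separators in this sample, so the first ":"
    # splits MAC from SSID; the SSID itself may contain ":".
    mac, sep, ssid = value.partition(":")
    if not sep or not ssid or len(mac.replace("-", "")) != 12:
        return None
    return ssid


def authorize(user_groups, called_station_id):
    """Return ("accept" | "reject", reason). Anything unexpected rejects."""
    ssid = ssid_from_called_station_id(called_station_id)
    if ssid is None:
        return "reject", "no SSID in Called-Station-Id"
    for group in user_groups:
        # SSIDs are case-sensitive, so compare exactly.
        if ssid in GROUP_SSIDS.get(group, set()):
            return "accept", f"group {group} may use {ssid}"
    return "reject", f"no group of this user is allowed on {ssid}"


if __name__ == "__main__":
    # Constructed requests: (groups of the user, Called-Station-Id).
    samples = [
        (["students"], "00-11-22-33-44-55:STUDENTS"),
        (["students"], "00-11-22-33-44-55:STAFF"),
        (["staff"], "00-11-22-33-44-55"),
        (["guests"], "00-11-22-33-44-55:STUDENTS"),
    ]
    for groups, csid in samples:
        print(groups, csid, "->", authorize(groups, csid))
```

Rejecting at the RADIUS server means a user who picks the wrong SSID never receives an Access-Accept, instead of being accepted and then moved between WLANs by the controller.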

Hi, great to hear that you got it working.

Mostly it always has to do with the RADIUS server, because on the WLC you just have to mention the IP of the server.

Regards

Hello Saul

I am writing to you from Colombia to ask for your help. Could you tell me how you got it working, and what you changed in the freeradius configuration? I read somewhere that there is a DNIS parameter that sends the SSID to which each user should connect.

I look forward to your reply, and thank you very much for your time.

sobhardw
Cisco Employee

Please refer to the link below:

http://serverfault.com/questions/399741/restrict-freeradius-clients-to-access-service-from-different-lans-with-same-user
