I currently have a WLC 5508 and ACS 5.1, previously the only access policy was default network access with authorization profile permit access.
My users and machines successfully authenticate against radius via AD.
I want to consolidate some SSID’s and use dynamic vlan assignments via radius. I created new vlan, ssid, a service, service selection rule, and authorization profile end station filters, etc, all this works if the authorization profile is set to permit. When I add the profile with the vlan it begins failing. I have used just the vlan profile and the vlan profile and the default permit profile together in both orders.
If I do not enable radius override on the WLC I get message saying radius overrides globally disabled.
One I turn on overrides and use the authorization profile with the vlan I get web auth failed, radius server disabled.
The radius server log shows could not find network resource or AAA client while accessing NAS by ip during authentication.
What am I missing?
You said you had this working before? I have this lab'd out and I know it works. So the thing is, you have the wlc configured as a aaa client in ACS and the shared secret is identical. AAA Overide in the wlc needs to be enabled. Also the vlans that you want to put the users on need to be configured on the wlc. Can you screen shot your WLAN SSID and you ACS policies. Also can you post the failed or passed log in ACS.
Sent from my iPhone
Let me clarify,
When I said previously I meant before I started adding these policies. The default policy still works and my users authenticate to the radius with their AD credentials, but they stay in the vlan of the ssid’s interface.
I want to add an authenticated guest ssid, and consolidate my existing ssids to reduce the number of SSID’s I have. I want to accomplish this with dynamic vlans.
It is the new ssid with a dynamic vlan that does not work. The dhcp switch, interface etc are setup because I can remove the dynamic vlan profile and it will connect to the interface I specify in the WLC config.
I can manually change the WLC Wlan config to associate with the different vlans I want and they all work so there is no issue there.
The issue is dynamically assigning this interface / vlan via AAA.
I will get screen shots an error messages when I get in tomorrow.
I hope this makes the issue a little clearer.
Okay... so your guest ssid,,,, what authentication method are you using. Usally when you consolodate SSID's, it is the internal SSID's and you keep guest seperate. We can wait til tomorrow so I can see how you have the ssid and the ACS configured.
OK while taking screen shots and revving logs to send this moring I discovered the nas ip in the failure log.
On a successful login of my current operations the nas ip is the management ip of the wlc x.x.16.254
On the failed logins with the vlan assignment the nas is the ip of the interfaced assigned to the wlan. In this case x.x.3.5
Once I added 3.5 as an AAA client and the shared key I can successfully authenticate with my test auth profile with vlan assignment.
However I stay in the vlan of the wlan interface, I do not get moved to a new vlan as I should.
I have attached the screen shots. Let me know if there is more info you need.
OK got it working,
I have been using web auth which will not work with dynamic vlans.
i switched my security from webauth to WPA2.
I would prefer webauth for guest because some clients have trouble validating the certificates, but is working.
Thanks for your help.
For guest, they should be using webauth, and not an EAP type. But you would have to lock them down to a particular VLAN when they associated.