Using RSA RADIUS Server and WLC 7.4 to dynamically asssign users to VLAN

Pete89
Level 2

Hello,

What we are trying to do:

John logs on to Wi-Fi using an RSA fob for the password. RSA sends back an auth request with attributes to the WLC 7.4, which magically knows how to interpret the attributes and puts John on VLAN 10. Mary logs on with her fob and gets put on VLAN 20.

We don't have ISE. We don't have ACS. We have RSA Authentication Manager 7.0.

We have looked high and low for documentation for this kind of setup, and we find stuff that is close to a match but not quite.

Here is what we are seeing:

1. Dynamic VLAN assignment is not working -- the RADIUS server is set with the attributes

2. RSA authentication works

3. John and Mary are always put into the VLAN where the MGMT interface is

4. I can see that attributes are making it back to the WLC by sniffing

We are stuck at this point. Any help would be much appreciated.

P.

4 Replies

Stephen Rodriguez
Cisco Employee

What attribute is being sent back for 81? The VLAN ID, or the interface name?

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered
Here is a little more background:

  • We have created a dynamic interface in VLAN 157
  • Wireless LAN has been assigned to MGMT interface which is on VLAN 35
  • This is a vWLC, version 7.4.100
  • AP is attached to the vWLC (only FlexConnect mode is supported)
  • RADIUS Server has been configured
  • Users are getting assigned to VLAN 35

Also, I have attached some screenshots and two packet captures so you can see what the RSA is sending back with your own eyes:

  1. I don't see any attributes in the capture when RSA sends to the vWLC
  2. I see attributes in the capture when RSA sends to my local RADIUS client (my PC)

And to answer your question: we are sending a VLAN ID (157).

Just an update for this.

It seems that with any RADIUS server we try this with, we get the same result:

We don't see the right attributes in the Access-Accept packet from the RADIUS server. The attributes we see are:

AVP: l=121  t=Class(25): 53425232434cede1d29dcc9cbe83afc01180640180048199...
AVP: l=6  t=EAP-Message(79) Last Segment[1]
AVP: l=58  t=Vendor-Specific(26) v=Microsoft(311)
AVP: l=58  t=Vendor-Specific(26) v=Microsoft(311)
AVP: l=18  t=Message-Authenticator(80): 4e3595aa45b1c0fab2ebd4ae8db98a2e

So now I am starting to think it might be the way the controller is negotiating the request. Like I said, we get the same result whether we use RSA or FreeRADIUS.

When doing Dynamic VLAN Assignment with FlexConnect, you have to create a VLAN mapping at the AP, and allow AAA Override in the WLAN. Take a look at this guide that Vinay posted.

https://supportforums.cisco.com/community/netpro/wireless-mobility/security-network-management/blog/tags/flexconnect_vlan_override

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered
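The check Pete did by sniffing, and the attributes Steve's fix depends on, as an added example (this is not code from the thread, from RSA or from Cisco): a small Python parser that walks the AVPs of a RADIUS Access-Accept and reports whether it carries the RFC 3580 tunnel attributes a WLC needs for AAA override (Tunnel-Type 64 = VLAN, Tunnel-Medium-Type 65 = IEEE-802, Tunnel-Private-Group-ID 81 = the VLAN ID), or the Airespace-Interface-Name VSA when an interface name is returned instead. The two packets are constructed, not taken from the captures: the first reproduces the attribute list Pete posted (Class, EAP-Message, two Microsoft VSAs, Message-Authenticator), the second is the same reply with the three tunnel attributes for VLAN 157. The Class blob, the MPPE key contents and the zeroed authenticator are dummy placeholders.

```python
"""Decode a RADIUS Access-Accept and report what a WLC could use for AAA override.

Added example; the packets built at the bottom are constructed, not captured.
"""
import struct

ACCESS_ACCEPT = 2
# Attribute types (RFC 2865, RFC 2868, RFC 2869) and the RFC 3580 VLAN values.
CLASS, VENDOR_SPECIFIC = 25, 26
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE = 64, 65
EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 79, 80
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13            # FreeRADIUS users file: Tunnel-Type = VLAN
TUNNEL_MEDIUM_IEEE_802 = 6       #                        Tunnel-Medium-Type = IEEE-802
VENDOR_MICROSOFT = 311           # MS-MPPE-Send-Key is VSA type 16, MS-MPPE-Recv-Key 17
VENDOR_AIRESPACE = 14179         # Airespace-Interface-Name is VSA type 5
AIRESPACE_INTERFACE_NAME = 5


def avp(t, value):
    """Type, Length (covers the 2-octet header), Value."""
    return bytes([t, 2 + len(value)]) + value


def tagged_int(t, value, tag=0):
    """RFC 2868 tagged integer: one tag octet followed by a 3-octet value."""
    return avp(t, bytes([tag]) + value.to_bytes(3, "big"))


def tagged_str(t, value, tag=0):
    """RFC 2868 tagged string: one tag octet followed by the string."""
    return avp(t, bytes([tag]) + value.encode())


def vsa(vendor, vtype, value):
    """Vendor-Specific: 4-octet vendor ID, then a vendor type/length/value."""
    return avp(VENDOR_SPECIFIC, vendor.to_bytes(4, "big") + bytes([vtype, 2 + len(value)]) + value)


def access_accept(avps, ident=1):
    """Code, Identifier, Length, 16-octet authenticator (placeholder here), attributes."""
    body = b"".join(avps)
    return struct.pack(">BBH", ACCESS_ACCEPT, ident, 20 + len(body)) + bytes(16) + body


def parse_avps(packet):
    """Return (code, [(type, value), ...]); refuses packets whose lengths do not add up."""
    code, _ident, length = struct.unpack(">BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("RADIUS length field does not match the packet")
    out, i = [], 20
    while i < length:
        t, l = packet[i], packet[i + 1]
        if l < 2 or i + l > length:
            raise ValueError(f"bad length {l} for attribute {t}")
        out.append((t, packet[i + 2:i + l]))
        i += l
    return code, out


def untag(value):
    """RFC 2868: a leading octet 0x00..0x1F is a tag, anything higher is already data."""
    return value[1:] if value and value[0] <= 0x1F else value


def vlan_override(packet):
    """('vlan', 157), ('vlan-name', 'x'), ('interface', 'name') or (None, reason)."""
    code, avps = parse_avps(packet)
    if code != ACCESS_ACCEPT:
        return None, f"code {code} is not Access-Accept"
    seen = {}
    for t, v in avps:
        if t == VENDOR_SPECIFIC and int.from_bytes(v[:4], "big") == VENDOR_AIRESPACE \
                and v[4] == AIRESPACE_INTERFACE_NAME:
            seen["iface"] = v[6:6 + v[5] - 2].decode()
        elif t in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            seen[t] = int.from_bytes(untag(v), "big")
        elif t == TUNNEL_PRIVATE_GROUP_ID:
            seen[t] = untag(v).decode()
    if "iface" in seen:
        return "interface", seen["iface"]
    if TUNNEL_PRIVATE_GROUP_ID not in seen:
        return None, f"no attribute 81 (only types {sorted({t for t, _ in avps})})"
    if seen.get(TUNNEL_TYPE) != TUNNEL_TYPE_VLAN or seen.get(TUNNEL_MEDIUM_TYPE) != TUNNEL_MEDIUM_IEEE_802:
        return None, "attribute 81 present but 64/65 are not VLAN(13)/IEEE-802(6)"
    gid = seen[TUNNEL_PRIVATE_GROUP_ID]
    return ("vlan", int(gid)) if gid.isdigit() else ("vlan-name", gid)


# Constructed reply with only the attribute types the thread's capture showed.
NO_OVERRIDE = access_accept([
    avp(CLASS, bytes.fromhex("53425232434cede1")),   # opaque Class blob, shortened
    avp(EAP_MESSAGE, bytes([3, 1, 0, 4])),            # EAP Success, id 1, length 4
    vsa(VENDOR_MICROSOFT, 16, bytes(16)),             # MS-MPPE-Send-Key, dummy
    vsa(VENDOR_MICROSOFT, 17, bytes(16)),             # MS-MPPE-Recv-Key, dummy
    avp(MESSAGE_AUTHENTICATOR, bytes(16)),            # dummy HMAC
])

# Same reply plus the three tunnel attributes for VLAN 157.
WITH_VLAN = access_accept([
    avp(CLASS, bytes.fromhex("53425232434cede1")),
    tagged_int(TUNNEL_TYPE, TUNNEL_TYPE_VLAN),
    tagged_int(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_IEEE_802),
    tagged_str(TUNNEL_PRIVATE_GROUP_ID, "157"),
    avp(MESSAGE_AUTHENTICATOR, bytes(16)),
])

if __name__ == "__main__":
    print(vlan_override(NO_OVERRIDE))   # (None, 'no attribute 81 (only types [25, 26, 79, 80])')
    print(vlan_override(WITH_VLAN))     # ('vlan', 157)
```

The parser only covers the RADIUS half. As Steve's reply says, the controller side also has to cooperate: Allow AAA Override must be enabled on the WLAN, and on a FlexConnect AP (or its FlexConnect group) the returned VLAN needs a VLAN mapping, or the client still lands on the WLAN's default interface even when attributes 64/65/81 arrive intact.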