2244 Views, 0 Helpful, 2 Replies

AAA VLAN assignment per FlexGroup with VLAN name

mtsankova (Frequent Visitor)

Hello, I have a topology with a virtual WLC (installed on a virtual machine) with APs in FlexConnect mode. I have also configured one SSID with authentication to a Microsoft RADIUS server (where, depending on the account in Active Directory, the user is assigned to a specific VLAN). The problem is that when the RADIUS server returns a VLAN name, all the clients are added to the default VLAN. Then I get an error:

TLV-DEC-ERR: can not process TLV for TLV_FLEX_VLAN_NAME_ID_MAPPING_PAYLOAD (591/0)
TLV-DEC-ERR: No CB for TLV_FLEX_VLAN_NAME_ID_MAPPING_PAYLOAD (591)


Is there a fix to this problem?

When the RADIUS server returns a VLAN ID, everything works fine, and the clients are added to the specific VLAN.

2 Replies

What you are trying to do is called AAA override, where the AAA server dictates or overrides the VLAN assignment.

Sounds like your RADIUS server is returning the attribute, but your AP may not be aware of the VLAN in question.

Guidelines and Limitations
• VLAN overrides for FlexConnect are applicable for both centrally and locally authenticated clients. Before configuring an AAA override, the VLAN must be created on the access points. These VLANs can be created on the access points by using the existing WLAN-VLAN mappings.
• VLANs can be configured on FlexConnect groups. VLANs are pushed to the access points belonging to the FlexConnect group.
• At any given point, an AP has a maximum of 16 VLANs. The VLANs are selected based on the WLAN-VLAN mapping in the AP. The remaining VLANs will be pushed from the FlexConnect group in the order that they are configured/shown in the FlexConnect group. If the VLAN slots are full, an error message is logged.
• If the VLAN on the AP is configured using the WLAN-VLAN mapping, the AP configuration of the ACL is applied.
• If the VLAN is configured using the FlexConnect group, the ACL configured on the FlexConnect group is applied.
• If the same VLAN is configured on the FlexConnect group and also at the AP, the AP configuration with its ACL takes precedence.
• If there is no slot for a new VLAN from the WLAN-VLAN mapping, the latest FlexConnect group VLAN is replaced.
• If the VLAN that was returned from the AAA is not present on the AP, the client falls back to the default VLAN configured for the WLAN.
• AAA for locally switched clients only supports VLAN overrides.
• AAA Override for FlexConnect is supported through IETF parameters in the ACS. The following parameters must be configured with the specified values as defined below for a user:
  – [064] Tunnel-Type : Tag 1, value VLAN
  – [065] Tunnel-Medium-Type : Tag 1, value 802
  – [081] Tunnel-Private-Group-ID : Tag 1, value: overridden VLAN ID
• Dynamic VLAN assignment is not supported for web authentication from a controller with ACS.

Hope this helps. It's available in the config guide.

Hello, William

"Sounds like your Radius server is returning the attribute but your AP may not be aware of the VLAN in question."

The VLAN is configured on the AP via FlexConnect Group. Also FlexConnect VLAN Template is configured.

The problem only exists when the RADIUS server is configured to return the VLAN NAME instead of the VLAN ID and the AP is in FlexConnect mode with Central Switching (in this case AAA override works with the VLAN NAME), but when the AP loses its connection to the WLC (and starts to authenticate locally), the AP is not aware of the VLAN name to ID mapping, and therefore it puts the client on the default VLAN.

These errors are shown when the AP initially joins the FlexConnect Group configured with the FlexConnect VLAN Template. I think this is the main reason the AP is not aware of the VLAN name to ID mapping, and therefore it can't override the VLAN when it authenticates users by itself (Local Auth).

We use VLAN IDs instead of VLAN NAMES for the 'Tunnel-Private-Group-ID' attribute as a workaround for this issue.

TLV-DEC-ERR: can not process TLV for TLV_FLEX_VLAN_NAME_ID_MAPPING_PAYLOAD (591/0)
TLV-DEC-ERR: No CB for TLV_FLEX_VLAN_NAME_ID_MAPPING_PAYLOAD (591)
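The following Python script is an added example and is not code from the thread or from Cisco; it models the two points the thread makes: the three IETF tunnel attributes the config guide excerpt lists for AAA override, and the fallback the second reply describes, where an AP that has no VLAN name-to-ID mapping (local authentication after losing the WLC) can honour a numeric Tunnel-Private-Group-ID but not a VLAN name. The attribute encoding follows RFC 2868 (tagged tunnel attributes; Tunnel-Type 13 = VLAN, Tunnel-Medium-Type 6 = IEEE 802); the AP VLAN slot table, the VLAN numbers and names, and the resolution logic are constructed for illustration and are an assumption about how the behaviour in the thread plays out, not the WLC's actual implementation.

```python
# Added example: RADIUS tunnel attributes for VLAN override, and a model of how an
# AP with or without a VLAN name-to-ID mapping resolves the returned value.
# Attribute numbers and integer values are from RFC 2868; the AP model is constructed.

TUNNEL_TYPE = 64                # [064] Tunnel-Type
TUNNEL_MEDIUM_TYPE = 65         # [065] Tunnel-Medium-Type
TUNNEL_PRIVATE_GROUP_ID = 81    # [081] Tunnel-Private-Group-ID
TUNNEL_TYPE_VLAN = 13           # Tunnel-Type value "VLAN"
TUNNEL_MEDIUM_IEEE_802 = 6      # Tunnel-Medium-Type value "802"


def encode_tunnel_int(attr_type, tag, value):
    """Tagged 3-byte integer tunnel attribute: type, length, tag, value."""
    body = bytes([tag]) + value.to_bytes(3, "big")
    return bytes([attr_type, 2 + len(body)]) + body


def encode_tunnel_string(attr_type, tag, value):
    """Tagged string tunnel attribute: type, length, tag, string bytes."""
    body = bytes([tag]) + value.encode()
    return bytes([attr_type, 2 + len(body)]) + body


def build_vlan_override(group_id, tag=1):
    """Build the three attributes the config guide lists, all with Tag 1."""
    return (encode_tunnel_int(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
            + encode_tunnel_int(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_IEEE_802)
            + encode_tunnel_string(TUNNEL_PRIVATE_GROUP_ID, tag, group_id))


def decode_attributes(data):
    """Split a RADIUS attribute blob into (type, value) pairs, rejecting bad lengths."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, data[i + 2:i + length]))
        i += length
    return attrs


def parse_vlan_override(attrs):
    """Return the Tunnel-Private-Group-ID string only if Tunnel-Type is VLAN and
    Tunnel-Medium-Type is 802; otherwise there is no usable VLAN override."""
    tunnel_type = tunnel_medium = group = None
    for attr_type, value in attrs:
        if attr_type == TUNNEL_TYPE:
            tunnel_type = int.from_bytes(value[1:], "big")
        elif attr_type == TUNNEL_MEDIUM_TYPE:
            tunnel_medium = int.from_bytes(value[1:], "big")
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
            # RFC 2868: a leading byte 0x00-0x1F is a tag; otherwise the whole field is the string
            group = (value[1:] if value[0] <= 0x1F else value).decode()
    if tunnel_type == TUNNEL_TYPE_VLAN and tunnel_medium == TUNNEL_MEDIUM_IEEE_802:
        return group
    return None


def ap_vlan_table(wlan_vlans, flex_group_vlans, max_slots=16):
    """Constructed model of the AP's VLAN slots: WLAN-VLAN mappings first, then the
    FlexConnect group VLANs in configured order, until the 16 slots are full.
    Returns (set of VLAN IDs on the AP, list of group VLANs that did not fit)."""
    slots, dropped = [], []
    for vid in list(wlan_vlans) + list(flex_group_vlans):
        if vid in slots:
            continue
        if len(slots) >= max_slots:
            dropped.append(vid)  # the guide says an error is logged in this case
            continue
        slots.append(vid)
    return set(slots), dropped


def resolve_client_vlan(group, ap_vlans, name_to_id, default_vlan):
    """Decide which VLAN the client lands on. name_to_id is the AP's VLAN name-to-ID
    mapping; it is empty in the locally-authenticating case the thread describes."""
    if group is None:
        return default_vlan, "no override"
    if group.isdigit():
        vid = int(group)
        if vid in ap_vlans:
            return vid, "override by id"
        return default_vlan, "fallback: VLAN id not present on AP"
    vid = name_to_id.get(group)
    if vid is not None and vid in ap_vlans:
        return vid, "override by name"
    return default_vlan, "fallback: VLAN name unknown to AP"


if __name__ == "__main__":
    ap_vlans, _ = ap_vlan_table([10], [20, 30])   # constructed AP: WLAN VLAN 10, group VLANs 20, 30
    for returned in ("20", "Staff"):
        group = parse_vlan_override(decode_attributes(build_vlan_override(returned)))
        print(returned, "central:", resolve_client_vlan(group, ap_vlans, {"Staff": 20}, 10))
        print(returned, "local auth:", resolve_client_vlan(group, ap_vlans, {}, 10))
```

Running the block shows the asymmetry from the thread: with a numeric Tunnel-Private-Group-ID the client reaches VLAN 20 whether or not the AP has a name mapping, while a name only resolves when the mapping is present and otherwise falls back to the WLAN's default VLAN 10.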
