cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
9784
Views
0
Helpful
14
Replies

Aironet AP's 802.1x assigned VLAN's?

grahamroque
Level 1
Level 1

Hi all,

I was wondering does CISCO sell any standalone access-points that supports 802.1x assigned VLAN(s)? Basically I want to create one SSID (ie: GCORP) and have all users connect to that SSID for wireless connectivity. So if Joe connects to GCORP and he is part of Marketing he will get tagged with a VLAN ID 10 and if Jane from Sales connects she will get tagged with VLAN ID 20. I am trying to avoid multiple SSID's per VLAN is there any possible way to do this with a standalone access point?

Thanks for the replies

Cheers

14 Replies 14

jim.wenszell
Level 1
Level 1

I am trying to accomplish the same thing...

I purchased an Aironet 1252...

It is supposed to be able to allow multiple SSIDs over the wireless...

but I have not as yet been able to get it to work.

I am working with a single 1252 using IOS based.

I will reply with the config...

If / when I get it working.

Michael Adler
Cisco Employee
Cisco Employee

Yes, Cisco stand alone or autonomous APs do support VLAN assignment per SSID. You can create up to 16 SSIDs and assigned them to VLANs.

Also we support 802.1x assigned VLAN, but for that you would need additional RADIUS server like Cisco ACS where users san be assigned to a specific SSID/VLAN based on their authentication credentials.

Mike

Thanks for the reply Miadler,

I just want to verify that one more time. I am using Microsoft IAS as my Radius server. I got 802.1x dynamic VLAN(s) to work with my Catalyst 2950 it works like a charm! now I am planning on purchasing a Aironet 1231G create a hotspot and call it G networks and enable dot1x dynamic VLAN(s) on that.

I googled this topic before posting on this discussion board the only results I come up with in regards to dot1x wireless VLAN(s) is by purchasing a wireless network controller (WLC2006). Now I dont have 1000$ to blow and I only need 2 access points. I just want to know can a Aironet 1200 series access point handle dynamic VLAN(s) without a network controller?

Thanks Miadler

You can setup autonomous AP with 802.1x authntication and VLANs or you can also get a small 526 controller that supports up to 12AP and have basically most functionality as on the 2100 or 4400 series controllers and get the Dynamic VLAN functionality.

Mike

Thanks Miadler,

So to configure dynamic VLAN(s) I need a Cisco WLAN controller I can't buy a standalone aironet 1231G and configure dynamic VLAN(s)? The thing is my office only needs one access point I am cool with spending 400 dollars for an aironet but not 2000ish for a complete wireless solution with only one AP. I know the HP wireless access point have this feature since we are talking about Csco I thought that a Cisco aironet product would out perform an HP access point.

betacomsvc
Level 1
Level 1

so the final answer for the original question (assigning dynamic VLANs through Radius to the standalone AP) is still not given ... is it possible or not?

from my tests it seems it is not possible despite the fact that the proper parameters are returned back in the radius access-accept message.

Hi Betacomsvc,

I got the Radius Assigned VLAN(s) to work without any problems using a standalone access point. Unfortunatley I lost the configuration but you need to upgrade the firmware (I would Google it) and then just follow the procedures.

I got it working a couple of months ago. I sold my access point and lost all my configuration but trust me it CAN be done! 

betacomsvc
Level 1
Level 1

Hi Graham,

Well .. my config is not very complicated. I am able to do everything - I mean ... connect to the every possible SSID network advertised by my AP (1121G) {MBSSID is used) but the only thing which is not working is vlan assignment. As I wrote before, user is properly authenticated through a policy on IAS, the correct attributes are returned back by IAS (tunnel-*) but the vlan is not assigned to the user.

I tried to add "aaa authorization network default group radius" to the AP config (that part is not even mentioned in the config guide of the AP's software) but with no luck. I am using 123-8.JEC3.

cheers,

bsvc

betacomsvc
Level 1
Level 1

Graham,

In my networking environment dynamic vlan assignement also works very well for the wired network. MS IAS is doing its job very well. For the wireless network situation is different. The correct attributes are returned but the AP doesn't enforce the policy and it doesn't assign VLANs dynamically to the user (who is sucessfully authenticated).

  • IETF 64 (Tunnel Type)—Set this to VLAN.

  • IETF 65 (Tunnel Medium Type)—Set this to 802

  • IETF 81 (Tunnel Private Group ID)—Set this to VLAN ID.

The above are the only attributes IAS is returning back to AP (in the access-accept message). The strange behaviour I saw was the fact that I had to set VLAN ID as a hex value in the IAS (if it is set as a string then AP is having problem and the user is not getting IP at all).

Can you remember the same issue on your IAS? How did your AP config looked like in relation to aaa? Did you set aaa authorization network?

What about aaa authentication dot1x?

cheers,

bsvc

Hi I attached my config below I am using firmware c1200-k9w7-mx.123-8.JEB.

I haven't got the time to clean up the configuration but this is how it works. When from different VLAN(s) log into the SSID: Wireless they get tagged with their appropriate VLAN10. IE When a user from VLAN10 authenticates to the wireless SSID he/she will get tagged with a VLAN ID of 10 and then re-assigns her to the SSID: VLAN10, which is not broadcasted.

I am sure you can do this configuration with only the SSID: Wireless VLAN and not have any other VLAN(s) behind it but I haven't got the time to clean up my configuration.

On this setup I used a Cisco 1231 series AP, 2950 switch and a 2621 router. The AP is connected to port 23 on the switch, which is configured as a trunk port and the Radius server connects to port 17 on the switch and belongs to the server VLAN.

I am using Microsoft IAS as my Radius server.

I hope this helps.

Cheers

“Thank you for your question.  This community is for Cisco Small Business products and your question is in reference to a Cisco Elite/Classic product.  Please post your question in the Cisco NetPro forums located here: http://forums.cisco.com/eforum/servlet/NetProf?page=main  This forum has subject matter experts on Cisco Elite/Classic products that may be able to answer your question.”

HI Graham,

Thank you for your reply. The only thing I don't understand are these sentences:

"When from different VLAN(s) log into the SSID: Wireless they get tagged with their appropriate VLAN10. IE When a user from VLAN10 authenticates to the wireless SSID he/she will get tagged with a VLAN ID of 10 and then re-assigns her to the SSID: VLAN10, which is not broadcasted."

According to your config SSID Wireless is Vlan62. This SSID is the only one which is visible (mbssid guest-mode). Based on that I think your words should be written like this:

"When from different VLAN(s) log into the SSID: Wireless at first they get tagged with SSID 62 (static mapping on the AP). So when a user from VLAN10 authenticates to the Wireless SSID he/she will get tagged with a VLAN ID of 62 (at first) and then (after successful authentication and authorization) re-assigns her to the SSID: VLAN10, which is not broadcasted."

Is my understanding of your last post correct?

cheers,

bsvc

DJGunni86
Level 1
Level 1

I am so close to getting this working....

My MS RADIUS is supplying my 1240 APs with a string value that matches a

dot11 vlan-name

and i can see with wireshark, SPAN sessions and such that when my client broadcasts for an address the request is received by my 3560 switch running as a dhcp server on the correct interface vlan.

and the switch replies, and sends the reply out the interface where my AP is connected via a trunk interface, but the reply never reaches my client..

I feel this is a misconfiguration on the AP and feel i am extremely close..

same happens if i assign an address statically to client and ping the switch's vlan interface ip, l3 switch receives arp request, sends response out interface to AP, client never receives response..

here's my APs configuration:

DJGunni86
Level 1
Level 1

TADA! after dumping mbssid my config worked

that is no mbssid under int dot11r0 and no mbssid guest-mode

so only one visible ssid.

According to the guy who pointed me in this direction he mentioned that this was for some reason a 'known' incompatibility issue. Which is interesting given that it is completely impossible to find a step-by-step or guide of some sort for IBNS with autonomous cisco APs on cisco's site, let alone anywhere at all.......

Review Cisco Networking for a $25 gift card