Re: Cisco WAP371 with Dynamic VLANs

larry.olson@state.mn.us · ‎02-04-2019

Not sure if this is possible but we are currently running 5 WAP371's in cluster setup mode, using 802.1x and a Microsoft NPS/Radius server the laptops currently connect fine to a single VLAN. we are now trying to segment the users and use Dynamic VLANS. I added a new policy with IETF 64 (Tunnel Type)—Set this to VLAN, IETF 65 (Tunnel Medium Type)—Set this to 802 and IETF 81 (Tunnel Private Group ID)—Set this to VLAN ID. to the RADIUS server however it never gets a DHCP address for the second VLAN. other computers connecting to the original VLAN still get an address and work. I see from the NPS/Radius logs they are hitting the right policy to get the VLAN assigned and the port on the WAP is trunked. I see in the WAP manual it references this in the VAP configuration "use a RADIUS server to assign a wireless client to a VLAN" So it sounds like you can do it. Am I missing something or can it not be done?

Haydn Andrews · ‎02-04-2019

Take it a few things are configured:

VLANs are available to the ports required and trunked through the network, and SVIs have DHCP server local to VLAN or IP Helper.

From the WLAN you have AAA override enabled and the VLAN details coming back are mapped correct.

Good reference document on Dynamic VLAN assignment for wireless here: https://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-vlan/71683-dynamicvlan-config.html#backinfo

If you under the client, is it showing it being assigned to the correct VLAN? If it is being assigned to the correct VLAN, then you will need to make sure that that VLAN can reach the DHCP server.

If you do not have DHCP required, does the client work if you set a manual IP in that VLAN and ping its default gateway and off subnet? If so can you ping the DHCP server?

*****Help out other by using the rating system and marking answered questions as "Answered"*****
*** Please rate helpful posts ***