Cisco WLC5508 Dynamic VLAN assignment error

Mark Massheder
Level 1

Hi All,

We have an HA (SSO) WLC controller pair in two DCs with the Management Interface managing the APs. The APs are located in the Campus LAN and the Campus and DC networks are separated by a L3 boundary.

The plan is for one of the WLANs to provide Dynamic VLAN Assignment via RADIUS. As a test I wanted to use the existing Management interface to bind to the WLAN, but while working through Document ID: 71683 one thing I noticed is that the document states that "it is required that the VLAN-ID configured under the IETF 81 (Tunnel-Private-Group-ID) field of the RADIUS server exist on the WLC"

If the above statement is true and we don't stretch VLANs between the Campus LAN and the DC network due to the L3 boundary, does this mean that Dynamic VLAN assignment won't be achievable?  When testing a client connection and debugging the result I receive the following:

*radiusTransportThread: Jan 15 13:26:23.115: [PA] 10:40:f3:84:a2:2a [BE-resp] AAA response 'Success'
*radiusTransportThread: Jan 15 13:26:23.115: [PA] 10:40:f3:84:a2:2a [BE-resp] Returning AAA response
*radiusTransportThread: Jan 15 13:26:23.115: [PA] 10:40:f3:84:a2:2a AAA Message 'Success' received for mobile 10:40:f3:84:a2:2a
*Dot1x_NW_MsgTask_2: Jan 15 13:26:23.115: [PA] 10:40:f3:84:a2:2a processing avps[0]: attribute 11, vendorId 0, valueLen 11
*Dot1x_NW_MsgTask_2: Jan 15 13:26:23.115: [PA] 10:40:f3:84:a2:2a processing avps[1]: attribute 64, vendorId 0, valueLen 4
*Dot1x_NW_MsgTask_2: Jan 15 13:26:23.115: [PA] 10:40:f3:84:a2:2a processing avps[2]: attribute 65, vendorId 0, valueLen 4
*Dot1x_NW_MsgTask_2: Jan 15 13:26:23.115: [PA] 10:40:f3:84:a2:2a processing avps[3]: attribute 81, vendorId 0, valueLen 2
*Dot1x_NW_MsgTask_2: Jan 15 13:26:23.115: [PA] 10:40:f3:84:a2:2a processing avps[4]: attribute 8, vendorId 0, valueLen 4
*Dot1x_NW_MsgTask_2: Jan 15 13:26:23.115: [PA] 10:40:f3:84:a2:2a processing avps[5]: attribute 79, vendorId 0, valueLen 40
*Dot1x_NW_MsgTask_2: Jan 15 13:26:23.115: [PA] 10:40:f3:84:a2:2a Received EAP Attribute (code=2, length=40,id=64) for mobile 10:40:f3:84:a2:2a
*Dot1x_NW_MsgTask_2: Jan 15 13:26:23.115: [PA] 00000000: xxxxxx
*Dot1x_NW_MsgTask_2: Jan 15 13:26:23.115: [PA] 00000010: xxxxxx
*Dot1x_NW_MsgTask_2: Jan 15 13:26:23.115: [PA] 00000020: xxxxxx
*Dot1x_NW_MsgTask_2: Jan 15 13:26:23.115: [PA] 10:40:f3:84:a2:2a processing avps[6]: attribute 1, vendorId 9, valueLen 16
*Dot1x_NW_MsgTask_2: Jan 15 13:26:23.115: [PA] 10:40:f3:84:a2:2a processing avps[7]: attribute 25, vendorId 0, valueLen 25
*Dot1x_NW_MsgTask_2: Jan 15 13:26:23.115: [PA] 10:40:f3:84:a2:2a processing avps[8]: attribute 80, vendorId 0, valueLen 16
*Dot1x_NW_MsgTask_2: Jan 15 13:26:23.115: [PA] 10:40:f3:84:a2:2a AAA override: Dot1x Authentication PMIP Client AAA Override Enable
*Dot1x_NW_MsgTask_2: Jan 15 13:26:23.115: [PA] 10:40:f3:84:a2:2a AAA override: Dot1x Authentication, default MPC configuration
*Dot1x_NW_MsgTask_2: Jan 15 13:26:23.115: [PA] 10:40:f3:84:a2:2a Tunnel-Type 16777229 should be 13 for STA 10:40:f3:84:a2:2a
*Dot1x_NW_MsgTask_2: Jan 15 13:26:23.116: [PA] 10:40:f3:84:a2:2a Tunnel-Group-Id 9 is not a valid VLAN ID for STA 10:40:f3:84:a2:2a
*Dot1x_NW_MsgTask_2: Jan 15 13:26:23.116: [PA] 10:40:f3:84:a2:2a Received Session Key from AAA Server for STA 10:40:f3:84:a2:2a.
 

I've sanitised some of the debug output to protect the username, but the net result is that no IP address is assigned to the client and it is unable to connect to the network.

Would appreciate any guidance as to whether the Wireless Client VLANs need to be interfaces on the WLC in order to work or whether the likes of FlexConnect could alleviate the L3 boundary?

Thanks in advance.

Kind regards,

Mark

 

 

 

1 Reply 1

Mark Massheder
Level 1

Hi All,

After playing with FlexConnect I managed to get the dynamic VLAN assignment working.

Need to create the FlexConnect Group, add the APs to the group, and then select the ACL Mapping tab > AAA VLAN-ACL mapping and add in the VLAN that my Tunnel-Group-ID (VLAN ID) had assigned to me.

Client connected and received the correct IP configuration.

Thanks

Mark
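
The two AAA override errors in the debug output from the question can be pulled out and decoded with a short script. This is an added example, not part of the original thread or any Cisco tool. The `known_vlans` set is an assumption standing in for the VLAN IDs defined as WLC interfaces or in the FlexConnect group's AAA VLAN-ACL mapping. It also shows that 16777229 is 0x0100000D, which under the RFC 2868 tagged encoding of Tunnel-Type is tag 1 with value 13 (VLAN).

```python
import re

# Sample input: three lines taken from the debug output in the question.
SAMPLE = """\
*Dot1x_NW_MsgTask_2: Jan 15 13:26:23.115: [PA] 10:40:f3:84:a2:2a processing avps[3]: attribute 81, vendorId 0, valueLen 2
*Dot1x_NW_MsgTask_2: Jan 15 13:26:23.115: [PA] 10:40:f3:84:a2:2a Tunnel-Type 16777229 should be 13 for STA 10:40:f3:84:a2:2a
*Dot1x_NW_MsgTask_2: Jan 15 13:26:23.116: [PA] 10:40:f3:84:a2:2a Tunnel-Group-Id 9 is not a valid VLAN ID for STA 10:40:f3:84:a2:2a
"""

TUNNEL_TYPE_VLAN = 13  # Tunnel-Type value for VLAN (RFC 2868 / RFC 3580)
TYPE_RE = re.compile(r"Tunnel-Type (\d+) should be (\d+) for STA ([0-9a-f:]{17})")
VLAN_RE = re.compile(r"Tunnel-Group-Id (\S+) is not a valid VLAN ID for STA ([0-9a-f:]{17})")


def split_tagged(raw):
    """Split a 32-bit tagged tunnel integer into (tag octet, 24-bit value)."""
    return raw >> 24, raw & 0xFFFFFF


def triage(log_text, known_vlans):
    """Return {client MAC: findings} for the AAA override error lines."""
    findings = {}
    for line in log_text.splitlines():
        m = TYPE_RE.search(line)
        if m:
            tag, value = split_tagged(int(m.group(1)))
            f = findings.setdefault(m.group(3), {})
            f["tunnel_tag"] = tag
            f["tunnel_type"] = value
            # With the tag octet removed, did the RADIUS server send VLAN (13)?
            f["type_is_vlan"] = value == TUNNEL_TYPE_VLAN
        m = VLAN_RE.search(line)
        if m:
            f = findings.setdefault(m.group(2), {})
            f["vlan"] = m.group(1)
            # Compare the returned VLAN ID with what is locally defined.
            f["vlan_known"] = m.group(1).isdigit() and int(m.group(1)) in known_vlans
    return findings


if __name__ == "__main__":
    # known_vlans is an assumed, constructed set of locally defined VLAN IDs.
    for mac, f in triage(SAMPLE, known_vlans={10, 20}).items():
        print(mac, f)
```
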

 
