Hi Experts,
We are testing FlexConnect + local switching + AAA override and are having trouble with dynamic VLANs.
*Dot1x_NW_MsgTask_6: Apr 03 01:38:55.669: 88:e9:fe:7f:1a:6e Username entry (EAP-TLS.v_jymeng) created for mobile, length = 253
*Dot1x_NW_MsgTask_6: Apr 03 01:38:55.669: 88:e9:fe:7f:1a:6e Username entry (EAP-TLS.v_jymeng) created in mscb for mobile, length = 253
*Dot1x_NW_MsgTask_6: Apr 03 01:38:55.669: 88:e9:fe:7f:1a:6e Assigned interface 'officewifi-vlan25' from interface group 'hnsty-officewifi-vlan25' for the client
*Dot1x_NW_MsgTask_6: Apr 03 01:38:55.669: 88:e9:fe:7f:1a:6e Found an interface name:'officewifi-vlan25' for interface group name received: hnsty-officewifi-vlan25
*Dot1x_NW_MsgTask_6: Apr 03 01:38:55.669: 88:e9:fe:7f:1a:6e Applying new AAA override for station 88:e9:fe:7f:1a:6e
*Dot1x_NW_MsgTask_6: Apr 03 01:38:55.669: 88:e9:fe:7f:1a:6e Override values for station 88:e9:fe:7f:1a:6e
source: 4, valid bits: 0x200
qosLevel: -1, dscp: 0xffffffff, dot1pTag: 0xffffffff, sessionTimeout: -1
*Dot1x_NW_MsgTask_6: Apr 03 01:38:55.669: 88:e9:fe:7f:1a:6e Override values (cont..) dataAvgC: -1, rTAvgC: -1, dataBurstC: -1, rTimeBurstC: -1
vlanIfName: 'hnsty-officewifi-vlan25', vlanId:0, aclName: ', ipv6AclName: , avcProfile
*Dot1x_NW_MsgTask_6: Apr 03 01:38:55.669: 88:e9:fe:7f:1a:6e Applying Fabric vnid override for client 88:e9:fe:7f:1a:6e, client->reap 22 ,over bits 0,isover FALSE
*Dot1x_NW_MsgTask_6: Apr 03 01:38:55.669: 88:e9:fe:7f:1a:6e Applying Interface(test-vlan36) policy on Mobile, role Unassociated. Ms NAC State 2 Quarantine Vlan 0 Access Vlan 11
The RADIUS server authorizes the client with an interface-group-name. The client should be put into VLAN 25, but suddenly, it is quarantined in mgmt VLAN 11.
I wonder if FlexConnect mode supports RADIUS Airespace attributes? I have read the configuration guide but didn't find the restriction.
Sorry for the delayed response.
Flex mode does support Airespace RADIUS attributes. But I forgot to configure the FlexConnect template. It is necessary for VLAN Name Override to map the VLAN name (interface name) to a VLAN ID in the template.
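As an added example (not part of the original thread and not Cisco code), the check below reads `debug client` output in the format pasted in the question and flags a client whose AAA-selected interface differs from the interface actually applied. The line format is assumed from the lines quoted above, and treating `vlanId:0` next to a VLAN name as a sign of a missing name-to-ID mapping is an assumption drawn from the accepted answer.

```python
import re

# Debug lines copied from the question above (only the lines the check reads).
SAMPLE = """\
*Dot1x_NW_MsgTask_6: Apr 03 01:38:55.669: 88:e9:fe:7f:1a:6e Assigned interface 'officewifi-vlan25' from interface group 'hnsty-officewifi-vlan25' for the client
*Dot1x_NW_MsgTask_6: Apr 03 01:38:55.669: 88:e9:fe:7f:1a:6e Override values (cont..) dataAvgC: -1, rTAvgC: -1, dataBurstC: -1, rTimeBurstC: -1
vlanIfName: 'hnsty-officewifi-vlan25', vlanId:0, aclName: ', ipv6AclName: , avcProfile
*Dot1x_NW_MsgTask_6: Apr 03 01:38:55.669: 88:e9:fe:7f:1a:6e Applying Interface(test-vlan36) policy on Mobile, role Unassociated. Ms NAC State 2 Quarantine Vlan 0 Access Vlan 11
"""

# "*Task: timestamp: <client MAC> message" (format assumed from the post)
PREFIX = re.compile(r"^\*\S+: .*?: (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) (?P<msg>.*)$", re.I)
ASSIGNED = re.compile(r"Assigned interface '([^']+)'")
OVERRIDE = re.compile(r"vlanIfName: '([^']*)', vlanId:\s*(\d+)")
APPLIED = re.compile(r"Applying Interface\(([^)]+)\) policy.*Access Vlan (\d+)")

def parse(text):
    """Collect per-client AAA override and applied-interface fields."""
    clients, current = {}, None
    for line in text.splitlines():
        m = PREFIX.match(line)
        if m:
            current, msg = m["mac"].lower(), m["msg"]
        else:
            msg = line  # continuation line: belongs to the previous client line
        if current is None:
            continue
        rec = clients.setdefault(current, {})
        if a := ASSIGNED.search(msg):
            rec["aaa_interface"] = a[1]
        if o := OVERRIDE.search(msg):
            rec["override_name"], rec["override_vlan_id"] = o[1], int(o[2])
        if p := APPLIED.search(msg):
            rec["applied_interface"], rec["access_vlan"] = p[1], int(p[2])
    return clients

def findings(clients):
    """Return (mac, message) pairs for overrides that did not take effect."""
    out = []
    for mac, r in clients.items():
        if r.get("override_name") and r.get("override_vlan_id") == 0:
            out.append((mac, f"override name {r['override_name']!r} has vlanId 0"))
        if r.get("aaa_interface") and r.get("applied_interface") \
                and r["aaa_interface"] != r["applied_interface"]:
            out.append((mac, f"AAA selected {r['aaa_interface']} but "
                             f"{r['applied_interface']} (access VLAN {r['access_vlan']}) was applied"))
    return out

if __name__ == "__main__":
    for mac, msg in findings(parse(SAMPLE)):
        print(mac, msg)
```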
Hi
I don't believe this is related to FlexConnect, but it is easier to verify. You can change your mode to local mode and see if this problem goes away.
Take a look at the WLAN Advanced tab, and make sure "aaa override" is checked.
-If I helped you somehow, please, rate it as useful.-
Good video on how to do this here https://www.youtube.com/watch?v=l8b8SCdphJo
Details in this guide as well: https://www.cisco.com/c/en/us/support/docs/wireless/flex-7500-series-wireless-controllers/112973-flex7500-wbc-guide-00.html#override
RADIUS attributes needed:
Tunnel-Private-Group-ID=VLANID
Tunnel-Type=VLAN
Tunnel-Medium-Type=802
WLAN Config Required:
AAA override enabled
Flexconnect local switching
AP Config:
Must be in Flexconnect mode, with VLAN Support enabled
Flexconnect Group Config:
Native VLAN defined
AAA VLAN-ACL Mapping with the VLAN you want to override to in it (don't worry about defining the ACLs)
Switch Config:
VLAN must be allowed on the AP trunk port.
Limitations:
A maximum of 16 VLANs can be configured per AP (including non-override WLAN VLANs)