Buy or Renew
Buy or Renew
Cisco Virtual Engineer generative AI bot now active in Wireless Discussion Forum. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
812
Views
0
Helpful
3
Replies

Does Flex Connect mode support Radius Airespace attributes?

Go to solution
Cheng
Cisco Employee
Cisco Employee

‎04-07-2020 06:19 AM - edited ‎07-05-2021 11:55 AM

Hi Experts,

 

We are testing flex connect + local switching + AAA override and having trouble in dynamic VLAN.

 

*Dot1x_NW_MsgTask_6: Apr 03 01:38:55.669: 88:e9:fe:7f:1a:6e Username entry (EAP-TLS.v_jymeng) created for mobile, length = 253
*Dot1x_NW_MsgTask_6: Apr 03 01:38:55.669: 88:e9:fe:7f:1a:6e Username entry (EAP-TLS.v_jymeng) created in mscb for mobile, length = 253
*Dot1x_NW_MsgTask_6: Apr 03 01:38:55.669: 88:e9:fe:7f:1a:6e Assigned interface 'officewifi-vlan25' from interface group 'hnsty-officewifi-vlan25' for the client
*Dot1x_NW_MsgTask_6: Apr 03 01:38:55.669: 88:e9:fe:7f:1a:6e Found an interface name:'officewifi-vlan25' for interface group name received: hnsty-officewifi-vlan25
*Dot1x_NW_MsgTask_6: Apr 03 01:38:55.669: 88:e9:fe:7f:1a:6e Applying new AAA override for station 88:e9:fe:7f:1a:6e
*Dot1x_NW_MsgTask_6: Apr 03 01:38:55.669: 88:e9:fe:7f:1a:6e Override values for station 88:e9:fe:7f:1a:6e
                                                                                                                source: 4, valid bits: 0x200
        qosLevel: -1, dscp: 0xffffffff, dot1pTag: 0xffffffff, sessionTimeout: -1

*Dot1x_NW_MsgTask_6: Apr 03 01:38:55.669: 88:e9:fe:7f:1a:6e Override values (cont..) dataAvgC: -1, rTAvgC: -1, dataBurstC: -1, rTimeBurstC: -1
                                                                                                                                                vlanIfName: 'hnsty-officewifi-vlan25', vlanId:0, aclName: ', ipv6AclName: , avcProfile
*Dot1x_NW_MsgTask_6: Apr 03 01:38:55.669: 88:e9:fe:7f:1a:6e  Applying Fabric vnid override for client 88:e9:fe:7f:1a:6e, client->reap 22 ,over bits 0,isover FALSE
*Dot1x_NW_MsgTask_6: Apr 03 01:38:55.669: 88:e9:fe:7f:1a:6e Applying Interface(test-vlan36) policy on Mobile, role Unassociated. Ms NAC State 2 Quarantine Vlan 0 Access Vlan 11

 

Radius server authorizes the client with an interface-group-name. The client should be put into VLAN 25, but suddenly, it is quarantined in mgmt VLAN 11.

 

I wonder if flex connect mode supports radius airspace attributes? I have read the configuration guide but didn't find the restriction.

https://www.cisco.com/c/en/us/td/docs/wireless/controller/8-10/config-guide/b_cg810/flexconnect_security.html#ID1821

 

 

 

 

 

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Cheng
Cisco Employee
Cisco Employee

‎04-17-2020 05:14 AM

Sorry for the delayed response.

 

Flex mode does support airespace radius attributes. But I forgot to config flexconnect template. It is necessary for VLAN Name Override to map vlan name (interface name) to vlan id in the template.

View solution in original post

0 Helpful
3 Replies 3

Go to solution
Flavio Miranda
VIP
VIP

‎04-07-2020 06:44 AM

Hi

 I dont believe this is related to flexconnect but it is easier to verify. You can change your mode to local mode and see if this problem goes away. 

 Take a look on the WLAN Advanced tab, and make sure "aaa override" is checked. 

 

 

-If I helped you somehow, please, rate it as useful.-

0 Helpful

Go to solution
Haydn Andrews
VIP Alumni
VIP Alumni

‎04-07-2020 03:36 PM

Good video on how to do this here https://www.youtube.com/watch?v=l8b8SCdphJo 

Details in this guide as well: https://www.cisco.com/c/en/us/support/docs/wireless/flex-7500-series-wireless-controllers/112973-flex7500-wbc-guide-00.html#override

 

Radius attribute needed:

Tunnel-Private-Group-ID=VLANID

Tunnel-Type=VLAN

Tunnel-Medium-Type=802

 

WLAN Config Required:

AAA override enabled

Flexconnect local switching

 

AP Config:

Must be in Flexconnect mode, with VLAN Support enabled

 

Flexconnect Group Config:

Native VLAN defined

AAA VLAN-ACL Mapping with the VLAN you want to override to in it (don't worry about defining the ACLs)

 

Switch Config:

VLAN must be allowed on the AP trunk port.

 

Limitations:

A maximum of 16 VLANs can be configured in per-AP (including non-override WLAN VLANs)

 

*****Help out other by using the rating system and marking answered questions as "Answered"*****
*** Please rate helpful posts ***
0 Helpful

Go to solution
Cheng
Cisco Employee
Cisco Employee

‎04-17-2020 05:14 AM

Sorry for the delayed response.

 

Flex mode does support airespace radius attributes. But I forgot to config flexconnect template. It is necessary for VLAN Name Override to map vlan name (interface name) to vlan id in the template.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card