01-24-2012 10:58 AM - edited 07-03-2021 09:26 PM
Hello,
I'm planning a deployment with the following:
5508 WLC running 7.0.222.0
NCS 1.0.2.29
50+ 3502i APs
Windows 2008 R2 running NPS
EAP-TLS for authentication
The end goal is to have a single SSID and utilize NPS to dynamically assign VLANs depending on role/group.
I've read several documents that use ACS to complete the dynamic VLAN assignment (including http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml), however in this case ACS is not available.
My question basically is; do I need ACS to apply the VSA for Cisco Airespace, or can this be done solely with the following IETF attributes using Microsoft NPS and AAA override on the WLC?
[64] Tunnel-Type
[65] Tunnel-Medium-Type
[81] Tunnel-Pvt-Group-ID
Any advice would be greatly appreciated!
Thanks
Labels: Other Wireless Topics

Accepted Solution

01-24-2012 11:00 AM
You don't need to use the Airespace VSA, the IEEE standard 64/65/81 will work.
Steve
------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered
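The attributes Steve refers to are the IETF tunnel attributes from RFC 2868 (Tunnel-Type 64, Tunnel-Medium-Type 65, Tunnel-Private-Group-ID 81); no Cisco Airespace VSA is involved. The following is an added example, not code from the thread, Cisco or Microsoft: it builds the Access-Accept an NPS network policy would return for VLAN 10, verifies it the way a NAS such as the WLC must (Response Authenticator check before any attribute is trusted), and then derives the VLAN only when all three attributes agree and carry the same RFC 2868 tag. The shared secret, packet identifier and Request Authenticator are constructed values; the WLC's matching of Tunnel-Private-Group-ID against the VLAN ID of a dynamic interface is modelled for numeric IDs only.

```python
"""Build, verify and interpret a RADIUS Access-Accept that carries the IETF
(RFC 2868) VLAN attributes 64/65/81. Added example, not code from the thread.
The shared secret, identifier and Request Authenticator are constructed."""
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2                 # RFC 2865 packet code
TUNNEL_TYPE = 64                  # RFC 2868 attribute numbers
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13             # RFC 3580 value of Tunnel-Type
TUNNEL_MEDIUM_IEEE_802 = 6


def tagged_int_avp(attr_type, value, tag=0):
    """RFC 2868 tagged integer: type, length=6, 1-byte tag, 3-byte value."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0x00..0x1F")
    return struct.pack("!BBB", attr_type, 6, tag) + value.to_bytes(3, "big")


def tagged_string_avp(attr_type, text, tag=0):
    """RFC 2868 tagged string: type, length, 1-byte tag, string."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0x00..0x1F")
    payload = bytes([tag]) + text.encode("ascii")
    return struct.pack("!BB", attr_type, 2 + len(payload)) + payload


def vlan_attributes(vlan_id, tag=0):
    """The three attributes an NPS network policy returns for a dynamic VLAN
    (Tunnel-Type=VLAN, Tunnel-Medium-Type=802, Tunnel-Pvt-Group-ID=<vlan>)."""
    return [tagged_int_avp(TUNNEL_TYPE, TUNNEL_TYPE_VLAN, tag),
            tagged_int_avp(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_IEEE_802, tag),
            tagged_string_avp(TUNNEL_PRIVATE_GROUP_ID, str(vlan_id), tag)]


def build_access_accept(identifier, request_authenticator, secret, attributes):
    """RADIUS server side. Response Authenticator (RFC 2865 section 3) is
    MD5(Code | ID | Length | RequestAuth | Attributes | Secret)."""
    body = b"".join(attributes)
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(body))
    resp_auth = hashlib.md5(header + request_authenticator + body + secret).digest()
    return header + resp_auth + body


def parse_attributes(body):
    """Split the attribute area into (type, value) pairs, rejecting bad lengths."""
    attrs, i = [], 0
    while i < len(body):
        if i + 2 > len(body):
            raise ValueError("truncated attribute header")
        attr_type, length = body[i], body[i + 1]
        if length < 2 or i + length > len(body):
            raise ValueError("malformed attribute length")
        attrs.append((attr_type, body[i + 2:i + length]))
        i += length
    return attrs


def verify_access_accept(packet, request_authenticator, secret):
    """NAS (WLC) side: check code, length and Response Authenticator before
    trusting any attribute; returns (identifier, attributes)."""
    if len(packet) < 20:
        raise ValueError("short packet")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet):
        raise ValueError("not a well-formed Access-Accept")
    body = packet[20:]
    expected = hashlib.md5(packet[:4] + request_authenticator + body + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("bad Response Authenticator (wrong secret or tampered)")
    return identifier, parse_attributes(body)


def vlan_from_attributes(attrs):
    """What AAA override needs: Tunnel-Type=VLAN and Tunnel-Medium-Type=802
    carrying the same tag as a numeric Tunnel-Private-Group-ID. Returns the
    VLAN id or None. Only numeric group ids are modelled (assumption)."""
    groups = {}
    for attr_type, value in attrs:
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE) and len(value) == 4:
            groups.setdefault(value[0], {})[attr_type] = int.from_bytes(value[1:], "big")
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID and value:
            # RFC 2868: a leading byte above 0x1F is not a tag but part of the string
            tag, text = (value[0], value[1:]) if value[0] <= 0x1F else (0, value)
            groups.setdefault(tag, {})[attr_type] = text.decode("ascii", "replace")
    for group in groups.values():
        gid = group.get(TUNNEL_PRIVATE_GROUP_ID, "")
        if (group.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and group.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE_802
                and gid.isdigit() and 1 <= int(gid) <= 4094):
            return int(gid)
    return None


if __name__ == "__main__":
    secret, req_auth = b"constructed-shared-secret", bytes(range(16))
    pkt = build_access_accept(4, req_auth, secret, vlan_attributes(10, tag=1))
    ident, attrs = verify_access_accept(pkt, req_auth, secret)
    print("id", ident, "vlan", vlan_from_attributes(attrs))
```

Two points the example makes explicit: an Access-Accept whose Response Authenticator does not verify is discarded before the VLAN is even looked at, so a wrong shared secret never shows up as a VLAN problem; and a Tunnel-Medium-Type other than 802 (or a mismatched tag) leaves the client on the WLAN's default interface even though the server sent a VLAN.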
06-15-2012 10:23 AM
Just to follow up, I've successfully implemented this and the client is happy with the outcome of the project.
Thanks for your help Steve.
09-16-2013 12:19 PM
Hi,
I did exactly what you guys stated and it is still not working.
I have 3 VLANs in the WLC; do I configure 3 SSIDs or 1? I have multiple VLANs.
Please give me some screenshot of the WLC configuration.
Thanks

09-16-2013 03:26 PM
You only need to configure one SSID, and make sure you have AAA override enabled in the WLAN config.
If you are doing 802.1x and have the NPS configured to return those attributes, it should work.
HTH,
Steve
09-19-2013 09:03 AM
Thanks Steve for your quick response.
I did everything as per your recommendation and it still doesn't work.
Do you mind providing me remote assistance? Do you have Skype?
Or do you prefer that I provide you a set of logs? Tell me which ones and I will do so.
SSID: TT
WLC IP: 172.20.252.70
NPS: 172.20.1.16
NPS rule config: Service-Type: NAS-Prompt
Tunnel-Type: VLAN
Tunnel-Pvt-Group-ID: 10
Tunnel-Medium-Type: 802
log WLC:
*radiusTransportThread: Sep 19 12:32:47.841: ****Enter processIncomingMessages: response code=2
*radiusTransportThread: Sep 19 12:32:47.841: ****Enter processRadiusResponse: response code=2
*radiusTransportThread: Sep 19 12:32:47.841: 8c:70:5a:1c:8e:20 Access-Accept received from RADIUS server 172.20.1.16 for mobile 8c:70:5a:1c:8e:20 receiveId = 4
*Dot1x_NW_MsgTask_0: Sep 19 12:32:47.841: 8c:70:5a:1c:8e:20 Processing Access-Accept for mobile 8c:70:5a:1c:8e:20
*Dot1x_NW_MsgTask_0: Sep 19 12:32:47.842: 8c:70:5a:1c:8e:20 Applying new AAA override for station 8c:70:5a:1c:8e:20
*Dot1x_NW_MsgTask_0: Sep 19 12:32:47.842: 8c:70:5a:1c:8e:20 Override values for station 8c:70:5a:1c:8e:20
source: 4, valid bits: 0x200
qosLevel: -1, dscp: 0xffffffff, dot1pTag: 0xffffffff, sessionTimeout: -1
*Dot1x_NW_MsgTask_0: Sep 19 12:32:47.842: 8c:70:5a:1c:8e:20 Override values (cont..) dataAvgC: -1, rTAvgC: -1, dataBurstC: -1, rTimeBurstC: -1
vlanIfName: 'dy-data-ksb1', aclName: ''
*Dot1x_NW_MsgTask_0: Sep 19 12:32:47.842: 8c:70:5a:1c:8e:20 Inserting new RADIUS override into chain for station 8c:70:5a:1c:8e:20
*Dot1x_NW_MsgTask_0: Sep 19 12:32:47.843: 8c:70:5a:1c:8e:20 Override values for station 8c:70:5a:1c:8e:20
source: 4, valid bits: 0x200
qosLevel: -1, dscp: 0xffffffff, dot1pTag: 0xffffffff, sessionTimeout: -1
*Dot1x_NW_MsgTask_0: Sep 19 12:32:47.843: 8c:70:5a:1c:8e:20 Override values (cont..) dataAvgC: -1, rTAvgC: -1, dataBurstC: -1, rTimeBurstC: -1
vlanIfName: 'dy-data-ksb1', aclName: ''
*Dot1x_NW_MsgTask_0: Sep 19 12:32:47.843: 8c:70:5a:1c:8e:20 Applying override policy from source Override Summation:
*Dot1x_NW_MsgTask_0: Sep 19 12:32:47.843: 8c:70:5a:1c:8e:20 Override values for station 8c:70:5a:1c:8e:20
source: 256, valid bits: 0x200
qosLevel: -1, dscp: 0xffffffff, dot1pTag: 0xffffffff, sessionTimeout: -1
*Dot1x_NW_MsgTask_0: Sep 19 12:32:47.843: 8c:70:5a:1c:8e:20 Override values (cont..) dataAvgC: -1, rTAvgC: -1, dataBurstC: -1, rTimeBurstC: -1
vlanIfName: 'dy-data-ksb1', aclName: ''
*Dot1x_NW_MsgTask_0: Sep 19 12:32:47.843: 8c:70:5a:1c:8e:20 Setting re-auth timeout to 1800 seconds, got from WLAN config.
*Dot1x_NW_MsgTask_0: Sep 19 12:32:47.844: 8c:70:5a:1c:8e:20 Station 8c:70:5a:1c:8e:20 setting dot1x reauth timeout = 1800
*Dot1x_NW_MsgTask_0: Sep 19 12:32:47.844: 8c:70:5a:1c:8e:20 Creating a PKC PMKID Cache entry for station 8c:70:5a:1c:8e:20 (RSN 2)
*Dot1x_NW_MsgTask_0: Sep 19 12:32:47.844: 8c:70:5a:1c:8e:20 Adding BSSID 00:1e:be:a7:bf:b6 to PMKID cache for station 8c:70:5a:1c:8e:20
*Dot1x_NW_MsgTask_0: Sep 19 12:32:47.844: New PMKID: (16)
*Dot1x_NW_MsgTask_0: Sep 19 12:32:47.844: [0000] 80 36

09-19-2013 09:21 AM
Can you provide the output of:
show interface summary
HTH,
Steve
09-20-2013 05:05 AM
Hi
Thanks Steve for your quick response.
This is the output of show interface summary; I also give you the config of the WLAN:
Interface Name                   Port Vlan Id  IP Address      Type    Ap Mgr Guest
-------------------------------- ---- -------- --------------- ------- ------ -----
ap-manager                       LAG  untagged 172.20.252.71   Static  Yes    No
dy-data-ksb1                     LAG  10       10.55.21.10     Dynamic No     No
dy-data-parc                     LAG  1        10.55.0.2       Dynamic No     No
dy-guest-ksb1                    LAG  50       10.55.22.10     Dynamic No     No
dy-itteam-ksb1                   LAG  30       10.55.20.10     Dynamic No     No
dy-voice-ksb1                    LAG  20       10.55.23.10     Dynamic No     No
management                       LAG  untagged 172.20.252.70   Static  No     No
service-port                     N/A  N/A      172.20.252.101  Static  No     No
virtual                          N/A  N/A      1.1.1.1         Static  No     No
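Steve's request for show interface summary is the cross-check that matters here: the debug already shows the Access-Accept from 172.20.1.16 being turned into an override with vlanIfName 'dy-data-ksb1', so the question is whether that name is a Dynamic interface on the controller, which the table above confirms (VLAN 10, 10.55.21.10). The script below is an added example, not from the thread or from Cisco, that automates that comparison over a trimmed copy of the two outputs posted above. The second station aa:bb:cc:dd:ee:ff and its empty vlanIfName line are constructed to exercise the failure branch; the exact debug text the WLC prints in that case is not taken from the page.

```python
"""Cross-check a WLC dot1x/RADIUS debug against 'show interface summary'.
Added example, not from the thread: it answers whether the vlanIfName chosen
by the AAA override exists as a Dynamic interface on the controller."""
import re

MAC = r"[0-9a-f]{2}(?::[0-9a-f]{2}){5}"
MAC_RE = re.compile(MAC)
ACCEPT_RE = re.compile(r"Access-Accept received from RADIUS server (\S+) for mobile (" + MAC + ")")
VLANIF_RE = re.compile(r"vlanIfName: '([^']*)'")

# Sample input: a trimmed copy of the debug posted above, plus a constructed
# second station (aa:bb:cc:dd:ee:ff) whose override carries no interface name.
SAMPLE_DEBUG = """\
*radiusTransportThread: Sep 19 12:32:47.841: 8c:70:5a:1c:8e:20 Access-Accept received from RADIUS server 172.20.1.16 for mobile 8c:70:5a:1c:8e:20 receiveId = 4
*Dot1x_NW_MsgTask_0: Sep 19 12:32:47.842: 8c:70:5a:1c:8e:20 Applying new AAA override for station 8c:70:5a:1c:8e:20
*Dot1x_NW_MsgTask_0: Sep 19 12:32:47.842: 8c:70:5a:1c:8e:20 Override values for station 8c:70:5a:1c:8e:20
source: 4, valid bits: 0x200
qosLevel: -1, dscp: 0xffffffff, dot1pTag: 0xffffffff, sessionTimeout: -1
vlanIfName: 'dy-data-ksb1', aclName: ''
*radiusTransportThread: Sep 19 12:40:01.000: aa:bb:cc:dd:ee:ff Access-Accept received from RADIUS server 172.20.1.16 for mobile aa:bb:cc:dd:ee:ff receiveId = 5
*Dot1x_NW_MsgTask_0: Sep 19 12:40:01.001: aa:bb:cc:dd:ee:ff Applying new AAA override for station aa:bb:cc:dd:ee:ff
vlanIfName: '', aclName: ''
"""

# Trimmed copy of the 'show interface summary' posted above.
SAMPLE_SUMMARY = """\
Interface Name                   Port Vlan Id  IP Address      Type    Ap Mgr Guest
-------------------------------- ---- -------- --------------- ------- ------ -----
ap-manager                       LAG  untagged 172.20.252.71   Static  Yes    No
dy-data-ksb1                     LAG  10       10.55.21.10     Dynamic No     No
dy-guest-ksb1                    LAG  50       10.55.22.10     Dynamic No     No
management                       LAG  untagged 172.20.252.70   Static  No     No
"""


def parse_override_debug(lines):
    """Return {mac: {'server': ip or None, 'vlan_if': name or None}}.
    The WLC prefixes each debug line with the station MAC; 'vlanIfName' lines
    are continuation lines without one, so they are attributed to the most
    recently seen station."""
    stations, current = {}, None
    for line in lines:
        m = MAC_RE.search(line)
        if m:
            current = m.group(0)
            stations.setdefault(current, {"server": None, "vlan_if": None})
        m = ACCEPT_RE.search(line)
        if m:
            stations.setdefault(m.group(2), {"server": None, "vlan_if": None})["server"] = m.group(1)
        m = VLANIF_RE.search(line)
        if m and current is not None:
            stations[current]["vlan_if"] = m.group(1)
    return stations


def parse_interface_summary(text):
    """Parse the table into {name: {'vlan': int or None, 'ip': str, 'type': str}}."""
    ifaces = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 7 or parts[0] == "Interface" or parts[0].startswith("-"):
            continue  # header, separator or blank line
        name, vlan, ip, typ = parts[0], parts[2], parts[3], parts[4]
        ifaces[name] = {"vlan": int(vlan) if vlan.isdigit() else None, "ip": ip, "type": typ}
    return ifaces


def check_override(mac, stations, ifaces):
    """Return (status, explanation) for one client MAC."""
    st = stations.get(mac)
    if st is None or st["server"] is None:
        return "no-accept", "no Access-Accept logged for this station; the failure is before AAA override (RADIUS reachability, shared secret or the EAP exchange)"
    if not st["vlan_if"]:
        return "no-vlan", f"Access-Accept from {st['server']} produced no interface; check that NPS returns 64/65/81 and that AAA override is enabled on the WLAN"
    iface = ifaces.get(st["vlan_if"])
    if iface is None:
        return "no-interface", f"override selected '{st['vlan_if']}' but no such interface is configured on the WLC"
    if iface["type"] != "Dynamic":
        return "not-dynamic", f"'{st['vlan_if']}' is a {iface['type']} interface, not a dynamic one"
    return "ok", f"client placed on {st['vlan_if']} (VLAN {iface['vlan']}, {iface['ip']}); the RADIUS attributes and AAA override are working"


if __name__ == "__main__":
    stations = parse_override_debug(SAMPLE_DEBUG.splitlines())
    ifaces = parse_interface_summary(SAMPLE_SUMMARY)
    for mac in stations:
        print(mac, *check_override(mac, stations, ifaces))
```

Run against the posted outputs, the script reports "ok" for 8c:70:5a:1c:8e:20: the attributes from NPS are accepted and the override lands the client on VLAN 10, so whatever is still failing for that client is not the RADIUS side. The WLAN-side prerequisite Steve names is, on AireOS, `config wlan aaa-override enable <wlan-id>` (with the WLAN administratively disabled while changing it), and `show wlan <wlan-id>` reports it as Allow AAA Override.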
05-23-2024 10:40 AM
Hello everyone
Can somebody help me? I'm part of a new project in my job; we need to provide the IP address via NPS. I have this configuration on the port:
The service is active and we can connect the users with their network account, but we don't want the IP address to be assigned by a DHCP server or a local scope. Help please!
Sorry if my English isn't good, I'll try to improve it.
