10-18-2021 05:10 AM
Hi All,
I've got a deployment whereby RBAC is defined by RADIUS policies on ISE in which VLANs are dynamically assigned based on the user's AD credentials.
In the authorization profiles, I can see that a vlan is added which contributes to the Tunnel-Private-Group ID.
What is the behavior when this VLAN does not exist on the wireless controller? In the current AireOS environment, this VLAN does not exist, yet authentication is being passed and the user is being mapped to the VLAN configured in the AP group.
In the 9800 IOS-XE based environment, the same policy set, conditions and authZ profiles were used and the client device does not pass authentication with the controller notifying a VLAN failure.
I had always thought that the VLAN must exist on the WLC in order to pass auth. If not, then access-reject.
SL
12-15-2021 01:42 PM
In IOS and IOS-XE you're 100% right that the VLAN must be defined on the switch for the dynamic VLAN assignment to succeed. It also makes sense because dynamic VLAN assignment simply references the existing VLAN - it does not define it.
But in the case of AireOS, I didn't know this would work. Are you saying that you were able to return a VLAN ID that did NOT exist as a Dynamic Interface on the WLC, and the client was successfully switched to the VLAN? In the case of a centrally switched WLC, I can't see how this would be true. For FlexConnect I can see how that would be ok, because the WLC does not have those VLANs defined - the client traffic is locally switched at the AP and the AP has a trunk to the switch. The FlexConnect AP tags the client traffic, which is carried to the local switch (which of course MUST have the VLAN defined).
12-21-2021 07:32 AM - edited 12-21-2021 07:34 AM
There's a new feature which aims to provide feature parity on 9800:
https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/17-6/release-notes/rn-17-6-9800.html
Fallback for AAA Overridden VLAN
From Cisco IOS XE Bengaluru 17.6.1 onwards, fallback for AAA-overridden VLAN or VLAN groups is supported on the policy profile.
In Cisco IOS XE Bengaluru 17.5.1 and earlier releases, consider a network with a single AAA server dictating policies that need to be applied to a client that may roam across different sites (having different policy definitions). If these policies are not defined on the site, the client does not get access to the network. To address this scenario, the Fallback for AAA-overridden VLAN feature is introduced.
The following command is introduced:
aaa-override vlan fallback
For more information, see the chapter WLAN Security. https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/17-6/config-guide/b_wl_17_6_cg/m_wlan_security_9800.html
You didn't say what version you were testing with?
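As an added example (not from this thread or from Cisco's documentation), this is the 9800 policy-profile configuration that enables the fallback described in the release note above; the profile name EMPLOYEE-POLICY and VLAN 100 are assumed values.

```cisco-ios
! Added example, not from the thread. Profile name and VLAN ID are assumed.
! Before 17.6.1 (or without the fallback line), a Tunnel-Private-Group-ID
! returned by ISE that names a VLAN not defined on the controller leaves
! the client without network access (the "VLAN failure" seen in the post).
wireless profile policy EMPLOYEE-POLICY
 shutdown
 ! Honour the RADIUS attributes (including the VLAN) returned by ISE
 aaa-override
 ! 17.6.1 onwards: if the AAA-overridden VLAN does not exist on this
 ! controller, fall back to the VLAN configured in this policy profile
 aaa-override vlan fallback
 ! Default VLAN for this policy profile, used when the fallback triggers
 vlan 100
 no shutdown
```

After a client joins, `show wireless client mac-address <client-mac> detail` shows which VLAN was actually applied, so you can confirm whether the RADIUS VLAN or the fallback VLAN was used.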
11-30-2022 12:16 AM
Please advise, I got this issue when I required access with AAA authentication on a 9800.
11-30-2022 02:46 AM
phaladone.keomisy@outlook.com
What version of software?
Have you done a radioactive trace on that client?
Is it affecting all clients or only that client?
Is your radius working?
Have you checked the radius logs?