Dynamic VLAN Assignment Via Radius - AireOS and IOS-XE

Scottie_Laforge
Level 1

Hi All,

 

I've got a deployment whereby RBAC is defined by radius policies on ISE in which VLANs are dynamically assigned based on the user's AD credentials.

 

In the authorization profiles, I can see that a VLAN is added which contributes to the Tunnel-Private-Group-ID.

 

What is the behavior when this vlan does not exist on the wireless controller? In the current AireOS environment, this vlan does not exist yet authentication is being passed and the user is being mapped to the configured vlan in the ap group.

 

In the 9800 IOS-XE based environment, the same policy set, conditions and authZ profiles were used and the client device does not pass authentication with the controller notifying a VLAN failure.

 

I had always thought that the VLAN must exist on the WLC in order to pass auth. If not, then access-reject.

 

SL


Arne Bier
VIP

Hi @Scottie_Laforge 

 

In IOS and IOS-XE you're 100% right that the VLAN must be defined on the switch for the dynamic VLAN assignment to succeed. It also makes sense because dynamic VLAN assignment simply references the existing VLAN - it does not define it.

But in the case of AireOS, I didn't know this would work. Are you saying that you were able to return a VLAN ID that did NOT exist as a Dynamic Interface on the WLC, and the client was successfully switched to the VLAN? In the case of a centrally switched WLC, I can't see how this would be true. For FlexConnect I can see how that would be OK, because the WLC does not have those VLANs defined - the client traffic is locally switched at the AP and the AP has a trunk to the switch. The FlexConnect AP tags the client traffic which is carried to the local switch (which of course MUST have the VLAN defined).

 

 

Rich R
VIP

There's a new feature which aims to provide feature parity on 9800:

https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/17-6/release-notes/rn-17-6-9800.html

Fallback for AAA Overridden VLAN

From Cisco IOS XE Bengaluru 17.6.1 onwards, fallback for AAA-overridden VLAN or VLAN groups is supported, on the policy profile.

In Cisco IOS XE Bengaluru 17.5.1 Release and earlier releases, consider a network with a single AAA server dictating policies that need to be applied to a client that may roam across different sites (having different policy definitions). If these policies are not defined on the site, the client does not get access to the network. To address this scenario, the Fallback for AAA-overridden VLAN feature is introduced.

The following command is introduced:

aaa-override vlan fallback

For more information, see the chapter WLAN Security. https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/17-6/config-guide/b_wl_17_6_cg/m_wlan_security_9800.html

 

You didn't say what version you were testing with?
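The original question (does the AAA-returned VLAN have to exist on the controller?) and the fallback feature quoted above both come down to one pre-flight check: does every VLAN that ISE can return in Tunnel-Private-Group-ID resolve on the 9800, and if not, does the policy profile have `aaa-override vlan fallback` so the client lands on the policy-profile VLAN instead of failing? The script below is an added example, not code from this thread or from Cisco. It assumes ISE sets the usual Tunnel-Type=VLAN(13) / Tunnel-Medium-Type=IEEE-802(6) / Tunnel-Private-Group-ID triple when a VLAN is added to an authorization profile, and that on the 9800 both `aaa-override` and `aaa-override vlan fallback` appear under `wireless profile policy <name>` in the running-config; the authorization profiles, the config excerpt and the policy-profile name CORP-POLICY are constructed sample data.

```python
"""Pre-flight check (added example): will the VLANs ISE returns in
Tunnel-Private-Group-ID resolve on a Catalyst 9800, and if not, does the
policy profile's 'aaa-override vlan fallback' rescue the client?"""
import re

# Constructed: what each ISE authorization profile returns. The attribute
# triple is an assumption about how ISE encodes a VLAN in an authZ profile.
ISE_AUTHZ_PROFILES = {
    "Employees":   {"Tunnel-Type": 13, "Tunnel-Medium-Type": 6, "Tunnel-Private-Group-ID": "20"},
    "Contractors": {"Tunnel-Type": 13, "Tunnel-Medium-Type": 6, "Tunnel-Private-Group-ID": "30"},
    "Guests":      {"Tunnel-Type": 13, "Tunnel-Medium-Type": 6, "Tunnel-Private-Group-ID": "GUEST"},
}

# Constructed 9800 running-config excerpt (assumed layout of the policy profile).
WLC_CONFIG = """\
vlan 10
 name CORP
vlan 20
 name EMPLOYEES
vlan 40
 name GUEST
!
wireless profile policy CORP-POLICY
 aaa-override
 aaa-override vlan fallback
 vlan 10
 no shutdown
"""


def parse_wlc_vlans(config):
    """Return {vlan_id: name} for every top-level 'vlan N' block."""
    vlans, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^vlan (\d+)$", line)
        if m:
            current = int(m.group(1))
            vlans[current] = f"VLAN{current:04d}"   # IOS default name
            continue
        m = re.match(r"^ name (\S+)$", line)
        if m and current is not None:
            vlans[current] = m.group(1)
            continue
        if not line.startswith(" "):                  # left the vlan block
            current = None
    return vlans


def parse_policy_profile(config, name):
    """Extract aaa-override, vlan fallback and the default VLAN of one policy profile."""
    result = {"aaa_override": False, "vlan_fallback": False, "vlan": None}
    inside = False
    for line in config.splitlines():
        if line == f"wireless profile policy {name}":
            inside = True
            continue
        if inside and not line.startswith(" "):       # next top-level section
            break
        if inside:
            s = line.strip()
            if s == "aaa-override":
                result["aaa_override"] = True
            elif s == "aaa-override vlan fallback":
                result["vlan_fallback"] = True
            elif s.startswith("vlan "):
                result["vlan"] = s.split(" ", 1)[1]
    return result


def check_assignments(profiles, config, policy_name):
    """Map each authZ profile to (outcome, vlan): the AAA VLAN, the policy-profile
    fallback VLAN, the policy VLAN because override is off, or a hard failure."""
    vlans = parse_wlc_vlans(config)
    policy = parse_policy_profile(config, policy_name)
    known = {str(i) for i in vlans} | set(vlans.values())   # match by ID or by name
    outcome = {}
    for profile, attrs in profiles.items():
        gid = attrs.get("Tunnel-Private-Group-ID")
        if not policy["aaa_override"]:
            outcome[profile] = ("policy-vlan", policy["vlan"])  # RADIUS VLAN ignored
        elif attrs.get("Tunnel-Type") != 13 or attrs.get("Tunnel-Medium-Type") != 6:
            outcome[profile] = ("incomplete-attrs", None)       # fix the authZ profile
        elif gid in known:
            outcome[profile] = ("aaa-vlan", gid)
        elif policy["vlan_fallback"]:
            outcome[profile] = ("fallback", policy["vlan"])
        else:
            outcome[profile] = ("fail", None)                   # VLAN missing, no fallback
    return outcome


if __name__ == "__main__":
    for prof, res in check_assignments(ISE_AUTHZ_PROFILES, WLC_CONFIG, "CORP-POLICY").items():
        print(f"{prof:12} -> {res[0]:16} vlan={res[1]}")
```

Run it against the real `show running-config` and an export of the ISE authorization profiles before cutting over from AireOS: any profile reported as `fail` is a VLAN that must either be created on the 9800 or covered by enabling the fallback in the policy profile. Removing the `aaa-override vlan fallback` line from the sample config turns the Contractors entry from `fallback` into `fail`, which is the behaviour the original post describes.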

[attached screenshot: phaladonekeomisyoutlookcom_1-1669796132308.png]

Please advise, I get this issue when I require access with AAA authentication on the 9800.

Rich R
VIP

phaladone.keomisy@outlook.com
What version of software?
Have you done a radioactive trace on that client?
Is it affecting all clients or only that client?
Is your radius working?
Have you checked the radius logs?
