Buy or Renew
Buy or Renew
Cisco Virtual Engineer generative AI bot now active in Wireless Discussion Forum. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2172
Views
15
Helpful
6
Replies

Dynamic Vlan on Mobility Express

mmacdonald70
Level 1
Level 1

‎03-23-2021 08:14 PM - edited ‎07-05-2021 01:01 PM

I'm trying to get Dynamic Vlans working with a Freeradius server and Mobility Express.

I created a new Wlan, enabled trunk and 'Allow AAA override'.  I also added the vlans to the flexconfig with 

config flexconnect group default-flexgroup vlan add <vlan-id>

My config is now:

Cisco AP Identifier.............................. 0
Cisco AP Name.................................... APF4DB-E6FF-FCE2
Country code..................................... CA - Canada
Regulatory Domain allowed by Country............. 802.11bg:-A 802.11a:-A
AP Country code.................................. CA - Canada
AP Regulatory Domain............................. 802.11bg:-A 802.11a:-A
Switch Port Number .............................. 1
MAC Address...................................... f4:db:e6:ff:fc:e2
IP Address Configuration......................... DHCP
IP Address....................................... x.x.x.x
IP NetMask....................................... x.x.x.x
Gateway IP Addr.................................. x.x.x.x
NAT External IP Address.......................... None
CAPWAP Path MTU.................................. 1485
DHCP Release Override............................ Disabled
Telnet State..................................... Globally Disabled
Ssh State........................................ Specifically Enabled
NSI Ports State.................................. Globally Enabled
Virtual IP Address............................... Not Configured
Cisco AP Type.................................... MobilityExpress Capable AP
Cisco Internal AP................................ Yes
Cisco AP Location................................ default location
Cisco AP Floor Label............................. 0
Cisco AP Group Name.............................. default-group
Primary Cisco Switch Name........................ macwifi
Primary Cisco Switch IP Address.................. Not Configured
Secondary Cisco Switch Name......................
Secondary Cisco Switch IP Address................ Not Configured
Tertiary Cisco Switch Name.......................
Tertiary Cisco Switch IP Address................. Not Configured
Administrative State ............................ ADMIN_ENABLED
Operation State ................................. REGISTERED
Mirroring Mode .................................. Disabled
AP Mode ......................................... FlexConnect
Public Safety ................................... Disabled
AP SubMode ...................................... Not Configured
Rogue Detection ................................. Enabled
AP Vlan Trunking ................................ Enabled (Inherited)
AP Native Vlan ID: .............................. 1 (Inherited)
Remote AP Debug ................................. Disabled
Logging trap severity level ..................... informational
KPI not configured ..............................
Logging syslog facility ......................... kern
S/W Version .................................... 8.10.142.0
Boot Version ................................... 1.1.2.4
Mini IOS Version ................................ 0.0.0.0
Stats Reporting Period .......................... 30
Stats Collection Mode ........................... normal
Radio Core Mode ................................. Normal
Slub Debug Mode ................................. Disabled
Static Ip Failover .............................. Enabled
LED State........................................ Enabled
PoE Pre-Standard Switch.......................... Disabled
PoE Power Injector MAC Addr...................... Disabled
Power Type/Mode.................................. PoE/Medium Power (25.5 W)
Number Of Slots.................................. 3
AP Model......................................... AIR-AP4800-A-K9
AP Image......................................... AP3G3-K9W8-M
IOS Version...................................... 8.10.142.0
Reset Button..................................... Enabled
AP Serial Number................................. FJC2306M2JU
AP Certificate Type.............................. Manufacture Installed
AP LAG Configuration Status ..................... Disabled
LAG Support for AP .............................. Yes
AP multicast mode :.............................. Disabled
Native Vlan Inheritance: ........................ Group
FlexConnect Vlan mode :.......................... Enabled
Native ID :..................................... 1
WLAN 1 :........................................ 100 (Group-Specific)
WLAN 2 :........................................ 100 (Group-Specific)
WLAN 3 :........................................ 10 (Group-Specific)
WLAN 4 :........................................ 100 (Group-Specific)
WLAN 5 :........................................ 100 (Group-Specific)
FlexConnect VLAN ACL Mappings
VLAN with least priority :....................... 103
FlexConnect Group................................ default-flexgroup
Group VLAN ACL Mappings

Vlan :........................................... 101
Ingress ACL :................................... None
Egress ACL :.................................... None
Vlan :........................................... 102
Ingress ACL :................................... None
Egress ACL :.................................... None
Vlan :........................................... 103
Ingress ACL :................................... None
Egress ACL :.................................... None

Group VLAN Name to Id Mappings
AP-Specific FlexConnect Policy ACLs :
L2Acl Configuration ............................. Not Available

FlexConnect Local-Split ACLs :
WLAN ID PROFILE NAME ACL TYPE
------- -------------------------------- --------------------------------- -------

Flexconnect Central-Dhcp Values :

WLAN ID PROFILE NAME Central-Dhcp DNS Override Nat-Pat Type
------- --------------------------------- -------------- -------------- --------- ------
2 test False False False Wlan

Flex AVC visibility Configurations..............

WlanId PROFILE NAME Inherit-level Visibility Flex Avc-profile
------- -------------------------------- ------------- ---------- --------------------------------

FlexConnect Backup Auth Radius Servers :
Primary Radius Server........................... Disabled
Secondary Radius Server......................... Disabled
FlexConnect Radius/Local Auth Parameters :
Radius Retransmit Count......................... 3 (default)
Active Radius Timeout........................... 5 (default)

AP User Mode................................... AUTOMATIC
AP User Name..................................... admin
AP Dot1x User Mode............................... Not Configured
AP Dot1x User Name............................... Not Configured
AP Dot1x EAP Method.............................. EAP-FAST
Cisco AP system logging host..................... 255.255.255.255
AP Up Time....................................... 2 days, 06 h 42 m 21 s
AP LWAPP Up Time................................. 2 days, 06 h 39 m 12 s
Join Date and Time............................... Sun Mar 21 16:28:54 2021
Join Taken Time.................................. 0 days, 00 h 03 m 08 s
Unencrypted Data Keep Alive ..................... Enable
AP broken antenna detection - Status ............ Not Supported
Memory Type...................................... DDR4
Memory Size...................................... 48 KBytes
CPU Type......................................... ARMv7 Processor rev 1 (v7l)

Flash Type....................................... Onboard Flash
Flash Size....................................... 48 KBytes
GPS Present...................................... NO
Ethernet Vlan Tag................................ Disabled
Ethernet Port Duplex............................. Full
Ethernet Port Speed.............................. Auto
Fabric support................................... Yes
AP Link Latency.................................. Disabled
Rogue Detection.................................. Enabled
AP TCP MSS Adjust................................ Enabled
AP TCP MSS Size.................................. 1250
AP CAPWAP Control Port........................... 5256
AP CAPWAP Data Port.............................. 5256
AP WPA3 Capable.................................. Yes
Beacons Tx from All supported Antennas........... Enabled
Hotspot Venue Group.............................. Unspecified
Hotspot Venue Type............................... Unspecified
DNS server IP ............................. Not Available
Time Zone Config :
Time Zone State................................. Disabled
Time Zone Offset Hour........................... 00
Time Zone Offset Minute......................... 00
NTP server status :
NTP Enable...................................... Internal AP: No NTP server configured
Encryption SPIs (Unique Identifiers)
Hyperlocation................................... None


ApVapId to Profile Name Mappings:

APVAPID WLANID PROFILE NAME SLOT-A/B
------- ------ ------------------------------ --------
2 2 test 1/1

External Module:

USB Module Type.................................. USB Module
USB Module Status................................ Enabled
USB Module Operational State..................... Not Detected: Not enough power resource

 

My radius server seems to be sending the proper attributes:

 

Sent Access-Request Id 200 from 0.0.0.0:59161 to 127.0.0.1:1812 length 74
User-Name = "test"
User-Password = "xxxxxxx"
NAS-IP-Address = x.x.x.x
NAS-Port = 1819
Message-Authenticator = 0x00
Cleartext-Password = "test"
Received Access-Accept Id 200 from 127.0.0.1:1812 to 0.0.0.0:0 length 37
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "101"

 

But when I connect, I get vlan 100 instead of vlan 101.  What am I missing?

0 Helpful
6 Replies 6

pieterh
VIP
VIP

‎03-24-2021 04:10 AM

does vlan 101 exists on the connected switchport ?

mmacdonald70
Level 1
Level 1
In response to pieterh

‎03-24-2021 04:37 AM

Yes.  If I manually change the vlan on the WLAN to 101, I connect on Vlan 101.  I just can't seem to make the radius attributes work.

0 Helpful

Rich R
VIP
VIP
In response to mmacdonald70

‎03-24-2021 09:13 AM

Seems like the feature is supported: https://www.cisco.com/c/en/us/td/docs/wireless/access_point/feature-matrix/ap-feature-matrix.html#_Toc64463744 so it should work.

Collect packet captures and debugs on the WLC to try to see what's actually being sent and received and how the ME WLC is handling it.

Might also want to test against ISE and compare the pcaps to make sure you're sending all the right parameters from FR.

If all else fails - TAC case.

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's   and   TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's,   Best Practices for 9800 WLC's   and   Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.190.0, latest 9800 releases, 8.5.182.11 (8.5 mainline) and 8.5.182.108 (8.5 IRCM)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs

pieterh
VIP
VIP
In response to mmacdonald70

‎03-25-2021 12:36 AM

check output from the command below (with your AP name of course): 

show ap config general AP00A3.8EFA.DC16

(from : Configure Flexconnect VLAN Mappings on Mobility Express Controllers - Cisco)

0 Helpful

mmacdonald70
Level 1
Level 1
In response to pieterh

‎03-25-2021 05:01 AM

Thanks.  Not sure what I'm looking for though.

(Cisco Controller) >show ap config general APF4DB-E6FF-FCE2

Cisco AP Identifier.............................. 0
Cisco AP Name.................................... APF4DB-E6FF-FCE2
Country code..................................... CA - Canada
Regulatory Domain allowed by Country............. 802.11bg:-A 802.11a:-A
AP Country code.................................. CA - Canada
AP Regulatory Domain............................. 802.11bg:-A 802.11a:-A
Switch Port Number .............................. 1
MAC Address...................................... f4:db:e6:ff:fc:e2
IP Address Configuration......................... DHCP
IP Address....................................... x.x.x.x
IP NetMask....................................... 255.255.255.0
Gateway IP Addr.................................. x.x.x.x
NAT External IP Address.......................... None
CAPWAP Path MTU.................................. 1485
DHCP Release Override............................ Disabled
Telnet State..................................... Globally Disabled
Ssh State........................................ Specifically Enabled
NSI Ports State.................................. Globally Enabled
Virtual IP Address............................... Not Configured
Cisco AP Type.................................... MobilityExpress Capable AP
Cisco Internal AP................................ Yes
Cisco AP Location................................ default location
Cisco AP Floor Label............................. 0
Cisco AP Group Name.............................. default-group
Primary Cisco Switch Name........................ macwifi
Primary Cisco Switch IP Address.................. Not Configured
Secondary Cisco Switch Name......................
Secondary Cisco Switch IP Address................ Not Configured
Tertiary Cisco Switch Name.......................
Tertiary Cisco Switch IP Address................. Not Configured
Administrative State ............................ ADMIN_ENABLED
Operation State ................................. REGISTERED
Mirroring Mode .................................. Disabled
AP Mode ......................................... FlexConnect
Public Safety ................................... Disabled
AP SubMode ...................................... Not Configured
Rogue Detection ................................. Enabled
AP Vlan Trunking ................................ Enabled (Inherited)
AP Native Vlan ID: .............................. 1 (Inherited)
Remote AP Debug ................................. Disabled
Logging trap severity level ..................... informational
KPI not configured ..............................
Logging syslog facility ......................... kern
S/W Version .................................... 8.10.142.0
Boot Version ................................... 1.1.2.4
Mini IOS Version ................................ 0.0.0.0
Stats Reporting Period .......................... 30
Stats Collection Mode ........................... normal
Radio Core Mode ................................. Normal
Slub Debug Mode ................................. Disabled
Static Ip Failover .............................. Enabled
LED State........................................ Enabled
PoE Pre-Standard Switch.......................... Disabled
PoE Power Injector MAC Addr...................... Disabled
Power Type/Mode.................................. PoE/Medium Power (25.5 W)
Number Of Slots.................................. 3
AP Model......................................... AIR-AP4800-A-K9
AP Image......................................... AP3G3-K9W8-M
IOS Version...................................... 8.10.142.0
Reset Button..................................... Enabled
AP Serial Number................................. FJC2306M2JU
AP Certificate Type.............................. Manufacture Installed
AP LAG Configuration Status ..................... Disabled
LAG Support for AP .............................. Yes
AP multicast mode :.............................. Disabled
Native Vlan Inheritance: ........................ Group
FlexConnect Vlan mode :.......................... Enabled
Native ID :..................................... 1
WLAN 1 :........................................ 100 (Group-Specific)
WLAN 2 :........................................ 100 (Group-Specific)
WLAN 3 :........................................ 10 (Group-Specific)
WLAN 4 :........................................ 100 (Group-Specific)
WLAN 5 :........................................ 100 (Group-Specific)
FlexConnect VLAN ACL Mappings
VLAN with least priority :....................... 103
FlexConnect Group................................ default-flexgroup
Group VLAN ACL Mappings

Vlan :........................................... 101
Ingress ACL :................................... None
Egress ACL :.................................... None
Vlan :........................................... 102
Ingress ACL :................................... None
Egress ACL :.................................... None
Vlan :........................................... 103
Ingress ACL :................................... None
Egress ACL :.................................... None

Group VLAN Name to Id Mappings
AP-Specific FlexConnect Policy ACLs :
L2Acl Configuration ............................. Not Available

FlexConnect Local-Split ACLs :
WLAN ID PROFILE NAME ACL TYPE
------- -------------------------------- --------------------------------- -------

Flexconnect Central-Dhcp Values :

WLAN ID PROFILE NAME Central-Dhcp DNS Override Nat-Pat Type
------- --------------------------------- -------------- -------------- --------- ------
2 test False False False Wlan

Flex AVC visibility Configurations..............

WlanId PROFILE NAME Inherit-level Visibility Flex Avc-profile
------- -------------------------------- ------------- ---------- --------------------------------

FlexConnect Backup Auth Radius Servers :
Primary Radius Server........................... Disabled
Secondary Radius Server......................... Disabled
FlexConnect Radius/Local Auth Parameters :
Radius Retransmit Count......................... 3 (default)
Active Radius Timeout........................... 5 (default)

AP User Mode................................... AUTOMATIC
AP User Name..................................... admin
AP Dot1x User Mode............................... Not Configured
AP Dot1x User Name............................... Not Configured
AP Dot1x EAP Method.............................. EAP-FAST
Cisco AP system logging host..................... 255.255.255.255
AP Up Time....................................... 3 days, 15 h 26 m 44 s
AP LWAPP Up Time................................. 3 days, 15 h 23 m 35 s
Join Date and Time............................... Sun Mar 21 16:28:54 2021
Join Taken Time.................................. 0 days, 00 h 03 m 08 s
Unencrypted Data Keep Alive ..................... Enable
AP broken antenna detection - Status ............ Not Supported
Memory Type...................................... DDR4
Memory Size...................................... 48 KBytes
CPU Type......................................... ARMv7 Processor rev 1 (v7l)

Flash Type....................................... Onboard Flash
Flash Size....................................... 48 KBytes
GPS Present...................................... NO
Ethernet Vlan Tag................................ Disabled
Ethernet Port Duplex............................. Full
Ethernet Port Speed.............................. Auto
Fabric support................................... Yes
AP Link Latency.................................. Disabled
Rogue Detection.................................. Enabled
AP TCP MSS Adjust................................ Enabled
AP TCP MSS Size.................................. 1250
AP CAPWAP Control Port........................... 5256
AP CAPWAP Data Port.............................. 5256
AP WPA3 Capable.................................. Yes
Beacons Tx from All supported Antennas........... Enabled
Hotspot Venue Group.............................. Unspecified
Hotspot Venue Type............................... Unspecified
DNS server IP ............................. Not Available
Time Zone Config :
Time Zone State................................. Disabled
Time Zone Offset Hour........................... 00

Time Zone Offset Minute......................... 00
NTP server status :
NTP Enable...................................... Internal AP: No NTP server configured
Encryption SPIs (Unique Identifiers)
Hyperlocation................................... None


ApVapId to Profile Name Mappings:

APVAPID WLANID PROFILE NAME SLOT-A/B
------- ------ ------------------------------ --------
2 2 test 1/1

External Module:

USB Module Type.................................. USB Module
USB Module Status................................ Enabled
USB Module Operational State..................... Not Detected: Not enough power resource

Service SubService CMX Server
------------ ---------------- ---------------

 

(Cisco Controller) >

0 Helpful

pieterh
VIP
VIP
In response to mmacdonald70

‎03-25-2021 05:46 AM

you need change this one: 

Ethernet Vlan Tag................................ Disabled

 

Step 1. You first need to configure VLAN tagging support on the AP. This can be done with the command config flexconnect group group_name vlan enable.

For ex:
(Mobility_Express) >config flexconnect group default-flexgroup vlan enable

 

 

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card