04-18-2008 11:05 AM - edited 07-03-2021 03:44 PM
Greetings,
In short we have a WLC4402 (50 AP license) and approx 30 1252s LAPs in place. Right now we have three VLANs/SSIDs in place - one for admin, one for teachers and one for students. The WLC uses a MS Windows 2003 server running IAS for PEAP authentication. The clients are Windows XP, the SSID is entered manually based on "pre-designation" of the laptop's "type" (either admin, teacher or student).
This is working fine. However more and more frequently our users have been "sharing" laptops so a student may need to use a teacher's laptop and vice-versa. In short we would like to use dynamic VLAN/SSID assignment so that if a student does have a teacher's laptop the "student" VLAN/SSID would be assigned to them when log in (and the proper ACLs, QoS policies, etc would be applied)
We have found documentation on how to perform this with an ACS but is there anything available for this configuration with a MS IAS server.
Any input/information would be greatly appreciated.
Joe
05-20-2008 12:46 PM
The setup works fine with MS IAS server. You have to set the RADIUS options (3 of them) that are documented in the similar ACS article of the same ilk. You can have a single SSID, using RADIUS auth, and have Active Directory determine vlan membership based on group.
The RADIUS attribute settings are
Tunnel-Type = Vlan
Tunnel-Pvt-Group-ID = vlanid
Tunnel-Medium-Type = 802
I also like to set
Ignore-User-Dialin-Properties = True
You need to create some Policies in IAS to match your Windows groups, and set the correct vlan id. A separate IAS policy per vlan.
Set the RADIUS attributes per IAS policy and per AD group or however you plan on determining membership.
If you want to use RADIUS for administration, you also have to define a separate policy that sets RADIUS attribute Service-Type = Administrative
Jim
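As an added illustration (not part of Jim's post or any Cisco/Microsoft code), the following script shows what those three attributes look like on the wire in a RADIUS Access-Accept and how a controller-side check can decide whether an AAA override to a VLAN is actually possible. Attribute numbers and values come from RFC 2865/2868 (Tunnel-Type 64 with VLAN = 13, Tunnel-Medium-Type 65 with IEEE-802 = 6, Tunnel-Private-Group-ID 81, Service-Type 6); the function and variable names and the sample VLAN 200 are this example's own assumptions. The point it makes is that all three attributes must be present and consistent, otherwise the client stays on the WLAN's default interface.

```python
# Added example: encode/decode the RFC 2868 tunnel attributes used for
# dynamic VLAN assignment and decide whether an override applies.
# Function names below are this example's own, not a Cisco or Microsoft API.

# RADIUS attribute numbers (RFC 2865 / RFC 2868)
SERVICE_TYPE = 6
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81

TUNNEL_TYPE_VLAN = 13          # "Tunnel-Type = Vlan"
TUNNEL_MEDIUM_IEEE_802 = 6     # "Tunnel-Medium-Type = 802"
SERVICE_TYPE_LOGIN = 1
SERVICE_TYPE_ADMINISTRATIVE = 6


def encode_tagged_int(attr_type, tag, value):
    """Tagged integer AVP: one tag octet followed by a 3-octet value (RFC 2868 3.1)."""
    payload = bytes([tag]) + value.to_bytes(3, "big")
    return bytes([attr_type, 2 + len(payload)]) + payload


def encode_tagged_string(attr_type, tag, text):
    """Tagged string AVP: tag octet followed by the string (RFC 2868 3.6)."""
    payload = bytes([tag]) + text.encode("ascii")
    return bytes([attr_type, 2 + len(payload)]) + payload


def encode_int(attr_type, value):
    """Plain 4-octet integer AVP such as Service-Type (RFC 2865)."""
    return bytes([attr_type, 6]) + value.to_bytes(4, "big")


def build_vlan_accept_avps(vlan_id, tag=1):
    """The three attributes an IAS policy must return for a VLAN override."""
    return (encode_tagged_int(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
            + encode_tagged_int(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_IEEE_802)
            + encode_tagged_string(TUNNEL_PRIVATE_GROUP_ID, tag, str(vlan_id)))


def parse_avps(data):
    """Split a RADIUS attribute list into (type, value) pairs, checking lengths."""
    avps, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")
        avps.append((attr_type, data[i + 2:i + length]))
        i += length
    return avps


def _tagged_int(value):
    """Return (tag, integer); tag 0 means the attribute carried no tag."""
    if len(value) != 4:
        raise ValueError("tunnel integer attribute must be 4 octets")
    if value[0] <= 0x1F:
        return value[0], int.from_bytes(value[1:], "big")
    return 0, int.from_bytes(value, "big")


def _tagged_str(value):
    """Return (tag, text); a leading octet > 0x1F is part of the string, not a tag."""
    if value and value[0] <= 0x1F:
        return value[0], value[1:].decode("ascii")
    return 0, value.decode("ascii")


def vlan_from_access_accept(data):
    """VLAN id to override to, or None to keep the WLAN's configured interface.

    Requires Tunnel-Type=VLAN, Tunnel-Medium-Type=802 and a numeric
    Tunnel-Private-Group-ID that share the same tag (or are all untagged).
    """
    ttype, tmedium, tgroup = {}, {}, {}
    for attr_type, value in parse_avps(data):
        if attr_type == TUNNEL_TYPE:
            tag, n = _tagged_int(value); ttype[tag] = n
        elif attr_type == TUNNEL_MEDIUM_TYPE:
            tag, n = _tagged_int(value); tmedium[tag] = n
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
            tag, s = _tagged_str(value); tgroup[tag] = s
    for tag, group in tgroup.items():
        if (ttype.get(tag) == TUNNEL_TYPE_VLAN
                and tmedium.get(tag) == TUNNEL_MEDIUM_IEEE_802
                and group.isdigit() and 1 <= int(group) <= 4094):
            return int(group)
    return None


def is_admin_accept(data):
    """True only if the reply carries Service-Type = Administrative (the admin-login policy)."""
    return any(attr_type == SERVICE_TYPE and int.from_bytes(v, "big") == SERVICE_TYPE_ADMINISTRATIVE
               for attr_type, v in parse_avps(data))


if __name__ == "__main__":
    # Constructed sample: a student policy returning VLAN 200 plus Service-Type = Login.
    accept = build_vlan_accept_avps(200) + encode_int(SERVICE_TYPE, SERVICE_TYPE_LOGIN)
    print("override VLAN:", vlan_from_access_accept(accept))      # 200
    # Same reply with Tunnel-Medium-Type missing: no override, client stays on the default interface.
    partial = encode_tagged_int(TUNNEL_TYPE, 1, TUNNEL_TYPE_VLAN) + encode_tagged_string(TUNNEL_PRIVATE_GROUP_ID, 1, "200")
    print("override VLAN:", vlan_from_access_accept(partial))     # None
```

Running it on the constructed replies shows the complete attribute set yielding VLAN 200 and the incomplete one yielding no override, which is the symptom to look for when clients keep addresses from the WLAN's default interface despite AAA override being enabled.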
04-19-2008 09:03 AM
WLC VSAs and MS IAS
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008082d5b5.shtml
Enjoy!
04-21-2008 05:44 AM
Thx for the article. I will be configuring in about two weeks so this will definitely come in handy.
One question, the article states that the configuration is a "single SSID" and that settings are applied based on user credentials (which is what I am looking for). I am guessing that I could take this one step further and use two (or more) SSIDs but I am assuming that each individual SSID would have to be already configured on the clients. When the user logs in then the policy would determine which local SSID the client would connect to.
Am I correct in thinking this way? Obviously I am going to have to do some testing, but I am looking for any "gotchas" or "pitfalls".
Thx again
Joe
05-21-2008 04:41 AM
After messing around with it last week I was able to get it working. Everything you listed in your post is exactly what I ended up doing to get things working. Too bad I didn't have this two weeks ago ;)
Thx Jim for post though.
Joe
03-31-2009 11:08 AM
I'm wanting to build the same scenario, however I'm having issues with the users being connected to the right vlan, they are only able to access the vlan that the WLAN is setup on in the WLC configuration. I have AAA override on, and they are able to authenticate, just not switching to the associated VLAN under the IAS policy. Could you post some of your configuration for comparison?
Thanks
Shaun
03-31-2009 11:30 AM
Shaun -
From the WLC perspective here is what I had to do:
1. Check the "Allow AAA Override" for each WLAN Profile using Dynamic-VLANs.
2. For each WLAN Profile using Dynamic VLAN assignment I had to set the interface to the management interface of the WLC. The management interface's IP is what is in MS IAS server as the RADIUS client.
3. Make sure that none of the other interfaces on the WLC are in the same VLAN as the MS IAS server. If they are, the WLC will attempt to use this interface to contact the MS IAS server rather than the management interface and the IAS server will reject the request.
Hope this information helps. If you want, I could gather some screenshots of how I configured the WLC/IAS server.
Let me know.
Joe
03-31-2009 12:12 PM
Joe - thanks for the response.
I've made the suggested modifications. I did have the WLC service port on the same VLAN as IAS; I've switched those to different VLANs (I noticed that issue when I originally put the Management IP for the IAS client, as they were not talking).
I've switched all the WLANs to the Management Interface, the users still authenticate fine without issues, however they're not being switched to the correct VLAN. The clients are still showing IPs from the Management Interface.
Here are the options I have configured in IAS - maybe I'm missing something.
Ignore-User-Dialin-Properties = True
Service-Type = Login
Tunnel-Medium-Type = 802 (include all 802 media plus Ethernet canonical format)
Tunnel-Pvt-Group-ID = 200
Tunnel-Type = virtual LANs (VLAN)
And from the WLC Interface configuration:
VLAN Identifier = 200
IP Address = 10.100.200.250
Netmask = 255.255.255.0
Gateway = 10.100.200.1
Layer 2:
Layer 2 Security: WPA+WPA2
WPA2 Policy = True
WPA2 Encryption = AES TKIP
PSK
ASCII
Layer 3:
Layer 3 Security: none
Web Policy = True
Authentication = True
Advanced:
Allow AAA Override Enabled
Thoughts?
Thanks
Shaun
04-01-2009 04:12 AM
Shaun -
Under the security settings for the particular WLAN profile, do you have the AAA server specified? If you have configured it in the WLC already it should show up in the drop-down list.
Joe
04-01-2009 09:03 AM
Joe - Yes, it has our IAS server listed and it's listed at the top for Authentication priority.
-Shaun
04-07-2009 08:31 AM
Shaun -
I have attached a screenshot of the section of my RA Policy for Dynamic VLAN assignment. From what I gather mine is a bit different from yours since I am using WPA2-Enterprise (MS-PEAP). My RA policy has two conditions:
1. the RADIUS client must originate from the WLC's MGMT IP address
2. The wireless laptop/user must each be a member of two specific Windows security groups (one containing the computer account and one containing the user account)
My authentication is MS-CHAPv2 using PEAP and server certificate so that the server can authenticate the user/computer.
I can attach additional pics to show the rest of the RA policy.
Let me know if this helps.
Joe
04-07-2009 08:46 AM
Your RA Policy has identical values, just like mine, I did the AAA debugging on the WLC and it shows AAA settings to be "override". However the changes are not happening. I'm running Software Version 5.2.178.0 on the WLC. Maybe it has to do with the version??
04-07-2009 08:57 AM
Shaun -
It could be. I am running version 4.2.176 on my WLC. We have not made the "leap" to version 5.x yet as I have heard there have been multiple "issues" with version 5.x. In fact, a TAC representative told me to stay at 4.2.x unless there was a specific feature/functionality that only version 5.x could provide. At face value, the configuration settings you posted prior looked fine.
Let me know if you need any additional info.
Joe
04-08-2009 07:50 AM
I have tested this IAS setup on build
AS_5.0.148.0_CSCsm98250.aes
And have no problems with the IAS/Radius dynamic vlan assignment using AD groups.
Hope this helps.
Jim
04-08-2009 07:54 AM
Jim - thanks for the information, could I see how you have your switch ports setup for the WLC and APs? Maybe I'm missing something on mine.
Thanks,
Shaun