Re: Radius vlan overriding with both mac filtering and user authentica

Konstantin Kabassanov · ‎06-07-2024

Hi,

On old WISM2 controllers I was able to provide vlan assignment values through radius replies during mac filtering verification step. Then upon successful user authentication, controllers were merging attributes from both queries and were using results for final vlan assignment. Now, on C9800, it seems that after the mac filtering step (controllers still retreive correct vlan values), attributes are reset before user authentication (vlan-id attribute with the right value is still sent in the radius request), so if radius Accept message does not contain Tunnel-Private-Group-Id attribute, user device is attached to the predefnied vlan from tag/policy configuratinos. Is there a command to change this behavior, or is this a bug ? There is a workaround that could be set on radius servers (on freeradius servers for example), but if there is a better solution... Thanks.

Mark Elsen · ‎06-07-2024

- FYI : https://www.cisco.com/c/en/us/support/docs/wireless-mobility/wlan-security/217043-configure-dynamic-vlan-assignment-with-c.html#toc-hId--989020326
Read the complete section.

M.

-- Let everything happen to you
   Beauty and terror
      Just keep going
     No feeling is final
Reiner Maria Rilke (1899)

Konstantin Kabassanov · ‎06-07-2024

This document does not make any reference to WLAN Mac filtering. It is talking only about vlan assignment on per user basis... Did I miss something?

Radius vlan overriding with both mac filtering and user authentication