Radius vlan overriding with both mac filtering and user authentication

Konstantin Kabassanov · ‎06-07-2024

Hi,

On old WISM2 controllers I was able to provide vlan assignment values through radius replies during mac filtering verification step. Then upon successful user authentication, controllers were merging attributes from both queries and were using results for final vlan assignment. Now, on C9800, it seems that after the mac filtering step (controllers still retreive correct vlan values), attributes are reset before user authentication (vlan-id attribute with the right value is still sent in the radius request), so if radius Accept message does not contain Tunnel-Private-Group-Id attribute, user device is attached to the predefnied vlan from tag/policy configuratinos. Is there a command to change this behavior, or is this a bug ? There is a workaround that could be set on radius servers (on freeradius servers for example), but if there is a better solution... Thanks.

marce1000 · ‎06-07-2024

- FYI : https://www.cisco.com/c/en/us/support/docs/wireless-mobility/wlan-security/217043-configure-dynamic-vlan-assignment-with-c.html#toc-hId--989020326
Read the complete section.

M.

-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

Konstantin Kabassanov · ‎06-07-2024

This document does not make any reference to WLAN Mac filtering. It is talking only about vlan assignment on per user basis... Did I miss something?