02-21-2014 08:17 AM - edited 07-05-2021 12:15 AM
Hello,
What we are trying to do:
John logs on to wifi using RSA fob for password. RSA sends back auth request with attributes to WLC 7.4 that magically knows how to interpret the attributes and puts John on VLAN 10. Mary logs on with her fob and gets put on VLAN 20.
We don't have ISE. We don't have ACS. We have RSA Authentication Manager 7.0.
We have looked high and low for documentation for this kind of setup and we find stuff that is close to a match but not quite.
Here is what we are seeing
1. dynamic vlan assignment is not working -- radius server is set with the attributes
2. RSA authentication works
3. John and Mary are always put into the VLAN where the MGMT interface is
4. I can see that attributes are making it back to the WLC by sniffing
We are stuck at this point. Any help would be much appreciated,
P.
02-21-2014 08:31 AM
What attribute is being sent back for 81? The VLAN ID, or the interface name?
HTH,
Steve
------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered
02-21-2014 09:33 AM
Here is a little more background:
Also I have attached some screenshots and two packet captures so you can see what the RSA is sending back with your own eyes
And to answer your question, we are sending a VLAN ID (157).
02-24-2014 02:13 PM
Just an update for this.
It seems any RADIUS server we try this with, we get the same result:
We don't see the right attributes in the Access-Accept packet from the RADIUS server. The attributes we see are:
AVP: l=121 t=Class(25): 53425232434cede1d29dcc9cbe83afc01180640180048199...
AVP: l=6 t=EAP-Message(79) Last Segment[1]
AVP: l=58 t=Vendor-Specific(26) v=Microsoft(311)
AVP: l=58 t=Vendor-Specific(26) v=Microsoft(311)
AVP: l=18 t=Message-Authenticator(80): 4e3595aa45b1c0fab2ebd4ae8db98a2e
So now I am starting to think it might be the way the controller is negotiating the request. Like I said, we get the same result when we use RSA or Free RADIUS.
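An added example, not part of the original thread: a Python check that parses a raw RADIUS Access-Accept and reports whether it carries the RFC 3580 VLAN triplet (Tunnel-Type 64 = VLAN, Tunnel-Medium-Type 65 = 802, Tunnel-Private-Group-ID 81), which is what is missing from the attribute list above. The function names and both sample packets are constructed for illustration, and the Message-Authenticator is not verified.

```python
import struct

# RFC 2868 tunnel attributes; RFC 3580 uses them for VLAN assignment.
TUNNEL_TYPE, TUNNEL_MEDIUM, TUNNEL_PGID = 64, 65, 81
ACCESS_ACCEPT = 2

def parse_avps(packet):
    """Split a raw RADIUS packet into (code, [(attr_type, value), ...])."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("bad RADIUS length field")
    avps, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated AVP header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad AVP length")
        avps.append((a_type, packet[pos + 2:pos + a_len]))
        pos += a_len
    return code, avps

def vlan_override(packet):
    """Return (vlan_or_name, problems); vlan is None unless the triplet is complete."""
    code, avps = parse_avps(packet)
    if code != ACCESS_ACCEPT:
        return None, ["not an Access-Accept"]
    found = {t: v for t, v in avps if t in (TUNNEL_TYPE, TUNNEL_MEDIUM, TUNNEL_PGID)}
    problems = [f"attribute {t} absent"
                for t in (TUNNEL_TYPE, TUNNEL_MEDIUM, TUNNEL_PGID) if t not in found]
    # Tunnel-Type and Tunnel-Medium-Type carry a tag byte, then a 3-byte value.
    for attr, want, label in ((TUNNEL_TYPE, 13, "VLAN"), (TUNNEL_MEDIUM, 6, "802")):
        if attr in found and int.from_bytes(found[attr][1:4], "big") != want:
            problems.append(f"attribute {attr} is not {label} ({want})")
    if problems:
        return None, problems
    pgid = found[TUNNEL_PGID]
    if pgid and pgid[0] <= 0x1F:      # optional leading tag byte
        pgid = pgid[1:]
    return pgid.decode("ascii", "replace"), []

def build(code, avps):
    """Assemble a packet for the constructed samples (authenticator zeroed)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in avps)
    return struct.pack("!BBH", code, 1, 20 + len(body)) + bytes(16) + body

# Constructed samples: one shaped like the capture in the thread, one with the triplet.
NO_VLAN = build(2, [(25, b"constructed-class"), (79, bytes.fromhex("03010004")), (80, bytes(16))])
WITH_VLAN = build(2, [(64, bytes([0, 0, 0, 13])), (65, bytes([0, 0, 0, 6])), (81, b"157")])
```

Feed `vlan_override` the UDP payload of the Access-Accept exported from a capture; an empty problem list means the server side is sending what the controller needs, and the remaining checks are on the WLAN and AP.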
02-27-2014 08:19 AM
When doing Dynamic VLAN Assignment with FlexConnect, you have to create a VLAN mapping at the AP, and allow AAA Override in the WLAN. Take a look at this guide that Vinay posted.
HTH,
Steve