Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1545
Views
0
Helpful
11
Replies

vlan assignment using radius for aironet 1200

g.peart
Level 1
Level 1

‎02-18-2005 06:14 PM - edited ‎07-04-2021 10:28 AM

using Funk radius server and MD-5 challenge I can

assign users to a vlan on my switches. But when I try

to assign vlans to users on AP via the radius server

it fails. All SSID are mapped to vlans and encryption

for all is WPA/TKIP. The authentication still works

and I've sucessfully used eap-ttls,PEAP,EAP-TTLS

all against a microsoft AD.

Anyone using radius to assign vlans or SSID with success ?

Also the users must enter an SSID before they can connect to AP, would this stop vlan assignment ?

IOS ver 12.3(2)JA,

Labels:
0 Helpful
11 Replies 11

m-niemi
Level 1
Level 1

‎02-19-2005 04:56 AM

Cisco Wireless Virtual LAN Deployment Guide says that there are 3 IETF Attributes that should be enabled for assigning ssid/vlan for user.

Also there are problems with 12.3(2)JA and at least for me 12.3(2)JA2 is working better.

http://www.cisco.com/en/US/customer/products/hw/wireless/ps4570/prod_technical_reference09186a00801444a1.html

0 Helpful

g.peart
Level 1
Level 1
In response to m-niemi

‎02-22-2005 05:34 AM

I upgraded to 12.3(2)JA but no luck,I can see

from the logs that AP is looking for vlan/ssid attributes. I know form my 2950 I needed the line

"aaa authorization network default group radius"

for md5 and have same line in AP config.

Does anyone have dynamic assignment via radius/EAP

for SSID/VLAN definetely working or should I give up ?

0 Helpful

dhickey
Level 1
Level 1
In response to g.peart

‎02-28-2005 12:03 PM

I have this working with Cisco Secure ACS. At one time I also had it working with Microsoft IAS on windows 2000 server.

When my students login, they are assigned a specific VLAN through radius. When Fac/staff login, they are assigned a different VLAN through Radius.

I have not used Funk, but I do know it works with ACS and IAS.

Here is an older link concerning vlans and wireless. It also includes the correct radius attributes that need to be used...they are -

IETF 64 (Tunnel Type)—Set this to VLAN

IETF 65 (Tunnel Medium Type)—Set this to 802

IETF 81 (Tunnel Private Group ID)—Set this to VLAN ID

This link is kinda old since it uses the Vxworks GUI, but has some good info..

http://www.cisco.com/univercd/cc/td/doc/product/wireless/airo1200/accsspts/ap120scg/bkscgch4.htm

Here is another link for the latest software...

http://www.cisco.com/en/US/customer/products/hw/wireless/ps4570/products_configuration_guide_chapter09186a0080341d34.html

If the links don't work, I did a search on Cisco.com for vlans and wireless..

Thanks

Don Hickey

0 Helpful

aarons
Level 1
Level 1
In response to dhickey

‎03-11-2005 07:21 PM

Don,

You say you have this working with IAS? Did you use cisco-avpair attributes? Or the standard ones with microsoft. Im thinking my setup isnt working because the cisco switch doesnt understand the attributes being sent by the IAS.

Cheers in advance.

0 Helpful

jafrazie
Cisco Employee
Cisco Employee
In response to aarons

‎03-12-2005 08:33 AM

What attributes, and what specific values are you sending to the AP?

0 Helpful

aarons
Level 1
Level 1
In response to jafrazie

‎03-12-2005 08:39 AM

Im in a wired situation.. not sending any attributes to an AP. Im sending attributes to a 3560 cisco switch. But the principles are kind of the same.

The attributes i am using are

cisco-avpair = "tunnel-type(#64)=VLAN(13)",

cisco-avpair = "tunnel-medium-type(#65)=802 media(6)"

cisco-avpair = "tunnel-private-group-ID(#81)=SALES"

Cheers.

0 Helpful

dhickey
Level 1
Level 1
In response to aarons

‎03-17-2005 05:09 AM

Guys,

I am running ACS, but I took a look at my IAS settings I had running before we purchased ACS..

These are from Windows 2003 Server

Tunnel-Medium-Type - 802

Tunnel-Pvt-Group-ID - 31 <--- Vlan #

Tunnel-Type - VLANS

Tunnel-Tag - 10 <- I can't remember why we needed this, but if you search these archives it is in some of my previous posts (over 1 yr ago).

Framed Protocol - PPP

Service-Type - Framed

I did not use the cisco-av pairs...

These are Radius Standard..

Thanks

Don

0 Helpful

sherry4071
Level 1
Level 1
In response to dhickey

‎06-13-2006 06:09 AM

hi,

what do i have to config the interface in switch which access point connected with? perhaps trunking?

0 Helpful

g.peart
Level 1
Level 1

‎04-01-2005 04:45 PM

thanks for all the input, it seems the problem was with

Funk radius server, since peap/eap-ttls are tunneled

you have to create filters to on the server so that it sends the attributes through the tunnel to the AP.

Everything now works great.

0 Helpful

vramanaiah
Level 1
Level 1
In response to g.peart

‎03-02-2006 01:11 AM

Very interesting to know that Wireless LAN can support dynamic VLAN membership..

Does this mean that one SSID will get mapped to different wired VLAN, based on user authentication..?

I am also interested to know if this is also supported on LWAPP/WlAN CONtroller based deployments? Any success stories there..?

0 Helpful

sherry4071
Level 1
Level 1
In response to vramanaiah

‎06-13-2006 03:50 PM

Hi, the airespace controller does support dynamic VLAN assignment but I don't know how to deploy it,sitll looking for configuration example

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card