10-23-2007 02:39 PM - edited 07-03-2021 02:49 PM
Hello,
I am trying to set up an IOS AP using 12.3(8)JEB1 to use WPA2 using ACS 4.0(1)Build 44. I am trying to use PEAP with MSCHAPv2.
The problem I am having is that the only way I can get the client to associate is if I configure the AP's SSID to be the same VLAN that is stated in the "[081] Tunnel-Private-Group-ID" field of the group that the dynamic user is in.
When I configure the SSID to the VLAN it should be, the client never authenticates, even though the ACS server shows it as a "Passed Authentication".
When I do a "debug radius authentication", I get this message "%DOT11-4-NO_VLAN_ID: Vlan id 1100 from Radius server is not configured for station xxxx.xxxx.xxxx" (MAC address removed).
Is there a way to configure the AP to ignore the "[081] Tunnel-Private-Group-ID" field?
10-28-2007 12:47 AM
Here's what you need. I just figured this out tonight:
aaa group server radius your-AAA-group-name
 server your-radius-server#1-IPaddress auth-port 1645 acct-port 1646
 server your-radius-server#2-IPaddress auth-port 1645 acct-port 1646
 authorization reply reject wireless-attreject-list
!
radius-server attribute list wireless-attreject-list
 attribute 81
!
aaa authentication login eap_methods group your-AAA-group-name
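An added example, not part of the original posts and not Cisco's code: a simplified Python model of what a reject list containing attribute 81 does to an Access-Accept before the VLAN decision is made. The packet bytes, the SSID VLAN 20 and all function names are constructed for illustration; only attribute 81 and VLAN 1100 come from the thread.

```python
import struct

TUNNEL_PRIVATE_GROUP_ID = 81  # the attribute the thread's reject list names

def build_packet(code, ident, attrs):
    """Build a constructed RADIUS packet from (type, value-bytes) pairs."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + bytes(16) + body

def parse_attributes(packet):
    """Return [(type, value)] from a RADIUS packet, validating every length."""
    if len(packet) < 20:
        raise ValueError("short RADIUS header")
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        raise ValueError("bad packet length")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return attrs

def group_id(value):
    """Decode Tunnel-Private-Group-ID, skipping the optional RFC 2868 tag."""
    if value and value[0] <= 0x1F:
        value = value[1:]
    return value.decode("ascii")

def apply_reject_list(attrs, reject):
    """Drop the listed attribute types from the reply before it is acted on."""
    return [(t, v) for t, v in attrs if t not in reject]

def effective_vlan(attrs, ssid_vlan, configured_vlans):
    """Simplified model (assumption): a numeric attribute 81 overrides the SSID
    VLAN; None stands for the NO_VLAN_ID failure when it is not configured."""
    for t, v in attrs:
        if t == TUNNEL_PRIVATE_GROUP_ID:
            vlan = int(group_id(v))
            return vlan if vlan in configured_vlans else None
    return ssid_vlan

# Constructed Access-Accept (code 2): Tunnel-Type=VLAN, Tunnel-Medium-Type=802,
# Tunnel-Private-Group-ID="1100". SSID VLAN 20 is a made-up value.
SAMPLE = build_packet(2, 1, [(64, b"\x00\x00\x00\x0d"), (65, b"\x00\x00\x00\x06"), (81, b"1100")])
```

In this model the filtered reply always resolves to the SSID's own VLAN, so per-user VLAN assignment from the RADIUS server is no longer enforced for that server group.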
10-30-2007 08:04 PM
Worked great!
Thanks for your help!