
Wireless Dynamic VLAN Assignment

rossirj
Level 1

Has anyone successfully implemented dynamic VLAN assignment? I have not been successful. I am using an IOS-based 1200 with ACS 3.2. I am using PEAP as the authentication mechanism and I have tried both SSID assignment and VLAN assignment via RADIUS, and neither will work. With SSID assignment I get caught in an authenticate/deauthenticate loop. With VLAN assignment it seems like the AP is just ignoring the keys and leaves me in the SSID/VLAN that I initially associate with. I have looked at the Wireless Virtual LAN Deployment Guide and cannot find anything different from what I am already doing.

4 Replies

hadbou
Level 5

I don't think the dynamic VLAN feature is supported yet. Did it work for you?

Yes, it's working for me... I use the dynamic VLAN features on my network.

In this example, VLAN 100 is used for the RF traffic, VLAN 150 is used for test access, and VLAN 200 is used for management.

VLAN 200 is only reachable from the Ethernet link.

See below a config based on this:

version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec show-timezone
service password-encryption
!
hostname AP-01-1200-CEL1
!
logging buffered informational
logging console informational
aaa new-model
!
! RADIUS server groups referenced by the EAP and accounting method lists below
aaa group server radius rad_eap
 server 10.0.0.2 auth-port 1645 acct-port 1646
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
 server 10.0.0.2 auth-port 1645 acct-port 1646
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec default local
aaa authorization ipmobile default group rad_pmip
aaa accounting network acct_methods start-stop group rad_acct
aaa session-id common
enable secret 5 XXXXXXXXXXXXXXXXXXXXX
!
username svaltel privilege 15 password 7 XXXXXXXXXXXXXXXXXXXX
clock timezone B 2
ip subnet-zero
no ip domain lookup
!
bridge irb
!
interface Dot11Radio0
 no ip address
 no ip redirects
 no ip unreachables
 no ip route-cache
 !
 ! per-VLAN cipher suite and broadcast-key rotation for the two client VLANs
 encryption vlan 100 mode ciphers tkip wep128
 !
 broadcast-key vlan 100 change 3600
 !
 encryption vlan 150 mode ciphers tkip wep128
 !
 broadcast-key vlan 150 change 3600
 !
 ssid RFCLOE
    vlan 100
    authentication network-eap eap_methods
    accounting acct_methods
    infrastructure-ssid optional
 !
 ssid TEST
    vlan 150
    authentication network-eap eap_methods
    accounting acct_methods
    infrastructure-ssid optional
 !
 speed basic-1.0 basic-2.0 basic-5.5 basic-11.0
 rts threshold 2339
 channel 2447
 fragment-threshold 2338
 station-role root
 infrastructure-client
!
interface Dot11Radio0.100
 encapsulation dot1Q 100 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio0.150
 encapsulation dot1Q 150
 no ip route-cache
 bridge-group 150
 bridge-group 150 subscriber-loop-control
 bridge-group 150 block-unknown-source
 no bridge-group 150 source-learning
 no bridge-group 150 unicast-flooding
 bridge-group 150 spanning-disabled
!
interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
!
interface FastEthernet0.100
 encapsulation dot1Q 100 native
 no ip route-cache
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface FastEthernet0.150
 encapsulation dot1Q 150 native
 no ip route-cache
 bridge-group 150
 no bridge-group 150 source-learning
 bridge-group 150 spanning-disabled
!
! management VLAN: Ethernet side only, no radio subinterface, so it is not reachable over the air
interface FastEthernet0.200
 encapsulation dot1Q 200
 ip address 10.0.0.100 255.0.0.0
 no ip route-cache
 bridge-group 200
 no bridge-group 200 source-learning
 bridge-group 200 spanning-disabled
!
interface BVI1
 no ip address
 no ip route-cache
!
ip default-gateway 10.0.0.1
ip http server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag/ivory/1100
ip radius source-interface FastEthernet0.200
snmp-server community RFCLOE RO
snmp-server enable traps tty
radius-server local
  group VLAN100
   vlan 100
  !
  user sebastien.valtel nthash 7 XXXXXXXXXXXXXXXXXXXXXX group VLAN100
  !
radius-server host 10.0.0.2 auth-port 1645 acct-port 1646 key 7 XXXXXXXXX
radius-server retransmit 3
radius-server attribute 32 include-in-access-req format %h
radius-server authorization permit missing Service-Type
radius-server vsa send accounting
radius-server vsa send authentication
bridge 1 route ip
!
banner motd ^CXXXXXXXXXXXXXXXXX^C
!
line con 0
line vty 5 15
 session-timeout 60
!
end

Oops... sorry, a little mistake. Replace these lines:

interface FastEthernet0.150
 encapsulation dot1Q 150 native

with:

interface FastEthernet0.150
 encapsulation dot1Q 150
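For anyone debugging the same symptom as the original question (the AP "ignoring" the RADIUS reply), it helps to check two things separately: that the Access-Accept carries exactly the attributes the AP expects, and that the target VLAN or SSID already exists in the AP's configuration, since the AP cannot move a client into a VLAN it has no subinterface or cipher suite for. The following Python is an added example written for this page, not code from the thread, from Cisco or from ACS. It encodes the two assignment styles discussed above (IETF Tunnel-Type 64 = 13 VLAN, Tunnel-Medium-Type 65 = 6 IEEE-802 and Tunnel-Private-Group-ID 81 = the VLAN number for VLAN assignment; the Cisco-AVPair `ssid=<name>` for SSID assignment), decodes them back out of the RADIUS attribute bytes, and checks the result against an AP config parsed from a constructed excerpt of the config posted above. The tag value 1 on the tunnel attributes and the three preconditions it checks (an `encryption vlan N` cipher suite, plus a dot1Q subinterface on both the radio and the Ethernet side for the assigned VLAN; the SSID being configured for SSID assignment) are this example's assumptions, not something the thread states.

```python
import re
import struct

# IETF RADIUS attributes (RFC 2868) that carry a VLAN assignment.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
VLAN, IEEE_802 = 13, 6
# Cisco Vendor-Specific attribute (26 / vendor 9 / sub-type 1 "Cisco-AVPair") carrying "ssid=<name>".
VENDOR_SPECIFIC, CISCO_VENDOR_ID, CISCO_AVPAIR = 26, 9, 1

# Constructed excerpt of the config posted in this thread: two EAP SSIDs on VLANs 100 and 150,
# plus VLAN 200 that exists only on the Ethernet side (no radio subinterface, no cipher suite).
SAMPLE_AP_CONFIG = """\
interface Dot11Radio0
 encryption vlan 100 mode ciphers tkip wep128
 encryption vlan 150 mode ciphers tkip wep128
 ssid RFCLOE
    vlan 100
 ssid TEST
    vlan 150
interface Dot11Radio0.100
 encapsulation dot1Q 100 native
interface Dot11Radio0.150
 encapsulation dot1Q 150
interface FastEthernet0.100
 encapsulation dot1Q 100 native
interface FastEthernet0.150
 encapsulation dot1Q 150
interface FastEthernet0.200
 encapsulation dot1Q 200
"""

def tagged_int(attr_type, tag, value):
    """RFC 2868 tagged integer: tag octet + 3-octet value, total length 6."""
    return struct.pack("!BBB", attr_type, 6, tag) + value.to_bytes(3, "big")

def tagged_string(attr_type, tag, text):
    """RFC 2868 tagged string: tag octet + the string."""
    return struct.pack("!BBB", attr_type, 3 + len(text), tag) + text.encode()

def vlan_assignment_attrs(vlan_id, tag=1):
    """Attributes 64/65/81 the RADIUS server returns to move a client into a VLAN (tag=1 assumed)."""
    return (tagged_int(TUNNEL_TYPE, tag, VLAN)
            + tagged_int(TUNNEL_MEDIUM_TYPE, tag, IEEE_802)
            + tagged_string(TUNNEL_PRIVATE_GROUP_ID, tag, str(vlan_id)))

def ssid_assignment_attrs(ssid):
    """Cisco-AVPair 'ssid=<name>' wrapped in attribute 26."""
    text = b"ssid=" + ssid.encode()
    sub = struct.pack("!BB", CISCO_AVPAIR, 2 + len(text)) + text
    return struct.pack("!BBI", VENDOR_SPECIFIC, 6 + len(sub), CISCO_VENDOR_ID) + sub

def decode_assignment(raw):
    """Walk the attribute TLVs and return what they ask the AP to do."""
    out = {"vlan": None, "ssid": None, "tunnel_type": None, "medium": None}
    i = 0
    while i < len(raw):
        atype, alen = raw[i], raw[i + 1]
        value = raw[i + 2:i + alen]
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            key = "tunnel_type" if atype == TUNNEL_TYPE else "medium"
            out[key] = int.from_bytes(value[1:], "big")  # skip the tag octet
        elif atype == TUNNEL_PRIVATE_GROUP_ID:
            out["vlan"] = (value[1:] if value[0] <= 0x1F else value).decode()  # tag is optional
        elif atype == VENDOR_SPECIFIC and int.from_bytes(value[:4], "big") == CISCO_VENDOR_ID:
            sub = value[4:]
            text = sub[2:sub[1]].decode()
            if sub[0] == CISCO_AVPAIR and text.startswith("ssid="):
                out["ssid"] = text[5:]
        i += alen
    return out

def parse_ap_config(text):
    """Collect the parts of an IOS AP config that a dynamic assignment depends on."""
    cfg = {"ssids": {}, "enc": set(), "Dot11Radio0": set(), "FastEthernet0": set()}
    ssid = iface = None
    for line in text.splitlines():
        line = line.strip()
        if m := re.match(r"ssid (\S+)$", line):
            ssid, iface = m.group(1), None
            cfg["ssids"][ssid] = None
        elif m := re.match(r"interface (\S+)$", line):
            iface, ssid = m.group(1), None
        elif (m := re.match(r"vlan (\d+)$", line)) and ssid:
            cfg["ssids"][ssid] = int(m.group(1))
        elif m := re.match(r"encryption vlan (\d+) ", line):
            cfg["enc"].add(int(m.group(1)))
        elif (m := re.match(r"encapsulation dot1Q (\d+)", line)) and iface:
            cfg.setdefault(iface.split(".")[0], set()).add(int(m.group(1)))
    return cfg

def check_assignment(cfg, a):
    """Reasons the AP would ignore this Access-Accept; an empty list means it should apply."""
    problems = []
    if a["ssid"] is not None and a["ssid"] not in cfg["ssids"]:
        problems.append(f"ssid {a['ssid']} is not configured on the AP")
    if a["vlan"] is not None:
        if (a["tunnel_type"], a["medium"]) != (VLAN, IEEE_802):
            problems.append("Tunnel-Type must be 13 (VLAN) and Tunnel-Medium-Type 6 (IEEE-802)")
        vid = int(a["vlan"])
        if vid not in cfg["enc"]:
            problems.append(f"no 'encryption vlan {vid}' cipher suite on the radio")
        for parent in ("Dot11Radio0", "FastEthernet0"):
            if vid not in cfg[parent]:
                problems.append(f"no {parent}.{vid} dot1Q subinterface")
    return problems
```

Feed the AP's `show running-config` to `parse_ap_config` and the attributes your ACS group returns to `decode_assignment`; an empty list from `check_assignment` means nothing in the AP config explains an ignored assignment and the next place to look is the RADIUS server, while a non-empty list is a concrete line to add before touching ACS. The decoder tolerates servers that send the tunnel attributes untagged (first octet above 0x1F), which is the other common mismatch between what a server sends and what the AP expects.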

WOW... I have been trying to get VLANs to work for the past three days. Thank you. I am glad I found this forum. I will try the config you mentioned and let you know how it worked. But I need to know how you released the IP and config from interface BVI1 and made it "no ip address" / "no ip route-cache". Here is my example using IOS 12.2 on an AP1200:

!
 ssid Guest
    vlan 10
    authentication open
 !
 ssid LAB
    vlan 11
    authentication open
    authentication network-eap eap_methods
 !
 speed basic-1.0 basic-2.0 basic-5.5 basic-11.0
 rts threshold 2312
 station-role root
!
interface Dot11Radio0.10
 encapsulation dot1Q 10 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio0.11
 encapsulation dot1Q 11
 no ip route-cache
 bridge-group 11
 bridge-group 11 subscriber-loop-control
 bridge-group 11 block-unknown-source
 no bridge-group 11 source-learning
 no bridge-group 11 unicast-flooding
 bridge-group 11 spanning-disabled
!
interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 ntp broadcast client
!
interface FastEthernet0.10
 encapsulation dot1Q 10 native
 no ip route-cache
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface FastEthernet0.11
 encapsulation dot1Q 11
 no ip route-cache
 bridge-group 11
 no bridge-group 11 source-learning
 bridge-group 11 spanning-disabled
!
! management address lives on the BVI here, i.e. on the native VLAN 10 that is also the Guest SSID
interface BVI1
 ip address 192.168.0.200 255.255.255.0
 no ip route-cache
!
ip default-gateway 192.168.0.1
ip http server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag/ivory/1100
ip radius source-interface BVI1
radius-server host 192.168.0.92 auth-port 1645 acct-port 1646 key xxxxx
radius-server retransmit 3
radius-server attribute 32 include-in-access-req format %h
radius-server authorization permit missing Service-Type
radius-server vsa send accounting
bridge 1 route ip
!
line con 0
line vty 5 15
!
ntp clock-period 2861628
ntp server 192.168.0.92
end
