11-19-2014 08:41 AM - edited 07-05-2021 01:58 AM
Hi,
I'm building a lab with WLC4404 and freeradius + daloradius gui.
WLC can communicate with the freeradius, but my problem is that the users can log in and, no matter which SSID they connect to, they get in.
I want to know how to enforce a policy for this on the freeradius or the WLC with the AV pairs, as every user should remain in a specific SSID.
Thanks,
11-19-2014 09:28 AM
Hi,
I am not sure if this is what you want to hear or not!
You can use mac filtering feature on WLC for WLANs.
http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wlan-security/91901-mac-filters-wlcs-config.html
Regards
Don't forget to rate helpful posts
11-19-2014 09:53 AM
Hi and thanks for your answer,
Unfortunately mac filtering didn't fit my requirements, as the final implementation will be around 100 LAPs and 1000 users (BYOD).
Regards,
11-21-2014 01:14 AM
Hi,
Right now the freeradius is passing the SSID value to the WLC, but when the user is registered it gets moved from the VLAN assigned in freeradius to the one that he tries to connect to.
This is the message of the WLC:
DISCONECT_MOBILE_DUE_TO_WLAN_SW: apf_policy.c:577 Disconnecting mobile #:#:#:#:#:# due to switch of WLANs from 3(STAFF) to 1(STUDENTS)
Is there any way to change this WLC behavior so that, if the assigned WLAN is not the same as the one the user is trying to connect to, the WLC rejects the connection?
Thanks,
11-21-2014 01:27 AM
This can be a problem in WLC software.
I don't have any experience with the free radius server, but if you have ISE or ACS then you do it with the AAA override option.
Maybe this doc helps:
http://kb.netgear.com/ci/fattach/get/126/1317294811/redirect/1/session/L2F2LzEvdGltZS8xNDE2NTYxNzc5L3NpZC9hbFF0NVo3bQ==/filename/Dynamic%20VLAN%20Assignment%20using%20RADIUS.pdf
http://serverfault.com/questions/300735/dynamic-vlans-with-freeradius-openldap-cisco-wlc
Regards
11-21-2014 02:36 AM
Hi Sandeep,
AAA override is enabled in the WLC and the software version is 7.0.250, which is the last one for the WLC4404 series.
Regards,
11-21-2014 02:56 AM
Hi,
Then you must check your freeRadius server configuration.
Check this doc:
http://freeradius.org/doc/
Regards
12-02-2014 05:13 AM
Hi Sandeep,
Finally I managed to implement it, but instead of enforcing the VLANs in the WLC I modified the freeradius config to issue an SSID check against the user group name (for example students), and now it is working smoothly.
Thanks,
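The SSID-versus-group check described in the post above, modelled as an added Python example that is not part of the original thread and is not FreeRADIUS configuration. It assumes the WLC sends Called-Station-Id as "AP MAC:SSID"; the group names, user names, and requests are constructed.

```python
import re

# Assumption: the WLC sends Called-Station-Id as "<AP MAC>:<SSID>".
CALLED_STATION = re.compile(
    r"^(?:[0-9A-Fa-f]{2}[-:]){5}[0-9A-Fa-f]{2}:(?P<ssid>.+)$")

# Constructed data: group -> the one SSID it may join, and user -> group.
GROUP_SSID = {"students": "STUDENTS", "staff": "STAFF"}
USER_GROUP = {"alice": "students", "bob": "staff"}


def ssid_of(called_station_id):
    """Return the SSID suffix, or None when the attribute carries none."""
    match = CALLED_STATION.match(called_station_id or "")
    return match.group("ssid") if match else None


def check_ssid(request):
    """Decide on the SSID/group policy only; the password check is separate."""
    ssid = ssid_of(request.get("Called-Station-Id"))
    if ssid is None:
        return "Access-Reject", "no SSID in Called-Station-Id"
    group = USER_GROUP.get(request.get("User-Name"))
    allowed = GROUP_SSID.get(group)
    if allowed is None:  # fail closed for users without a mapped group
        return "Access-Reject", "user has no group-to-SSID mapping"
    if ssid != allowed:  # SSIDs are case-sensitive, so compare exactly
        return "Access-Reject", f"group {group} is not allowed on {ssid}"
    return "Access-Accept", f"group {group} on {ssid}"


# Constructed Access-Request attributes, not captured traffic.
SAMPLE_REQUESTS = [
    {"User-Name": "alice", "Called-Station-Id": "00-1A-2B-3C-4D-5E:STUDENTS"},
    {"User-Name": "alice", "Called-Station-Id": "00-1A-2B-3C-4D-5E:STAFF"},
    {"User-Name": "bob", "Called-Station-Id": "00:1A:2B:3C:4D:5E:STAFF"},
    {"User-Name": "bob", "Called-Station-Id": "00-1A-2B-3C-4D-5E"},
    {"User-Name": "mallory", "Called-Station-Id": "00-1A-2B-3C-4D-5E:STAFF"},
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(req["User-Name"], req.get("Called-Station-Id"), check_ssid(req))
```

Rejecting at the RADIUS server means a user in the wrong SSID never associates, instead of being accepted and then moved to another WLAN by the controller.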
12-02-2014 07:14 AM
Hi, great to hear that you got it working.
Mostly it always has to do with the RADIUS server, because on the WLC you just have to mention the IP of the server.
Regards
05-29-2015 03:28 PM
Hello Saul,
I am writing to you from Colombia to ask for your help. Could you tell me how you got it working and what you modified in the freeradius configuration? I read somewhere that there is a DNIS parameter that sends the SSID to which each user should connect.
I look forward to your reply, and thank you very much for your time.
06-01-2015 05:47 PM
Please refer to the below link :
http://serverfault.com/questions/399741/restrict-freeradius-clients-to-access-service-from-different-lans-with-same-user