Hi Matthew, I checked that out and it's configured as you suggested. The AAA Override option is enabled.
The VLAN attributes are these:

    Tunnel-Type = VLAN
    Tunnel-Medium-Type = IEEE-802
    Tunnel-Private-Group-Id = VLAN_ID

It works fine when we use the AP against the radius server, but when we use the WLC against the Radius server the process is not getting to the attributes assignment part, because (I guess) it's not getting something in the Huntgroup variable. This is the difference.

The one that works:

    server inner-tunnel {
    +- entering group authorize {...}
    ++[preprocess] returns ok
    ++? if (!Huntgroup-Name)
    ? Evaluating !(Huntgroup-Name) -> FALSE
    ++? if (!Huntgroup-Name) -> FALSE
    ++? if (Huntgroup-Name == "list")
    ? Evaluating (Huntgroup-Name == "list") -> TRUE
    ++? if (Huntgroup-Name == "list") -> TRUE
    ++- entering if (Huntgroup-Name == "list") {...}
    +++? if (Ldap-Group == "WIFI-Direccion")

"WIFI-Direccion" is the first LDAP group to check if the user is in.

The one that does not work:

    server inner-tunnel {
    +- entering group authorize {...}
    ++[preprocess] returns ok
    ++? if (!Huntgroup-Name)
    ? Evaluating !(Huntgroup-Name) -> TRUE
    ++? if (!Huntgroup-Name) -> TRUE
    ++- entering if (!Huntgroup-Name) {...}
    +++[reply] returns ok
    ++- if (!Huntgroup-Name) returns ok
    ++? if (Huntgroup-Name == "list")
    (Attribute Huntgroup-Name was not found)

Apart from this, I see differences in other parts of the radius debug like this:

The one that works:

    rad_recv: Access-Request packet from host 10.32.2.39 port 1645, id=199, length=136
        User-Name = "fcanales"
        Framed-MTU = 1400
        Called-Station-Id = "001d.4551.7da0"
        Calling-Station-Id = "5894.6b0d.e86c"
        Service-Type = Login-User
        Message-Authenticator = 0x645687565f9d60e3b76f5ffac29b74a1
        EAP-Message = 0x0202000d016663616e616c6573
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 59460
        NAS-IP-Address = 10.32.2.39
        NAS-Identifier = "ap-Reco32"

The one that does not work:

    rad_recv: Access-Request packet from host 10.32.2.81 port 32768, id=113, length=232
        User-Name = "fcanales"
        Calling-Station-Id = "58-94-6b-0d-e8-6c"
        Called-Station-Id = "30-37-a6-4b-9f-90:IReconquista"
        NAS-Port = 1
        Cisco-AVPair = "audit-session-id=0a2002510000000f4eaaf051"
        NAS-IP-Address = 10.32.2.81
        NAS-Identifier = "Iplan_wcs"
        Airespace-Wlan-Id = 1
        Service-Type = Framed-User
        Framed-MTU = 1300
        NAS-Port-Type = Wireless-802.11
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "60"
        EAP-Message = 0x0202000d016663616e616c6573
        Message-Authenticator = 0x77344c030301e2389311b1dde163a5b7

There are differences in "Calling-Station-Id", "Called-Station-Id" and "Service-Type", for example. Is it possible that the WLC is sending the information in a way that Radius cannot process?

Thanks!
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html