Cisco WISM + Radius to select VLAN
Hi All,

We have the Cisco WISM solution up and running. I have set up a new WLAN SSID with web based auth. I now want to put the users in different VLANs depending on who they are using the RADIUS reply.

I have ticked the 'Allow AAA Override' box and I'm sending back the following RADIUS attributes:

Sending Access-Accept of id 50 to 172.17.107.242 port 32769
        Airespace-Interface-Name = np8ss0
        Service-Type = Login-User
        Tunnel-Medium-Type = IEEE-802
        Tunnel-Type = VLAN
        Tunnel-Private-Group-Id = 449
        Airespace-Wlan-Id = 3

These are correctly received by the WISM:

Packet contains 6 AVPs:
    AVP[01] Airespace / Interface-Name.np8ss0 (6 bytes)
    AVP[02] Service-Type...0x0001 (1) (4 bytes)
    AVP[03] Tunnel-Medium-Type.0x0006 (6) (4 bytes)
    AVP[04] Tunnel-Type0x000d (13) (4 bytes)
    AVP[05] Tunnel-Group-Id449 (3 bytes)
    AVP[06] Airespace / WLAN-Identifier0x0003 (3) (4 bytes)

but the client still remains in the default VLAN (i.e. is not moved to 449).

Does anybody know:
- Am I sending the correct attributes back?
- What the magic incantation to make it work is?

We are running 4.1.185.0 on the WISMs and FreeRADIUS 1.1.7 for AAA.

Many Thanks,
James

--
James J J Hooper
Network Specialist
Information Services
University of Bristol
http://www.wireless.bris.ac.uk
--

**
Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
RE: [WIRELESS-LAN] Cisco WISM + Radius to select VLAN
James,

The client should be moved to the vlan specified in Airespace / Interface-Name attribute, not Tunnel-Group-ID. Do you have a dynamic interface called np8ss0 in your WLC?

Dennis Xu
Network Analyst(CCS)
University of Guelph
5198244120 x 56217

-----Original Message-----
From: James J J Hooper [mailto:[EMAIL PROTECTED]
Sent: October-22-07 12:43 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Cisco WISM + Radius to select VLAN
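Added example (not part of the original thread): a Python decoder for the attribute section of the Access-Accept discussed above, showing how the Airespace vendor-specific attributes (enterprise number 14179, sub-types 1 and 5) and the RFC 2868 tunnel attributes sit on the wire. The sample bytes are constructed from the values quoted in the post, and all function names are illustrative.

```python
import struct

AIRESPACE = 14179  # Airespace (Cisco WLC) IANA enterprise number
STD = {6: "Service-Type", 64: "Tunnel-Type", 65: "Tunnel-Medium-Type",
       81: "Tunnel-Private-Group-Id"}
VSA = {1: "Airespace-Wlan-Id", 5: "Airespace-Interface-Name"}

def tlv(t, value):
    """Encode one RADIUS attribute: type, length (header included), value."""
    return bytes([t, len(value) + 2]) + value

def vsa(sub, value):
    """Wrap a sub-attribute in Vendor-Specific (type 26) for Airespace."""
    return tlv(26, struct.pack("!I", AIRESPACE) + tlv(sub, value))

# Constructed sample: attribute section of the Access-Accept from the post.
SAMPLE = (vsa(5, b"np8ss0") + tlv(6, struct.pack("!I", 1))
          + tlv(65, struct.pack("!I", 6)) + tlv(64, struct.pack("!I", 13))
          + tlv(81, b"449") + vsa(1, struct.pack("!I", 3)))

def walk(buf):
    """Yield (type, value) for each TLV, rejecting truncated or bad lengths."""
    i = 0
    while i < len(buf):
        if i + 2 > len(buf) or buf[i + 1] < 2 or i + buf[i + 1] > len(buf):
            raise ValueError(f"malformed attribute at offset {i}")
        yield buf[i], buf[i + 2:i + buf[i + 1]]
        i += buf[i + 1]

def decode(buf):
    """Return a name -> value dict for the attributes this thread uses."""
    out = {}
    for t, v in walk(buf):
        if t == 26 and len(v) >= 4 and struct.unpack("!I", v[:4])[0] == AIRESPACE:
            for st, sv in walk(v[4:]):
                name = VSA.get(st, f"Airespace-{st}")
                out[name] = sv.decode() if st == 5 else int.from_bytes(sv, "big")
        elif t in (64, 65):   # tagged integer: 1 tag byte + 3-byte value
            out[STD[t]] = int.from_bytes(v[1:], "big")
        elif t == 81:         # tagged string: leading byte <= 0x1f is a tag
            out[STD[t]] = (v[1:] if v and v[0] <= 0x1F else v).decode()
        elif t in STD:
            out[STD[t]] = int.from_bytes(v, "big")
    return out

def override_target(attrs):
    """Return (interface name, VLAN id) requested by the reply, if any."""
    vlan = None
    if attrs.get("Tunnel-Type") == 13 and attrs.get("Tunnel-Medium-Type") == 6:
        vlan = attrs.get("Tunnel-Private-Group-Id")
    return attrs.get("Airespace-Interface-Name"), vlan
```

For the constructed sample, override_target(decode(SAMPLE)) reports both the interface name and the tunnel VLAN, which matches the six AVPs the WISM logged.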
Re: [WIRELESS-LAN] Cisco WISM + Radius to select VLAN
Hi Dennis,

Yes there is a np8ss0 dynamic i/f. I have tried combinations of just the VLAN type attributes and just the airespace attributes and with both - no joy with either.

-James

On 22 Oct 2007, at 22:35, Dennis Xu wrote:
> James,
>
> The client should be moved to the vlan specified in Airespace / Interface-Name attribute, not Tunnel-Group-ID. Do you have a dynamic interface called np8ss0 in your WLC?
RE: [WIRELESS-LAN] Cisco WISM + Radius to select VLAN
James,

From this documentation:
http://www.cisco.com/en/US/docs/wireless/controller/4.0/configuration/guide/c40sol.html#wp1086421

    The VLAN feature only supports MAC filtering, 802.1X, and WPA. The VLAN feature does not support Web Authentication or IPSec

That might be the issue for you.

Dennis Xu
Network Analyst(CCS)
University of Guelph
5198244120 x 56217

-----Original Message-----
From: James J J Hooper [mailto:[EMAIL PROTECTED]
Sent: October-22-07 5:57 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Cisco WISM + Radius to select VLAN