RE: [WIRELESS-LAN] Cisco WISM + Radius to select VLAN

2007-10-22 Thread Dennis Xu
James,

From this documentation:
http://www.cisco.com/en/US/docs/wireless/controller/4.0/configuration/guide/c40sol.html#wp1086421

"The VLAN feature only supports MAC filtering, 802.1X, and WPA. The VLAN
feature does not support Web Authentication or IPSec"

That might be the issue for you.

Dennis Xu
Network Analyst(CCS)
University of Guelph
5198244120 x 56217

-----Original Message-----
From: James J J Hooper [mailto:[EMAIL PROTECTED] 
Sent: October-22-07 5:57 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Cisco WISM + Radius to select VLAN

Hi Dennis,
   Yes there is a "np8ss0" dynamic i/f. I have tried combinations of  
just the VLAN type attributes and just the airespace attributes and  
with both - no joy with either.

-James

On 22 Oct 2007, at 22:35, Dennis Xu wrote:

> James,
>
> The client should be moved to the vlan specified in "Airespace /
> Interface-Name" attribute, not "Tunnel-Group-ID". Do you have a dynamic
> interface called "np8ss0" in your WLC?
>
>
> Dennis Xu
> Network Analyst(CCS)
> University of Guelph
> 5198244120 x 56217
>
> -----Original Message-----
> From: James J J Hooper [mailto:[EMAIL PROTECTED]
> Sent: October-22-07 12:43 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: [WIRELESS-LAN] Cisco WISM + Radius to select VLAN
>
> Hi All,
>   We have the Cisco WISM solution up and running. I have set up a new WLAN
> SSID with web based auth. I now want to put the users in different VLANs
> depending on who they are using the RADIUS reply. I have ticked the 'Allow
> AAA Override' box and I'm sending back the following RADIUS attributes:
>
> Sending Access-Accept of id 50 to 172.17.107.242 port 32769
> Airespace-Interface-Name = "np8ss0"
> Service-Type = Login-User
> Tunnel-Medium-Type = IEEE-802
> Tunnel-Type = VLAN
> Tunnel-Private-Group-Id = "449"
> Airespace-Wlan-Id = 3
>
> These are correctly received by the WISM:
>
> Packet contains 6 AVPs:
> AVP[01] Airespace / Interface-Name...np8ss0 (6 bytes)
> AVP[02] Service-Type...0x0001 (1) (4 bytes)
> AVP[03] Tunnel-Medium-Type...0x0006 (6) (4 bytes)
> AVP[04] Tunnel-Type...0x000d (13) (4 bytes)
> AVP[05] Tunnel-Group-Id...449 (3 bytes)
> AVP[06] Airespace / WLAN-Identifier...0x0003 (3) (4 bytes)
>
>
> but the client still remains in the default VLAN (i.e. is not moved to
> 449).
>
>
> Does anybody know: Am I sending the correct attributes back?
>
> What the magic incantation to make it work is?
>
> We are running 4.1.185.0 on the WISMs and FreeRADIUS 1.1.7 for AAA.
>
> Many Thanks,
>   James
>
> --
> James J J Hooper
> Network Specialist
> Information Services
> University of Bristol
> http://www.wireless.bris.ac.uk
> --
>
> **
> Participation and subscription information for this EDUCAUSE  
> Constituent
> Group discussion list can be found at http://www.educause.edu/groups/.
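The two checks raised in this thread (the WLAN's security type must be one the quoted guide lists for the VLAN feature, and Airespace-Interface-Name must name a dynamic interface on the controller), as an added example that is not part of the original messages. It decodes a constructed copy of the Access-Accept and reports why the override would not take effect; the security-type labels, function names and sample bytes are assumptions, while the Airespace vendor ID and attribute numbers are the standard RADIUS dictionary values.

```python
import struct

AIRESPACE = 14179  # Airespace enterprise number used in Cisco WLC vendor-specific attributes
NAMES = {6: "Service-Type", 64: "Tunnel-Type", 65: "Tunnel-Medium-Type",
         81: "Tunnel-Private-Group-Id"}
VSA_NAMES = {1: "Airespace-Wlan-Id", 5: "Airespace-Interface-Name"}
# Security types the quoted Cisco 4.0 guide lists for the VLAN feature (labels are assumed).
VLAN_CAPABLE = {"mac-filtering", "802.1x", "wpa"}

def tlv(t, value):
    """Encode one type/length/value attribute (length counts the 2-byte header)."""
    return bytes([t, len(value) + 2]) + value

def airespace(t, value):
    """Wrap a value in a Vendor-Specific (type 26) attribute for the Airespace vendor."""
    return tlv(26, struct.pack("!I", AIRESPACE) + tlv(t, value))

def decode(buf):
    """Walk RADIUS attribute TLVs, unwrapping Airespace VSAs; returns name -> raw value."""
    out, i = {}, 0
    while i < len(buf):
        if len(buf) - i < 2 or buf[i + 1] < 2 or i + buf[i + 1] > len(buf):
            raise ValueError(f"malformed attribute at offset {i}")
        t, val = buf[i], buf[i + 2:i + buf[i + 1]]
        i += buf[i + 1]
        if t == 26 and len(val) >= 6 and int.from_bytes(val[:4], "big") == AIRESPACE:
            if val[5] < 2 or 4 + val[5] != len(val):
                raise ValueError("malformed Airespace VSA")
            out[VSA_NAMES.get(val[4], f"Airespace-{val[4]}")] = val[6:]
        else:
            out[NAMES.get(t, f"Attr-{t}")] = val
    return out

def review(attrs, wlan_security, dynamic_interfaces):
    """Return reasons the VLAN override in this Access-Accept would not take effect."""
    findings = []
    iface = attrs.get("Airespace-Interface-Name")
    if iface is None and "Tunnel-Private-Group-Id" not in attrs:
        return findings  # no VLAN override requested
    if wlan_security not in VLAN_CAPABLE:
        findings.append(f"VLAN feature not supported with {wlan_security}")
    if iface is not None and iface.decode("ascii", "replace") not in dynamic_interfaces:
        findings.append(f"no dynamic interface named {iface.decode('ascii', 'replace')}")
    return findings

# Constructed bytes mirroring the Access-Accept quoted in the thread.
SAMPLE = (airespace(5, b"np8ss0") + tlv(6, struct.pack("!I", 1))
          + tlv(65, b"\x00\x00\x00\x06") + tlv(64, b"\x00\x00\x00\x0d")
          + tlv(81, b"449") + airespace(1, struct.pack("!I", 3)))

if __name__ == "__main__":
    print(review(decode(SAMPLE), "web-auth", {"np8ss0"}))
```
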


Re: [WIRELESS-LAN] Cisco WISM + Radius to select VLAN

2007-10-22 Thread James J J Hooper

Hi Dennis,
  Yes there is a "np8ss0" dynamic i/f. I have tried combinations of  
just the VLAN type attributes and just the airespace attributes and  
with both - no joy with either.


-James

On 22 Oct 2007, at 22:35, Dennis Xu wrote:


James,

The client should be moved to the vlan specified in "Airespace /
Interface-Name" attribute, not "Tunnel-Group-ID". Do you have a dynamic
interface called "np8ss0" in your WLC?


Dennis Xu
Network Analyst(CCS)
University of Guelph
5198244120 x 56217

-----Original Message-----
From: James J J Hooper [mailto:[EMAIL PROTECTED]
Sent: October-22-07 12:43 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Cisco WISM + Radius to select VLAN

Hi All,
  We have the Cisco WISM solution up and running. I have set up a new WLAN
SSID with web based auth. I now want to put the users in different VLANs
depending on who they are using the RADIUS reply. I have ticked the 'Allow
AAA Override' box and I'm sending back the following RADIUS attributes:


Sending Access-Accept of id 50 to 172.17.107.242 port 32769
Airespace-Interface-Name = "np8ss0"
Service-Type = Login-User
Tunnel-Medium-Type = IEEE-802
Tunnel-Type = VLAN
Tunnel-Private-Group-Id = "449"
Airespace-Wlan-Id = 3

These are correctly received by the WISM:

Packet contains 6 AVPs:
AVP[01] Airespace / Interface-Name...np8ss0 (6 bytes)
AVP[02] Service-Type...0x0001 (1) (4 bytes)
AVP[03] Tunnel-Medium-Type...0x0006 (6) (4 bytes)
AVP[04] Tunnel-Type...0x000d (13) (4 bytes)
AVP[05] Tunnel-Group-Id...449 (3 bytes)
AVP[06] Airespace / WLAN-Identifier...0x0003 (3) (4 bytes)


but the client still remains in the default VLAN (i.e. is not moved to
449).


Does anybody know: Am I sending the correct attributes back?

What the magic incantation to make it work is?

We are running 4.1.185.0 on the WISMs and FreeRADIUS 1.1.7 for AAA.

Many Thanks,
  James

--
James J J Hooper
Network Specialist
Information Services
University of Bristol
http://www.wireless.bris.ac.uk
--



RE: [WIRELESS-LAN] Cisco WISM + Radius to select VLAN

2007-10-22 Thread Dennis Xu
James,

The client should be moved to the vlan specified in "Airespace /
Interface-Name" attribute, not "Tunnel-Group-ID". Do you have a dynamic
interface called "np8ss0" in your WLC?


Dennis Xu
Network Analyst(CCS)
University of Guelph
5198244120 x 56217

-----Original Message-----
From: James J J Hooper [mailto:[EMAIL PROTECTED] 
Sent: October-22-07 12:43 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Cisco WISM + Radius to select VLAN

Hi All,
  We have the Cisco WISM solution up and running. I have set up a new WLAN
SSID with web based auth. I now want to put the users in different VLANs
depending on who they are using the RADIUS reply. I have ticked the 'Allow
AAA Override' box and I'm sending back the following RADIUS attributes:

Sending Access-Accept of id 50 to 172.17.107.242 port 32769
Airespace-Interface-Name = "np8ss0"
Service-Type = Login-User
Tunnel-Medium-Type = IEEE-802
Tunnel-Type = VLAN
Tunnel-Private-Group-Id = "449"
Airespace-Wlan-Id = 3

These are correctly received by the WISM:

Packet contains 6 AVPs:
AVP[01] Airespace / Interface-Name...np8ss0 (6 bytes)
AVP[02] Service-Type...0x0001 (1) (4 bytes)
AVP[03] Tunnel-Medium-Type...0x0006 (6) (4 bytes)
AVP[04] Tunnel-Type...0x000d (13) (4 bytes)
AVP[05] Tunnel-Group-Id...449 (3 bytes)
AVP[06] Airespace / WLAN-Identifier...0x0003 (3) (4 bytes)


but the client still remains in the default VLAN (i.e. is not moved to
449).


Does anybody know: Am I sending the correct attributes back?

What the magic incantation to make it work is?

We are running 4.1.185.0 on the WISMs and FreeRADIUS 1.1.7 for AAA.

Many Thanks,
  James

--
James J J Hooper
Network Specialist
Information Services
University of Bristol
http://www.wireless.bris.ac.uk
--
