Yeah that makes sense.  Thanks.

The last time I looked at this I was thinking about having them switch VLANs
after authenticating via the captive portal not 802.1x.  

John
-----Original Message-----
From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Osborne, Bruce W
Sent: Friday, July 08, 2011 8:04 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Proxim APs and 802.1X RADIUS VLAN assignment

The 802.1X authentication and VLAN assignment occur before the client even
gets an IP address.

We are implementing 802.1X with Aruba this summer.

Bruce Osborne
Wireless Network Engineer
IT Network Services
 
(434) 592-4229
 
LIBERTY UNIVERSITY
40 Years of Training Champions for Christ: 1971-2011


-----Original Message-----
From: John Kaftan [mailto:jkaf...@utica.edu]
Sent: Thursday, July 07, 2011 7:31 PM
Subject: Re: Proxim APs and 802.1X RADIUS VLAN assignment

I have fantasized about doing this but have feared the VLAN change would not
prompt the clients to ask for a new IP.  Looks like you have a different
issue but do you know, if you get the VLAN switching working, how the
clients will realize they need to ask for another IP?

As for troubleshooting have you captured any packets between the controller
and your LAN infrastructure to see if your wireless is tagging the packets?
Do you have reporting at the controller that can tell you if it is receiving
the attribute correctly?  You could capture the RADIUS packet as it leaves
the server to see if the attribute is being passed to your controller as you
believe it is.

John



On 7/7/2011 11:47 AM, Jethro R Binks wrote:
> Hello all,
>
> I've been having problems using 802.1X authentication, or more 
> specifically, assignment of VLANs based on the RADIUS attributes.
>
> Goal is to have one SSID, "eduroam", to which both visitors and local 
> users authenticate when using the wireless service.  Visitors remain 
> in the VLAN to which the SSID is associated, and local users onsite 
> are switched into a different VLAN based on attributes from the Radius 
> server backend.
>
> In brief:
>
> I am running the latest v4.0.12 code (but had problems with previous 
> versions too).
>
> I believe I have followed to the letter the Proxim knowledgebase 
> article (which was updated a while ago) ("VLAN Assignment by RADIUS").
>
> I have tested with a variety of clients (Windows laptop, Windows 
> mobile, Apple i-things).
>
> With no VLAN assignment (i.e., none of the Tunnel- attributes being 
> sent by RADIUS), it usually works OK (sometimes with a couple of 
> retries); but the local user remains in the "visitor" VLAN as expected.
>
> With the VLAN assignment enabled, it will usually NOT work.  Once in a 
> while you might get lucky and get connected to the right VLAN and get 
> an address from DHCP, but it is very inconsistent and unreliable.  As 
> far as I can surmise, the problem is likeliest to lie with the AP.
>
> Since it does occasionally work, the basic infrastructure appears to 
> be sound.
>
> So, I'm reaching out there to find if there are any other people doing 
> something like this with Proxim APs (AP4000 in particular), to see if you 
> have seen these problems with other vendors or found a fix.  Or, 
> alternatively, maybe it isn't the AP, but something else you can 
> suggest that might cause this inconsistent behaviour.
>
> Thanks for any thoughts,
>
> Jethro.
>
> .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .
> Jethro R Binks, Network Manager,
> Information Services Directorate, University Of Strathclyde, Glasgow, 
> UK
>
> The University of Strathclyde is a charitable body, registered in 
> Scotland, number SC015263.
>
> **********
> Participation and subscription information for this EDUCAUSE Constituent
Group discussion list can be found at http://www.educause.edu/groups/.
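
The check suggested in the thread (capture the RADIUS reply as it leaves the server and confirm the Tunnel- attributes are really in it) can be scripted. The following is an added example, not code from any poster or from Proxim: it parses a raw RADIUS reply and verifies the three VLAN-assignment attributes. The attribute numbers and expected values are taken from RFC 2868 and RFC 3580, not from the thread; the sample packets, the VLAN ID "120" and all function names are constructed for illustration, and the Response Authenticator is not verified because that needs the shared secret.

```python
import struct

TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
ACCESS_ACCEPT, VLAN, IEEE_802 = 2, 13, 6   # values RFC 3580 expects

def parse_attributes(packet: bytes):
    """Return [(type, value), ...] from a raw RADIUS packet (RFC 2865 layout)."""
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    attrs, pos = [], 20   # skip code, id, length and the 16-byte authenticator
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError(f"malformed attribute at offset {pos}")
        alen = packet[pos + 1]
        attrs.append((packet[pos], packet[pos + 2:pos + alen]))
        pos += alen
    return attrs

def check_vlan_assignment(packet: bytes):
    """Return (vlan_id or None, problems) for one captured RADIUS reply."""
    attrs = parse_attributes(packet)
    problems, seen = [], {}
    if packet[0] != ACCESS_ACCEPT:
        problems.append("not an Access-Accept")
    for atype, value in attrs:
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE) and len(value) == 4:
            seen[atype] = int.from_bytes(value[1:], "big")   # octet 0 is the tag
        elif atype == TUNNEL_PRIVATE_GROUP_ID and value:
            # RFC 2868: a leading octet <= 0x1F is treated as a tag, not VLAN text
            raw = value[1:] if value[0] <= 0x1F else value
            seen[atype] = raw.decode("ascii", "replace")
    if seen.get(TUNNEL_TYPE) != VLAN:
        problems.append("Tunnel-Type missing or not VLAN (13)")
    if seen.get(TUNNEL_MEDIUM_TYPE) != IEEE_802:
        problems.append("Tunnel-Medium-Type missing or not IEEE-802 (6)")
    if TUNNEL_PRIVATE_GROUP_ID not in seen:
        problems.append("Tunnel-Private-Group-ID missing")
    return (None if problems else seen[TUNNEL_PRIVATE_GROUP_ID]), problems

# Constructed sample packets (zeroed authenticator; VLAN "120" is made up).
def attr(t, v):
    return bytes([t, len(v) + 2]) + v

def reply(code, attrs):
    body = b"".join(attrs)
    return struct.pack("!BBH", code, 1, 20 + len(body)) + bytes(16) + body

GOOD = reply(2, [attr(64, b"\x00\x00\x00\x0d"), attr(65, b"\x00\x00\x00\x06"), attr(81, b"120")])
NO_MEDIUM = reply(2, [attr(64, b"\x00\x00\x00\x0d"), attr(81, b"\x01120")])
```

Feed it the UDP payload of the reply taken from a capture at the RADIUS server; a clean result there moves the investigation to the AP or controller side.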
