That is not entirely correct. AAA Override simply means that the WLC will use the RADIUS attributes that are sent by the RADIUS server, in addition to allowing the client based on an Access-Accept message. It does not require mapping the SSID to the Management interface (and there may be important security reasons not to do so.)
If he wants to map a user/usergroup to a particular VLAN, what you provided is one way of doing it. Just make sure that the VLAN is already created as an interface on the WLC. You can also return a cisco-av-pair attribute using the interface name on the WLC instead of the three IETF values. https://supportforums.cisco.com/docs/DOC-22473 has a good explanation of AAA Override and VLAN assignment, using the three IETF values. I was trying to find an example for the Cisco-AV-Pair aire-interface-name usage.

Jason Boyers, CCIE #26024 (Wireless)
Blog: netboyers.wordpress.com

On Sun, Jul 29, 2012 at 7:16 PM, Austin Mantz wrote:
> To use AAA override the SSID must be mapped to the management interface.
> You will also need the following Attributes set in your RADIUS server.
> [064] Tunnel-Type
> [065] Tunnel-Medium-Type
> [081] Tunnel-Private-Group-ID
>
> Austin
>
> On 7/29/12 6:54 PM, "[email protected]" wrote:
>
> >Today's Topics:
> >
> >   1. Re: CCIE_Wireless Digest, Vol 38, Issue 20 (Tariq Mahmood)
> >
> >----------------------------------------------------------------------
> >
> >Message: 1
> >Date: Sun, 29 Jul 2012 15:54:29 -0700 (PDT)
> >From: Tariq Mahmood
> >Subject: Re: [OSL | CCIE_Wireless] CCIE_Wireless Digest, Vol 38, Issue 20
> >
> >hi :
> >I have one question about aaa override feature. I have end filter configured
> >on the radius server and client vlan is not changing client is staying in
> >the same wlan mapped to same vlan. there is any benefit of configuring
> >aaa override ?
> >
> >Sent: Monday, June 25, 2012 1:28 PM
> >Subject: CCIE_Wireless Digest, Vol 38, Issue 20
> >
> >Today's Topics:
> >
> >   1. Re: 1242 capwap with poe module and switchport in vlan trunk
> >      mode (Kristján Ólafur Eðvarðsson)
> >   2. Re: 1242 capwap with poe module and switchport in vlan trunk
> >      mode (Kristján Ólafur Eðvarðsson)
> >
> >----------------------------------------------------------------------
> >
> >Message: 1
> >Date: Mon, 25 Jun 2012 17:08:15 +0000
> >From: Kristján Ólafur Eðvarðsson
> >To: Jason Boyers, "Victor Platov (viplatov)"
> >Subject: Re: [OSL | CCIE_Wireless] 1242 capwap with poe module and
> >    switchport in vlan trunk mode
> >
> >I simply am managing to break this simply by changing from trunk to
> >access mode and back again. The mac address disappears as soon as I
> >change to trunk mode.
> >
> >I checked all HREAP configuration for that AP and it is in native vlan
> >113.
> >
> >I just tested to set the AP to local mode with vlan trunk native on 113
> >on the switch, which should work but the same results.
> >
> >From: Jason Boyers
> >Sent: 25. júní 2012 16:18
> >To: Victor Platov (viplatov)
> >Cc: Ron Marosko; Kristján Ólafur Eðvarðsson
> >Subject: Re: [OSL | CCIE_Wireless] 1242 capwap with poe module and
> >switchport in vlan trunk mode
> >
> >True, Victor, that when connected to the power injector, he wouldn't be
> >able to check the WLC config. However, it appears to be working when in
> >access mode, so he can connect that way, then check the WLC config.
> >
> >The other show commands would be helpful as well.
> >
> >Jason Boyers, CCIE #26024 (Wireless)
> >Blog: netboyers.wordpress.com
> >
> >On Mon, Jun 25, 2012 at 11:52 AM, Victor Platov (viplatov) wrote:
> >I've seen that due to power injector misconfiguration AP doesn't bring up
> >its radio interfaces but not being stuck. Moreover, it had been
> >connected to the WLC before, hence I think it's not the issue.
> >If the switch isn't showing the AP's MAC I suppose CAPWAP tunnel is
> >down...so I'm afraid Kristján could not check it through WLC.
> >
> >Kristján,
> >
> >What are the outputs of the following commands from the switch:
> >Show cdp neighb
> >Sh run intf ...
> >Sh int ....
> >Sh intf .... Switchport
> >Sh intf ... trunk
> >Sh vlan
> >
> >From: ccie_wireless-bounces@onlinestudylist.com On Behalf Of Jason Boyers
> >Sent: Monday, June 25, 2012 6:59 PM
> >To: Ron Marosko
> >Cc: Kristján Ólafur Eðvarðsson
> >Subject: Re: [OSL | CCIE_Wireless] 1242 capwap with poe module and
> >switchport in vlan trunk mode
> >
> >What does "show cdp neighbor" show from the console of the AP when
> >connected in the fashion you are describing? This may also be an issue
> >in terms of the WLC config of the AP. What do you have for the "Power
> >Injector State" and "Power Injector Selection" under the AP config
> >Advanced tab?
> >
> >Jason Boyers, CCIE #26024 (Wireless)
> >Blog: netboyers.wordpress.com
> >
> >On Mon, Jun 25, 2012 at 9:31 AM, Ron Marosko wrote:
> >Make sure you define "switchport trunk native vlan x" to define the vlan
> >upon which untagged packets should reside. By default, this will be vlan
> >1, and if you are using a different vlan id in your access vlan command,
> >then that would be why the mac address isn't showing up in the expected
> >vlan. The access point in default or unconfigured mode has no idea about
> >any vlan tags, and thus is always sending untagged packets. Only when you
> >configure the access point in HREAP mode will it start to even attempt to
> >use 802.1q tags, if appropriately configured.
> >
> >Regards,
> >  Ron
> >
> >--
> >Ron Marosko, Jr.
> >CCIE No. 4526 (R/S), CWNA, ACMA, NN5DX
> >Consulting Network Architect
> >Global Technology Resources, Inc.
> >1108 West Dickinson Blvd, Suite A
> >Fort Stockton, TX 79735 USA
> >o: +1 432 336 5600 x110
> >c: +1 720 233 3147
> >pgp pubkey: 0x58AB8B5C
> >"To know me is to fly with me."
> >
> >-----Original Message-----
> >From: ccie_wireless-bounces@onlinestudylist.com On Behalf Of Kristján Ólafur Eðvarðsson
> >Sent: Monday, June 25, 2012 8:16 AM
> >Subject: [OSL | CCIE_Wireless] 1242 capwap with poe module and switchport
> >in vlan trunk mode
> >
> >I have been troubleshooting a capwap ap connectivity.
> >The ap is 1242 with poe injector (if it is relevant) and works fine on an
> >access vlan.
> >Now putting the port to trunk mode (native vlan correct and the same as it
> >was on access) However when I change to trunk mode the AP Mac address
> >disappears from the interface mac table and I can't communicate get an DHCP
> >or whatever.
> >
> >Has anyone seen something like that ?
> >
> >I tried clear capwap private config,
> >reload the switch,
> >shut un shut ports.
> >
> >Still the MAC address just isn't learned and this is the core of the
> >problem. It's a 3560 switch.
> >As soon as I change to access mode the mac is learned instantly.
> >
> >I have never seen this issue before, wonder if someone knows anything.
> >
> >regards. Kristjan
> >
> >------------------------------
> >
> >Message: 2
> >Date: Mon, 25 Jun 2012 17:28:44 +0000
> >From: Kristján Ólafur Eðvarðsson
> >To: Jason Boyers, "Victor Platov (viplatov)"
> >Subject: Re: [OSL | CCIE_Wireless] 1242 capwap with poe module and
> >    switchport in vlan trunk mode
> >
> >Guys I have found the problem.
> >
> >no vlan dot1q tag native
> >it was configured on my switch before !
> >so the AP wants to send untagged packets on vlan113
> >but the switch tags native vlan packets so this way the communication
> >doesn't work.
> >
> >it was a tricky one :D
> >
> >regards. Kristjan
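An added example, not part of the original thread: a Python check that the attribute bytes of an Access-Accept carry all three IETF attributes named at the top of this thread ([064], [065], [081]) in a usable form, which is the first thing to verify when a client stays in the WLAN's default VLAN. The function names and the sample VLAN ID are assumptions made for illustration; the encoding follows RFC 2868 and the VLAN (13) and IEEE-802 (6) values follow RFC 3580.

```python
# Added example: tunnel attribute layout per RFC 2868, values per RFC 3580.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TT_VLAN, TMT_IEEE_802 = 13, 6

def encode_vlan_attrs(vlan, tag=0):
    """Encode the three attributes as they would appear in an Access-Accept."""
    def tagged_int(attr, value):
        # type, length (always 6), tag octet, 24-bit value
        return bytes([attr, 6, tag]) + value.to_bytes(3, "big")
    group = str(vlan).encode("ascii")
    if tag:  # the string attribute carries a tag octet only when one is used
        group = bytes([tag]) + group
    return (tagged_int(TUNNEL_TYPE, TT_VLAN)
            + tagged_int(TUNNEL_MEDIUM_TYPE, TMT_IEEE_802)
            + bytes([TUNNEL_PRIVATE_GROUP_ID, 2 + len(group)]) + group)

def parse_attrs(buf):
    """Split a RADIUS attribute list into (type, value) pairs."""
    pairs, i = [], 0
    while i < len(buf):
        if i + 2 > len(buf):
            raise ValueError("truncated attribute header")
        attr, length = buf[i], buf[i + 1]
        if length < 2 or i + length > len(buf):
            raise ValueError(f"bad length for attribute {attr}")
        pairs.append((attr, buf[i + 2:i + length]))
        i += length
    return pairs

def vlan_override(buf):
    """Return (vlan, problems); vlan is None unless all three attributes are usable."""
    seen = {}
    for attr, val in parse_attrs(buf):
        if attr in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE) and len(val) == 4:
            seen[attr] = int.from_bytes(val[1:], "big")  # skip the tag octet
        elif attr == TUNNEL_PRIVATE_GROUP_ID:
            if val and val[0] <= 0x1F:  # leading octet <= 0x1F is a tag, not text
                val = val[1:]
            seen[attr] = val.decode("ascii", "replace")
    problems = []
    if seen.get(TUNNEL_TYPE) != TT_VLAN:
        problems.append("[064] Tunnel-Type missing or not VLAN (13)")
    if seen.get(TUNNEL_MEDIUM_TYPE) != TMT_IEEE_802:
        problems.append("[065] Tunnel-Medium-Type missing or not IEEE-802 (6)")
    if not seen.get(TUNNEL_PRIVATE_GROUP_ID):
        problems.append("[081] Tunnel-Private-Group-ID missing or empty")
    return (None if problems else seen[TUNNEL_PRIVATE_GROUP_ID]), problems

# Constructed sample: attribute bytes for VLAN 113, then the same reply with [081] cut off.
SAMPLE_OK = encode_vlan_attrs(113)
SAMPLE_INCOMPLETE = SAMPLE_OK[:12]

if __name__ == "__main__":
    for label, attrs in (("complete", SAMPLE_OK), ("incomplete", SAMPLE_INCOMPLETE)):
        print(label, vlan_override(attrs))
```

A clean result here only confirms what the RADIUS server sent; as the reply at the top notes, the VLAN must also already exist as an interface on the WLC.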
