Task: Assign different static VLAN IDs through ACS based on user. If
client-1 connects, assign VLAN 224, and if client-2 connects, assign VLAN 698.

First, two SSIDs were configured, one per VLAN: mypsk (WPA2/PSK) for VLAN 224
and mypsk2 (WPA2 Enterprise) for VLAN 698. They work fine when client-1 is
connected to mypsk2.

When ACS is modified with the static VLAN config, there is an issue when
client-1 connects, as he does not get an IP address for VLAN 224. ACS shows
succeeded, the relevant Authorization profile is touched, and the VLAN attribute
is shown.

The debug radius command on ACS shows "AAA Unsupported Attr: ssid" and "AAA
Unsupported Attr: interface".

*************Bridge config**********
aaa new-model
!
!
aaa authentication login eap_methods group radius
radius-server host 172.24.223.105 auth-port 1812 acct-port 1812 key 7 070C285F4D 06485744
aaa authorization network default group radius
dot11 mbssid
dot11 ssid mypsk
 vlan 224
 authentication open
 authentication key-management wpa
 mbssid guest-mode
 wpa-psk ascii 7 121A0C0411045D5679
!
dot11 ssid mypsk2
 vlan 698
 authentication open eap eap_methods
 authentication key-management wpa
 mbssid guest-mode
interface Dot11Radio0
 !
 encryption mode ciphers aes-ccm
 !
 encryption vlan 224 mode ciphers aes-ccm
 !
 encryption vlan 698 mode ciphers aes-ccm
 !
 ssid mypsk
 !
 ssid mypsk2
 !
 station-role root
!
interface Dot11Radio0.224
 encapsulation dot1Q 224 native
 bridge-group 1
!
interface Dot11Radio0.698
 encapsulation dot1Q 698
 bridge-group 2
!
interface FastEthernet0
interface FastEthernet0.224
 encapsulation dot1Q 224 native
 bridge-group 1
!
interface FastEthernet0.698
 encapsulation dot1Q 698
 bridge-group 2
*********************************END Bridge Config*********************
*****************************************bridge debug error***************
*Mar 1 05:56:30.977: RADIUS/ENCODE(00000500):Orig. component type = DOT11
*Mar 1 05:56:30.977: RADIUS: AAA Unsupported Attr: ssid [265] 6
*Mar 1 05:56:30.978: RADIUS: 6D 79 70 73 [myps]
*Mar 1 05:56:30.978: RADIUS: AAA Unsupported Attr: interface [157] 4
*Mar 1 05:56:30.978: RADIUS: 31 35 [15]
*Mar 1 05:56:30.978: RADIUS(00000500): Config NAS IP: 0.0.0.0
*Mar 1 05:56:30.978: RADIUS/ENCODE(00000500): acct_session_id: 1280
*Mar 1 05:56:30.978: RADIUS(00000500): sending
*Mar 1 05:56:30.979: RADIUS/ENCODE: Best Local IP-Address 172.24.223.99 for Radius-Server 172.24.223.105
*Mar 1 05:56:30.979: RADIUS(00000500): Send Access-Request to 172.24.223.105:1812 id 1645/77, len 131
*Mar 1 05:56:30.979: RADIUS: authenticator 34 73 0A E2 77 D8 67 A7 - 5C 63 0B D2 C5 C8 20 D6
*Mar 1 05:56:30.979: RADIUS: User-Name [1] 10 "client-1"
*Mar 1 05:56:30.979: RADIUS: Framed-MTU [12] 6 1400
*Mar 1 05:56:30.980: RADIUS: Called-Station-Id [30] 16 "001d.a2ca.09c1"
*Mar 1 05:56:30.980: RADIUS: Calling-Station-Id [31] 16 "6c88.1424.6404"
*Mar 1 05:56:30.980: RADIUS: Service-Type [6] 6 Login [1]
*Mar 1 05:56:30.980: RADIUS: Message-Authenticato[80] 18
*Mar 1 05:56:30.980: RADIUS: 5F 89 BB A6 02 72 B2 39 BC CB 43 11 C1 FC 15 A1 [_????r?9??C?????]
*Mar 1 05:56:30.980: RADIUS: EAP-Message [79] 15
*Mar 1 05:56:30.981: RADIUS: 02 01 00 0D 01 63 6C 69 65 6E 74 2D 31 [?????client-1]
*Mar 1 05:56:30.981: RADIUS: NAS-Port-Type [61] 6 802.11 wireless [19]
*Mar 1 05:56:30.981: RADIUS: NAS-Port [5] 6 1531
*Mar 1 05:56:30.981: RADIUS: NAS-Port-Id [87] 6 "1531"
*Mar 1 05:56:30.981: RADIUS: NAS-IP-Address [4] 6 172.24.223.99
*Mar 1 05:56:31.048: RADIUS: Received from id 1645/77 172.24.223.105:1812, Access-Challenge, len 85
*Mar 1 05:56:31.049: RADIUS: authenticator 3E F1 2E 58 88 E4 78 6A - F4 0C FC 6E C9 AB C0 25
*Mar 1 05:56:31.049: RADIUS: State [24] 39
*Mar 1 05:56:31.049: RADIUS: 33 34 53 65 73 73 69 6F 6E 49 44 3D 74 72 69 61 [34SessionID=tria]
*Mar 1 05:56:31.049: RADIUS: 6C 61 63 73 2D 31 2F 31 36 32 33 32 34 32 38 31 [lacs-1/162324281]
*Mar 1 05:56:31.049: RADIUS: 2F 38 34 31 3B [/841;]
*Mar 1 05:56:31.050: RADIUS: EAP-Message [79] 8
*Mar 1 05:56:31.050: RADIUS: 01 95 00 06 0D 20
pe = DOT11
*Mar 1 05:56:31.058: RADIUS: AAA Unsupported Attr: ssid [265] 6
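
The post reports that ACS shows the VLAN attribute in the authorization profile; to confirm what actually reaches the AP, the Access-Accept can be parsed for the three RFC 3580 VLAN attributes (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID). This is an added example, not part of the original post: it assumes the raw RADIUS packet bytes are available (for instance from a capture), and the `build` helper and both sample packets are constructed for illustration.

```python
import struct

# RFC 2868 / RFC 3580 attributes a RADIUS server returns to assign a VLAN
TUNNEL_TYPE, TUNNEL_MEDIUM, TUNNEL_PGID = 64, 65, 81
ACCESS_ACCEPT = 2

def parse_attributes(packet: bytes):
    """Split a RADIUS packet (RFC 2865) into a list of (type, value) pairs."""
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    attrs, pos = [], 20  # 4-byte header + 16-byte authenticator
    while pos < length:
        alen = packet[pos + 1] if pos + 2 <= length else 0
        if alen < 2 or pos + alen > length:
            raise ValueError(f"malformed attribute at offset {pos}")
        attrs.append((packet[pos], packet[pos + 2:pos + alen]))
        pos += alen
    return attrs

def vlan_assignment(packet: bytes) -> dict:
    """Report the VLAN a reply assigns and what is missing for it to apply."""
    found = {}
    for atype, value in parse_attributes(packet):
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM) and len(value) == 4:
            found[atype] = int.from_bytes(value[1:], "big")  # skip tag octet
        elif atype == TUNNEL_PGID and value:
            # A first octet <= 0x1F is a tag, not part of the VLAN string
            raw = value[1:] if value[0] <= 0x1F else value
            found[atype] = raw.decode("ascii", "replace")
    problems = []
    if packet[0] != ACCESS_ACCEPT:
        problems.append("not an Access-Accept")
    if found.get(TUNNEL_TYPE) != 13:
        problems.append("Tunnel-Type is not VLAN (13)")
    if found.get(TUNNEL_MEDIUM) != 6:
        problems.append("Tunnel-Medium-Type is not IEEE-802 (6)")
    if TUNNEL_PGID not in found:
        problems.append("Tunnel-Private-Group-ID missing")
    return {"vlan": found.get(TUNNEL_PGID), "problems": problems}

def build(code: int, attrs) -> bytes:
    """Construct a sample packet (zeroed authenticator, id 77)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, 77, 20 + len(body)) + bytes(16) + body

# Constructed samples, not captured traffic
GOOD = build(2, [(64, b"\x01\x00\x00\x0d"), (65, b"\x01\x00\x00\x06"), (81, b"\x01224")])
PGID_ONLY = build(2, [(81, b"224")])
```

A reply that carries only the VLAN number, like `PGID_ONLY`, is reported with the two missing tunnel attributes listed under `problems`.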