Jeff, thanks for the response! I made the changes below and VLAN override works for SSID "mypsk2" with a caveat. As long as I am not touching the native VLAN (bridge mgmt), VLAN override works.
Example: VLAN 224 is native, V596 is configured on SSID "mypsk2". V698 is the ACS override. ACS is set to push V596 for client-1, V698 for client-2, VLAN 224 for client-3. Client-3 does not work. ACS logs show client-3 is successfully connected and the VLAN224 authorization profile is used. On the bridge, show dot11 associations shows the client on v596(???) with Auth failure. Simple SSID (mypsk) with V224 does not even work. To troubleshoot the V224, I did swap VLAN# and always the native VLAN is not happy to be shared with Wi-Fi clients.

*****************
dot11 ssid mypsk
 vlan 224
 authentication open
 authentication key-management wpa
 mbssid guest-mode
 wpa-psk ascii 7 121A0C0411045D5679
!
dot11 ssid mypsk2
 vlan 596
 authentication open eap eap_methods
 authentication key-management wpa version 2
 mbssid guest-mode

interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 224 mode ciphers aes-ccm
 !
 encryption vlan 698 mode ciphers aes-ccm
 !
 encryption mode ciphers aes-ccm
 !
 encryption vlan 596 mode ciphers aes-ccm
 !
 ssid mypsk
 !
 ssid mypsk2
 !
 station-role root
 !

interface Dot11Radio0.224
 encapsulation dot1Q 224 native
 no ip route-cache
 bridge-group 1

interface Dot11Radio0.596
 encapsulation dot1Q 596
 no ip route-cache
 bridge-group 3

interface Dot11Radio0.698
 encapsulation dot1Q 698
 no ip route-cache
 bridge-group 2

ap02#sh dot11 associations 6c88.1424.6404
Address           : 6c88.1424.6404     Name             : dwrc-wgb-ap02
IP Address        : 0.0.0.0            Interface        : Dot11Radio 0
Device            : ccx-client         Software Version : NONE
CCX Version       : 4                  Client MFP       : Off
State             : AAA_Auth           Parent           : self
SSID              : mypsk2             VLAN             : 596
Hops to Infra     : 1                  Association Id   : 2
Clients Associated: 0                  Repeaters associated: 0
Tunnel Address    : 0.0.0.0
Key Mgmt type     : WPAv2              Encryption       : AES-CCMP
Current Rate      : 54.0               Capability       : WMM ShortHdr ShortSlot
Supported Rates   : 1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0
Voice Rates       : disabled           Bandwidth        : 20 MHz
Signal Strength   : -24 dBm            Connected for    : 0 seconds
Signal to Noise   : 68 dB              Activity Timeout : 20 seconds
Power-save        : Off                Last Activity    : 0 seconds ago
Apsd DE AC(s)     : NONE
Packets Input     : 27                 Packets Output   : 27
Bytes Input       : 3119               Bytes Output     : 3846
Duplicates Rcvd   : 0                  Data Retries     : 3
Decrypt Failed    : 0                  RTS Retries      : 0
MIC Failed        : 0                  MIC Missing      : 0
Packets Redirected: 0                  Redirect Filtered: 0
*************************

On Fri, Jul 5, 2013 at 10:02 AM, Jeff Rensink <[email protected]> wrote:

> What does the authorization profile look like on the ACS server for the
> VLAN override?
>
> Also, when the client has connected to mypsk2, what does the detailed
> "show dot11 associations [mac address]" look like?
>
>
> On Thu, Jul 4, 2013 at 4:02 PM, Prasanna Yabaluri <[email protected]> wrote:
>
>> Task: Assign different static VLAN IDs through ACS based on user. If
>> client-1 connects assign VLAN 224 and if client-2 connects assign VLAN 698.
>>
>> First, two SSIDs were configured for each VLAN: mypsk (WPA2/PSK) for
>> VLAN224 and mypsk2 (WPA2 Enterprise) for VLAN698. They work fine when
>> client-1 is connected to mypsk2.
>>
>> When ACS is modified with the static VLAN config there is an issue when
>> client-1 connects, as he does not get an IP address for VLAN224. ACS shows
>> succeeded, the relevant authorization profile is touched and the VLAN attribute
>> is shown.
>>
>> The debug radius command on ACS shows AAA unsupported Attr: ssid and AAA
>> unsupported Attr: interface.
>>
>> *************Bridge config**********
>> aaa new-model
>> !
>> !
>> aaa authentication login eap_methods group radius
>> radius-server host 172.24.223.105 auth-port 1812 acct-port 1812 key 7 070C285F4D 06485744
>>
>> aaa authorization network default group radius
>>
>> dot11 mbssid
>>
>> dot11 ssid mypsk
>>  vlan 224
>>  authentication open
>>  authentication key-management wpa
>>  mbssid guest-mode
>>  wpa-psk ascii 7 121A0C0411045D5679
>> !
>> dot11 ssid mypsk2
>>  vlan 698
>>  authentication open eap eap_methods
>>  authentication key-management wpa
>>  mbssid guest-mode
>>
>> interface Dot11Radio0
>>  !
>>  encryption mode ciphers aes-ccm
>>  !
>>  encryption vlan 224 mode ciphers aes-ccm
>>  !
>>  encryption vlan 698 mode ciphers aes-ccm
>>  !
>>  ssid mypsk
>>  !
>>  ssid mypsk2
>>  !
>>  station-role root
>> !
>> interface Dot11Radio0.224
>>  encapsulation dot1Q 224 native
>>  bridge-group 1
>> !
>> interface Dot11Radio0.698
>>  encapsulation dot1Q 698
>>  bridge-group 2
>> !
>> interface FastEthernet0
>> interface FastEthernet0.224
>>  encapsulation dot1Q 224 native
>>  bridge-group 1
>> !
>> interface FastEthernet0.698
>>  encapsulation dot1Q 698
>>  bridge-group 2
>>
>> *********************************END Bridge Config*********************
>> *****************************************bridge debug error***************
>> *Mar 1 05:56:30.977: RADIUS/ENCODE(00000500):Orig. component type = DOT11
>> *Mar 1 05:56:30.977: RADIUS: AAA Unsupported Attr: ssid [265] 6
>> *Mar 1 05:56:30.978: RADIUS: 6D 79 70 73 [myps]
>> *Mar 1 05:56:30.978: RADIUS: AAA Unsupported Attr: interface [157] 4
>> *Mar 1 05:56:30.978: RADIUS: 31 35 [15]
>> *Mar 1 05:56:30.978: RADIUS(00000500): Config NAS IP: 0.0.0.0
>> *Mar 1 05:56:30.978: RADIUS/ENCODE(00000500): acct_session_id: 1280
>> *Mar 1 05:56:30.978: RADIUS(00000500): sending
>> *Mar 1 05:56:30.979: RADIUS/ENCODE: Best Local IP-Address 172.24.223.99 for Radius-Server 172.24.223.105
>> *Mar 1 05:56:30.979: RADIUS(00000500): Send Access-Request to 172.24.223.105:1812 id 1645/77, len 131
>> *Mar 1 05:56:30.979: RADIUS: authenticator 34 73 0A E2 77 D8 67 A7 - 5C 63 0B D2 C5 C8 20 D6
>> *Mar 1 05:56:30.979: RADIUS: User-Name [1] 10 "client-1"
>> *Mar 1 05:56:30.979: RADIUS: Framed-MTU [12] 6 1400
>> *Mar 1 05:56:30.980: RADIUS: Called-Station-Id [30] 16 "001d.a2ca.09c1"
>> *Mar 1 05:56:30.980: RADIUS: Calling-Station-Id [31] 16 "6c88.1424.6404"
>> *Mar 1 05:56:30.980: RADIUS: Service-Type [6] 6 Login [1]
>> *Mar 1 05:56:30.980: RADIUS: Message-Authenticato[80] 18
>> *Mar 1 05:56:30.980: RADIUS: 5F 89 BB A6 02 72 B2 39 BC CB 43 11 C1 FC 15 A1 [_????r?9??C?????]
>> *Mar 1 05:56:30.980: RADIUS: EAP-Message [79] 15
>> *Mar 1 05:56:30.981: RADIUS: 02 01 00 0D 01 63 6C 69 65 6E 74 2D 31 [?????client-1]
>> *Mar 1 05:56:30.981: RADIUS: NAS-Port-Type [61] 6 802.11 wireless [19]
>> *Mar 1 05:56:30.981: RADIUS: NAS-Port [5] 6 1531
>> *Mar 1 05:56:30.981: RADIUS: NAS-Port-Id [87] 6 "1531"
>> *Mar 1 05:56:30.981: RADIUS: NAS-IP-Address [4] 6 172.24.223.99
>> *Mar 1 05:56:31.048: RADIUS: Received from id 1645/77 172.24.223.105:1812, Access-Challenge, len 85
>> *Mar 1 05:56:31.049: RADIUS: authenticator 3E F1 2E 58 88 E4 78 6A - F4 0C FC 6E C9 AB C0 25
>> *Mar 1 05:56:31.049: RADIUS: State [24] 39
>> *Mar 1 05:56:31.049: RADIUS: 33 34 53 65 73 73 69 6F 6E 49 44 3D 74 72 69 61 [34SessionID=tria]
>> *Mar 1 05:56:31.049: RADIUS: 6C 61 63 73 2D 31 2F 31 36 32 33 32 34 32 38 31 [lacs-1/162324281]
>> *Mar 1 05:56:31.049: RADIUS: 2F 38 34 31 3B [/841;]
>> *Mar 1 05:56:31.050: RADIUS: EAP-Message [79] 8
>> *Mar 1 05:56:31.050: RADIUS: 01 95 00 06 0D 20
>> pe = DOT11
>> *Mar 1 05:56:31.058: RADIUS: AAA Unsupported Attr: ssid [265] 6
>>
>> _______________________________________________
>> For more information regarding industry leading CCIE Lab training, please
>> visit www.ipexpert.com
>>
>> Are you a CCNP or CCIE and looking for a job? Check out
>> www.PlatinumPlacement.com
>
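A small troubleshooting aid for the kind of "debug radius" output pasted in this thread, added here as an example and not code from the thread, from ACS or from Cisco: it parses IOS RADIUS attribute lines, lists the attributes the AP flagged as "AAA Unsupported Attr", and checks an Access-Accept for the RFC 2868 attributes (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-Id) that an ACS VLAN override has to return. Both samples are constructed; the Access-Accept display format is an assumption, since the thread never shows the accept packet.

```python
import re

# Constructed sample in the format of the bridge "debug radius" output quoted in the thread (Access-Request side).
SAMPLE_REQUEST = """\
*Mar 1 05:56:30.977: RADIUS: AAA Unsupported Attr: ssid [265] 6
*Mar 1 05:56:30.978: RADIUS: AAA Unsupported Attr: interface [157] 4
*Mar 1 05:56:30.979: RADIUS: authenticator 34 73 0A E2 77 D8 67 A7 - 5C 63 0B D2 C5 C8 20 D6
*Mar 1 05:56:30.979: RADIUS: User-Name [1] 10 "client-1"
*Mar 1 05:56:30.980: RADIUS: Calling-Station-Id [31] 16 "6c88.1424.6404"
*Mar 1 05:56:30.980: RADIUS: Service-Type [6] 6 Login [1]
"""
# Constructed Access-Accept with the RFC 2868 tunnel attributes a VLAN override needs
# (assumed display format; the thread itself does not show the accept packet).
SAMPLE_ACCEPT = """\
*Mar 1 05:56:31.300: RADIUS: Tunnel-Type [64] 6 01:VLAN [13]
*Mar 1 05:56:31.300: RADIUS: Tunnel-Medium-Type [65] 6 01:ALL_802 [6]
*Mar 1 05:56:31.300: RADIUS: Tunnel-Private-Group[81] 5 "596"
"""

# One attribute line: optional "AAA Unsupported Attr:" prefix, name, [number], length, value.
ATTR_RE = re.compile(r"RADIUS:\s+(?P<unsup>AAA Unsupported Attr:\s+)?(?P<name>[A-Za-z][\w-]*)"
                     r"\s*\[(?P<num>\d+)\]\s+(?P<len>\d+)\s*(?P<value>.*)$")

def parse_radius_debug(text):
    """Return one dict per attribute line; hex dumps and other debug lines are skipped."""
    records = []
    for line in text.splitlines():
        m = ATTR_RE.search(line)
        if not m:
            continue
        value = m.group("value").strip().strip('"')
        enum = re.search(r"\[(\d+)\]\s*$", value)  # trailing [N] is an enumerated value
        records.append({"name": m.group("name"), "num": int(m.group("num")),
                        "len": int(m.group("len")), "value": value,
                        "enum": int(enum.group(1)) if enum else None,
                        "unsupported": m.group("unsup") is not None})
    return records

def unsupported_attrs(records):
    """Attribute names the AP refused to encode (the ssid/interface warnings in the thread)."""
    return [r["name"] for r in records if r["unsupported"]]

def vlan_override_problems(records, expected_vlan):
    """What is missing for a VLAN override to expected_vlan; an empty list means the accept is complete."""
    by_num = {r["num"]: r for r in records}
    checks = [(64, "enum", 13, "Tunnel-Type is not VLAN (13)"),
              (65, "enum", 6, "Tunnel-Medium-Type is not 802 (6)"),
              (81, "value", str(expected_vlan), f"Tunnel-Private-Group-Id is not {expected_vlan}")]
    return [msg for num, field, want, msg in checks
            if num not in by_num or by_num[num][field] != want]
```

The "unsupported" warnings come from the Access-Request side and are informational; the VLAN the client actually lands on is decided by the three tunnel attributes in the Access-Accept, which is what the last function verifies.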
