Prasanna,

You're trying to assign VLANs from RADIUS with aIOS, with MBSSID turned on? This is not supported (and won't work.) Need to disable MBSSID.

Aaron

----

On 7/7/2013 9:00 AM, [email protected] ([email protected]) wrote:

Message: 1
Date: Sat, 6 Jul 2013 14:56:07 -0400
From: Prasanna Yabaluri <[email protected]>
To: Jeff Rensink <[email protected]>
Cc: "[email protected]"
        <[email protected]>
Subject: Re: [OSL | CCIE_Wireless] Issue with Static VLAN assignment
        on Autonomous AP using ACS

Jeff, thanks for the response!

I made the changes below and VLAN override works for SSID "mypsk2" with a
caveat: as long as I am not touching the native VLAN (bridge mgmt), VLAN
override works.

Example...
VLAN 224 is native, V596 is configured on SSID "mypsk2". V698 is the ACS
override.
ACS is set to push V596 for client-1, V698 for client-2, VLAN 224 for
client-3.

Client-3 does not work. ACS logs show client-3 is successfully connected
and the VLAN224 authorization profile is used. On the bridge, show dot11
associations shows the client on V596 (???) with auth failure.

Simple SSID (mypsk) with V224 does not even work. To troubleshoot the V224,
I swapped VLAN numbers, and the native VLAN is never happy to be shared with
Wi-Fi clients.

*****************
dot11 ssid mypsk
    vlan 224
    authentication open
    authentication key-management wpa
    mbssid guest-mode
    wpa-psk ascii 7 121A0C0411045D5679
!
dot11 ssid mypsk2
    vlan 596
    authentication open eap eap_methods
    authentication key-management wpa version 2
    mbssid guest-mode
!
interface Dot11Radio0
  no ip address
  no ip route-cache
  !
  encryption vlan 224 mode ciphers aes-ccm
  !
  encryption vlan 698 mode ciphers aes-ccm
  !
  encryption mode ciphers aes-ccm
  !
  encryption vlan 596 mode ciphers aes-ccm
  !
  ssid mypsk
  !
  ssid mypsk2
  !
  station-role root
!
interface Dot11Radio0.224
  encapsulation dot1Q 224 native
  no ip route-cache
  bridge-group 1
!
interface Dot11Radio0.596
  encapsulation dot1Q 596
  no ip route-cache
  bridge-group 3
!
interface Dot11Radio0.698
  encapsulation dot1Q 698
  no ip route-cache
  bridge-group 2

ap02#sh dot11 associations 6c88.1424.6404
Address           : 6c88.1424.6404     Name             : dwrc-wgb-ap02
IP Address        : 0.0.0.0            Interface        : Dot11Radio 0
Device            : ccx-client         Software Version : NONE
CCX Version       : 4                  Client MFP       : Off

State             : AAA_Auth            Parent           : self
SSID              : mypsk2
VLAN              : 596
Hops to Infra     : 1                  Association Id   : 2
Clients Associated: 0                  Repeaters associated: 0
Tunnel Address    : 0.0.0.0
Key Mgmt type     : WPAv2              Encryption       : AES-CCMP
Current Rate      : 54.0               Capability       : WMM ShortHdr ShortSlot
Supported Rates   : 1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0
Voice Rates       : disabled           Bandwidth        : 20 MHz
Signal Strength   : -24  dBm           Connected for    : 0 seconds
Signal to Noise   : 68  dB            Activity Timeout : 20 seconds
Power-save        : Off                Last Activity    : 0 seconds ago
Apsd DE AC(s)     : NONE

Packets Input     : 27                 Packets Output   : 27
Bytes Input       : 3119               Bytes Output     : 3846
Duplicates Rcvd   : 0                  Data Retries     : 3
Decrypt Failed    : 0                  RTS Retries      : 0
MIC Failed        : 0                  MIC Missing      : 0
Packets Redirected: 0                  Redirect Filtered: 0

*************************


On Fri, Jul 5, 2013 at 10:02 AM, Jeff Rensink <[email protected]> wrote:

What does the authorization profile look like on the ACS server for the
VLAN override?

Also, when the client has connected to mypsk2, what does the detailed
"show dot11 associations [mac address]" look like?


On Thu, Jul 4, 2013 at 4:02 PM, Prasanna Yabaluri <[email protected]> wrote:


Task: Assign different static VLAN IDs through ACS based on user. If
client-1 connects, assign VLAN 224, and if client-2 connects, assign VLAN 698.

First, two SSIDs were configured, one for each VLAN: mypsk (WPA2/PSK) for
VLAN 224 and mypsk2 (WPA2 Enterprise) for VLAN 698. They work fine when
client-1 is connected to mypsk2.

When ACS is modified with the static VLAN config, there is an issue when
client-1 connects, as he does not get an IP address for VLAN 224. ACS shows
succeeded, the relevant authorization profile is touched and the VLAN attribute
is shown.

The debug radius command on ACS shows "AAA Unsupported Attr: ssid" and "AAA
Unsupported Attr: interface".

*************Bridge config**********
aaa new-model
!
aaa authentication login eap_methods group radius
radius-server host 172.24.223.105 auth-port 1812 acct-port 1812 key 7 070C285F4D06485744
!
aaa authorization network default group radius
!
dot11 mbssid
!
dot11 ssid mypsk
    vlan 224
    authentication open
    authentication key-management wpa
    mbssid guest-mode
    wpa-psk ascii 7 121A0C0411045D5679
!
dot11 ssid mypsk2
    vlan 698
    authentication open eap eap_methods
    authentication key-management wpa
    mbssid guest-mode
!
interface Dot11Radio0
  !
  encryption mode ciphers aes-ccm
  !
  encryption vlan 224 mode ciphers aes-ccm
  !
  encryption vlan 698 mode ciphers aes-ccm
  !
  ssid mypsk
  !
  ssid mypsk2
  !
  station-role root
!
interface Dot11Radio0.224
  encapsulation dot1Q 224 native
  bridge-group 1
!
interface Dot11Radio0.698
  encapsulation dot1Q 698
  bridge-group 2
!
interface FastEthernet0
!
interface FastEthernet0.224
  encapsulation dot1Q 224 native
  bridge-group 1
!
interface FastEthernet0.698
  encapsulation dot1Q 698
  bridge-group 2

*********************************END Bridge Config*********************
*****************************************bridge debug error***************
*Mar  1 05:56:30.977: RADIUS/ENCODE(00000500):Orig. component type = DOT11
*Mar  1 05:56:30.977: RADIUS:  AAA Unsupported Attr: ssid              [265] 6
*Mar  1 05:56:30.978: RADIUS:   6D 79 70 73                                    [myps]
*Mar  1 05:56:30.978: RADIUS:  AAA Unsupported Attr: interface         [157] 4
*Mar  1 05:56:30.978: RADIUS:   31 35                                          [15]
*Mar  1 05:56:30.978: RADIUS(00000500): Config NAS IP: 0.0.0.0
*Mar  1 05:56:30.978: RADIUS/ENCODE(00000500): acct_session_id: 1280
*Mar  1 05:56:30.978: RADIUS(00000500): sending
*Mar  1 05:56:30.979: RADIUS/ENCODE: Best Local IP-Address 172.24.223.99 for Radius-Server 172.24.223.105
*Mar  1 05:56:30.979: RADIUS(00000500): Send Access-Request to 172.24.223.105:1812 id 1645/77, len 131
*Mar  1 05:56:30.979: RADIUS:  authenticator 34 73 0A E2 77 D8 67 A7 - 5C 63 0B D2 C5 C8 20 D6
*Mar  1 05:56:30.979: RADIUS:  User-Name           [1]   10  "client-1"
*Mar  1 05:56:30.979: RADIUS:  Framed-MTU          [12]  6   1400
*Mar  1 05:56:30.980: RADIUS:  Called-Station-Id   [30]  16  "001d.a2ca.09c1"
*Mar  1 05:56:30.980: RADIUS:  Calling-Station-Id  [31]  16  "6c88.1424.6404"
*Mar  1 05:56:30.980: RADIUS:  Service-Type        [6]   6   Login                     [1]
*Mar  1 05:56:30.980: RADIUS:  Message-Authenticato[80]  18
*Mar  1 05:56:30.980: RADIUS:   5F 89 BB A6 02 72 B2 39 BC CB 43 11 C1 FC 15 A1  [_????r?9??C?????]
*Mar  1 05:56:30.980: RADIUS:  EAP-Message         [79]  15
*Mar  1 05:56:30.981: RADIUS:   02 01 00 0D 01 63 6C 69 65 6E 74 2D 31           [?????client-1]
*Mar  1 05:56:30.981: RADIUS:  NAS-Port-Type       [61]  6   802.11 wireless           [19]
*Mar  1 05:56:30.981: RADIUS:  NAS-Port            [5]   6   1531
*Mar  1 05:56:30.981: RADIUS:  NAS-Port-Id         [87]  6   "1531"
*Mar  1 05:56:30.981: RADIUS:  NAS-IP-Address      [4]   6   172.24.223.99
*Mar  1 05:56:31.048: RADIUS: Received from id 1645/77 172.24.223.105:1812, Access-Challenge, len 85
*Mar  1 05:56:31.049: RADIUS:  authenticator 3E F1 2E 58 88 E4 78 6A - F4 0C FC 6E C9 AB C0 25
*Mar  1 05:56:31.049: RADIUS:  State               [24]  39
*Mar  1 05:56:31.049: RADIUS:   33 34 53 65 73 73 69 6F 6E 49 44 3D 74 72 69 61  [34SessionID=tria]
*Mar  1 05:56:31.049: RADIUS:   6C 61 63 73 2D 31 2F 31 36 32 33 32 34 32 38 31  [lacs-1/162324281]
*Mar  1 05:56:31.049: RADIUS:   2F 38 34 31 3B                                   [/841;]
*Mar  1 05:56:31.050: RADIUS:  EAP-Message         [79]  8
*Mar  1 05:56:31.050: RADIUS:   01 95 00 06 0D 20
pe = DOT11
*Mar  1 05:56:31.058: RADIUS:  AAA Unsupported Attr: ssid              [265] 6





_______________________________________________
For more information regarding industry leading CCIE Lab training, please
visit www.ipexpert.com

Are you a CCNP or CCIE and looking for a job? Check out
www.PlatinumPlacement.com
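As an added example (not code from the thread, from Cisco, or from the list), a small Python lint that checks an autonomous-AP config for the two conditions the thread turns on: MBSSID combined with RADIUS network authorization, and a client VLAN that lacks either a per-VLAN cipher line or a bridged dot1Q subinterface on the radio. SAMPLE_CONFIG is a constructed cut-down of the posted bridge config, and the 596 override passed to check() is assumed.

```python
# Added example, not from the thread: lint an aIOS AP config for the RADIUS
# VLAN-override pitfalls discussed above. SAMPLE_CONFIG is constructed.
SAMPLE_CONFIG = """\
aaa authorization network default group radius
dot11 mbssid
dot11 ssid mypsk
   vlan 224
dot11 ssid mypsk2
   vlan 698
interface Dot11Radio0
 encryption vlan 224 mode ciphers aes-ccm
 encryption vlan 698 mode ciphers aes-ccm
interface Dot11Radio0.224
 encapsulation dot1Q 224 native
 bridge-group 1
interface Dot11Radio0.698
 encapsulation dot1Q 698
 bridge-group 2
"""

def parse(config):
    f = {"mbssid": False, "radius_authz": False, "ssid_vlans": {},
         "enc_vlans": set(), "bridged_vlans": set()}
    ssid, radio, subif = None, False, None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):  # top-level command starts a new section
            ssid, subif, radio = None, None, line.startswith("interface Dot11Radio")
            f["mbssid"] |= line == "dot11 mbssid"
            f["radius_authz"] |= line.startswith("aaa authorization network") and "radius" in line
            if line.startswith("dot11 ssid "):
                ssid = line.split()[2]
        elif ssid and line.startswith("vlan "):          # SSID's static VLAN
            f["ssid_vlans"][ssid] = int(line.split()[1])
        elif line.startswith("encryption vlan "):        # per-VLAN cipher suite
            f["enc_vlans"].add(int(line.split()[2]))
        elif radio and line.startswith("encapsulation dot1Q "):
            subif = int(line.split()[2])
        elif radio and subif and line.startswith("bridge-group "):
            f["bridged_vlans"].add(subif)
    return f

def check(config, override_vlans=()):
    # override_vlans: VLANs RADIUS may push for a user (assumed 596 in the test)
    f, findings = parse(config), []
    if f["mbssid"] and f["radius_authz"]:
        findings.append("dot11 mbssid with RADIUS authorization: per-user VLAN from RADIUS unsupported")
    for vlan in sorted(set(f["ssid_vlans"].values()) | set(override_vlans)):
        if vlan not in f["enc_vlans"]:
            findings.append(f"VLAN {vlan}: no 'encryption vlan {vlan} mode ciphers' on the radio")
        if vlan not in f["bridged_vlans"]:
            findings.append(f"VLAN {vlan}: no Dot11Radio dot1Q subinterface in a bridge-group")
    return findings
```

Run check(SAMPLE_CONFIG, override_vlans=(596,)) to see the MBSSID finding plus the two missing pieces for VLAN 596; dropping the dot11 mbssid line and the override leaves no findings.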




_______________________________________________
CCIE_Wireless mailing list
[email protected]
http://onlinestudylist.com/cgi-bin/mailman/listinfo/ccie_wireless


End of CCIE_Wireless Digest, Vol 51, Issue 2
********************************************
