I don't believe the user-based VLAN assignment from FreeRadius will work
with an access point in FlexConnect mode. I know it will work in local
mode, but that's not the functionality that you want. We were investigating
this some time ago in WLC 7.2 code, but scrapped it when we moved L3
routing to the building, so we're drinking the converged access kool-aid
in most places. That is, a flat network per building, wired and wireless,
regardless of student or faculty/staff affiliation.
The configuration may be a bit different now with 7.6; I honestly haven't
touched it in a long time. I was pulling my hair out though trying to get
it to work by creating the vlan interfaces on the controller, and trunking
vlans to the AP to make it all work. The AP has to have the VLAN trunked to
it, and the controller has to have an interface for it to process the
authentication and understand the RADIUS response.
Just adding my 2¢, but it's probably worth less ;)
--Britton
Britton Anderson blanders...@alaska.edu | Senior Network Communications
Specialist | University of Alaska http://www.alaska.edu/oit | 907.450.8250
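As an added example (not code from anyone in this thread, and not a FreeRADIUS module), the following stand-alone Python models the RADIUS-side decision John Watters describes further down: pick a VLAN from the user's affiliation and from the building code parsed off the front of the AP name, and flag whether that VLAN is one the building can switch locally or one of the "special case" VLANs that only exist at the core and must be centrally switched. The Called-Station-Id layout ("<AP-name>:<SSID>"), the building table, the affiliation names and every VLAN number are constructed for the example; the three Tunnel-* reply attributes are the standard RFC 3580 VLAN assignment that FreeRADIUS would return.

```python
"""
Added example: RADIUS VLAN selection keyed on user affiliation and the
building prefix of the AP name.  All tables and identifiers below are
constructed assumptions, not a real campus configuration.
"""
import re

# RFC 2868 / RFC 3580 values used for dynamic VLAN assignment.
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE802 = 6

# Constructed table: building code -> {affiliation: VLAN id that is
# trunked to the APs in that building and can be locally switched}.
BUILDINGS = {
    "ENG": {"faculty": 110, "student": 120},
    "LIB": {"faculty": 210, "student": 220},
}

# Constructed "special case" VLANs that exist only behind the controller,
# so a FlexConnect AP cannot switch them locally.
CENTRAL_VLANS = {"netadmin": 900, "pci": 910}

# Assumed Called-Station-Id format "<AP-name>:<SSID>", where the AP name
# starts with the building code, e.g. "ENG-3F-AP07:Campus".
CALLED_STATION_RE = re.compile(r"^(?P<ap>[^:]+):(?P<ssid>.*)$")


def building_from_called_station_id(called_station_id):
    """Return the upper-cased building code, or None if the value does not
    match the assumed format."""
    m = CALLED_STATION_RE.match(called_station_id)
    if not m:
        return None
    ap_name = m.group("ap")
    return ap_name.split("-", 1)[0].upper()


def tunnel_attributes(vlan_id):
    """The three reply attributes a NAS needs to place a client in a VLAN."""
    return {
        "Tunnel-Type": TUNNEL_TYPE_VLAN,
        "Tunnel-Medium-Type": TUNNEL_MEDIUM_IEEE802,
        "Tunnel-Private-Group-Id": str(vlan_id),
    }


def authorize(affiliation, called_station_id):
    """Return (reply_attrs, switching) where switching is "local" or
    "central", or (None, None) when the request should be rejected.

    Unknown APs are rejected rather than dropped into a guessed VLAN, so a
    mis-named AP cannot silently land users on the wrong subnet."""
    building = building_from_called_station_id(called_station_id)
    if building is None or building not in BUILDINGS:
        return None, None
    if affiliation in CENTRAL_VLANS:
        return tunnel_attributes(CENTRAL_VLANS[affiliation]), "central"
    local_vlan = BUILDINGS[building].get(affiliation)
    if local_vlan is None:
        return None, None
    return tunnel_attributes(local_vlan), "local"


if __name__ == "__main__":
    # Constructed requests: (affiliation, Called-Station-Id)
    for who, csid in [("student", "ENG-3F-AP07:Campus"),
                      ("faculty", "lib-1f-ap02:Campus"),
                      ("netadmin", "ENG-3F-AP07:Campus"),
                      ("student", "GYM-AP01:Campus")]:
        print(who, csid, "->", authorize(who, csid))
```

The "switching" flag is what the controller side has to honour: a VLAN returned for a building must actually be trunked to that building's APs and have an interface on the controller, otherwise the reply attributes are accepted but the client ends up somewhere unintended.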
On Wed, Oct 22, 2014 at 1:49 PM, Bruce Curtis bruce.cur...@ndsu.edu wrote:
We have used Flexconnect in the Residence Halls here at NDSU for many
years (even when Flexconnect was called HREAP).
But the APs in our non Residence Hall buildings use the central model
and send traffic back to the controller.
We also use WPA2 and FreeRadius. I have experimented with putting a
machine in a different Vlan based on RADIUS, but only on APs that were
configured to send all traffic back to the central controller.
For the non Residence Hall buildings we use Interface Groups to shrink
the size of the wireless subnets.
Originally in order to use the same SSID name we had separate
controllers for Residence Halls and the main campus buildings. Now we have
two “WLAN ID”s that have the same SSID. We set the APs to only one of the
“WLAN ID”s with the duplicate SSID names. The controller is a bit touchy
about it but it has worked so far.
This doesn’t answer your question but I can say that the method outlined
above works (and for IPv6 since 2008 also).
On Oct 22, 2014, at 4:25 PM, Watters, John john.watt...@ua.edu wrote:
We are a Cisco shop using WiSM2 controllers (7.6.130.0) and a variety of
AP models from 1131s up to 2702s. We are very interested in using
FlexConnect to drop our users into an appropriate VLAN in the building that
they are in. This solves several problems for us including huge IP subnets
for wireless users and allowing wireless users easy access to assets on their
local building subnet (e.g., AppleTV, ChromeCast, printers) - basically
making a building look like home to them.
All of our users use a WPA2 Enterprise SSID. And, we can easily make
Radius (FreeRadius right now) return an appropriate VLAN upon
authentication based on their status (faculty/staff, student, or special
case) and their location (the AP name contains a building abbreviation as
its first part that is easily parsed). We are not worried about roaming.
Our students are used to re-associating and re-authenticating when they
roam around town or through various apartment complexes. We have had
roaming disabled for about 6 months now without a single complaint. We do
not have any WiFi phones now nor does our campus design really consider
this right now (a shortcoming for our next big project, I'm sure). We would
like for normal faculty/staff and student traffic to be dropped in the
appropriate VLAN (i.e., locally switched) while special cases which return
a VLAN from radius that is not local to their building need to be centrally
switched. Initial testing has had mixed results. Switching a machine from
one UserID to another (and thus getting differing VLANs) seems to confuse
the controllers. They seem to think the MAC, and thus the user, has already
been authenticated and the controller wants to keep the same IP address/net
mask/gateway/VLAN as was originally assigned. This makes things easier and
quicker for the controller but leaves the user in a state where his device
is inoperable. This doesn’t bother me too much. But, the same thing happens
when a user moves to an adjacent building (if the APs are on the same
controller) where the originally assigned address info is not appropriate
any longer and the controller really needs to re-authenticate the user to
get new address info.
We have looked extensively for documentation on FlexConnect in a campus
environment rather than the intended remote office environment but without
any luck so far. Our local Cisco tech has been very helpful, but we still
haven't gotten past all the hurdles.
Current environment size is slightly over 200 buildings with just under
5,000 APs and just over 33,000 concurrent users at peak times.
Is anyone out there using FlexConnect in a similar manner? Do you have
any decent documentation that you