I don't believe the user-based VLAN assignment from FreeRadius will work
with an access point in FlexConnect mode. I know it will work in local
mode, but that's not the functionality that you want. We were investigating
this some time ago in WLC 7.2 code, but scrapped it when we moved L3
routing to the building, so we're drinking the "converged access" kool-aid
in most places. That is, flat network per building wired & wireless
regardless of student or faculty/staff affiliation.

The configuration may be a bit different now with 7.6; I honestly haven't
touched it in a long time. I was pulling my hair out, though, trying to get
it to work by creating the vlan interfaces on the controller, and trunking
vlans to the AP to make it all work. The AP has to have the VLAN trunked to
it, and the controller has to have an interface for it to process the
authentication and understand the RADIUS response.

Just adding my 2¢, but it is probably worth less ;)

--Britton



Britton Anderson <blanders...@alaska.edu> | Senior Network Communications
Specialist | University of Alaska <http://www.alaska.edu/oit> | 907.450.8250

On Wed, Oct 22, 2014 at 1:49 PM, Bruce Curtis <bruce.cur...@ndsu.edu> wrote:

>   We have used Flexconnect in the Residence Halls here at NDSU for many
> years (even when Flexconnect was called HREAP).
>
>   But the APs in our non Residence Hall buildings use the central model
> and send traffic back to the controller.
>
>   We also use WPA2 and FreeRadius.  I have experimented with putting a
> machine in a different Vlan based on RADIUS, but only on APs that were
> configured to send all traffic back to the central controller.
>
>   For the non Residence Hall buildings we use Interface Groups to shrink
> the size of the wireless subnets.
>
>   Originally in order to use the same SSID name we had separate
> controllers for Residence Halls and the main campus buildings.  Now we have
> two “WLAN ID”s that have the same SSID.  We set the APs to only one of the
> “WLAN ID”s with the duplicate SSID names.  The controller is a bit touchy
> about it but it has worked so far.
>
>   This doesn’t answer your question but I can say that the method outlined
> above works (and for IPv6 since 2008 also).
>
> On Oct 22, 2014, at 4:25 PM, Watters, John <john.watt...@ua.edu> wrote:
>
> >
> > We are a Cisco shop using WiSM2 controllers (7.6.130.0) and a variety of
> > AP models from 1131s up to 2702s. We are very interested in using
> > FlexConnect to drop our users into an appropriate VLAN in the building that
> > they are in. This solves several problems for us including huge IP subnets
> > for wireless users and allowing wireless users easy access to assets on
> > their local building subnet (e.g., AppleTV, ChromeCast, printers) -
> > basically making a building look like home to them.
> >
> > All of our users use a WPA2 Enterprise SSID. And, we can easily make
> > Radius (FreeRadius right now) return an appropriate VLAN upon
> > authentication based on their status (faculty/staff, student, or special
> > case) and their location (the AP name contains a building abbreviation as
> > its first part that is easily parsed). We are not worried about roaming.
> > Our students are used to re-associating and re-authenticating when they
> > roam around town or through various apartment complexes. We have had
> > roaming disabled for about 6 months now without a single complaint. We do
> > not have any WiFi phones now nor does our campus design really consider
> > this right now (a shortcoming for our next big project, I'm sure). We would
> > like for normal faculty/staff and student traffic to be dropped in the
> > appropriate VLAN (i.e., locally switched) while special cases which return
> > a VLAN from radius that is not local to their building need to be centrally
> > switched. Initial testing has had mixed results. Switching a machine from
> > one UserID to another (and thus getting differing VLANs) seems to confuse
> > the controllers. They seem to think the MAC, and thus the user, has already
> > been authenticated and the controller wants to keep the same IP address/net
> > mask/gateway/VLAN as was originally assigned. This makes things easy &
> > quicker for the controller but leaves the user in a state where his device
> > is inoperable. This doesn’t bother me too much. But, the same thing happens
> > when a user moves to an adjacent building (if the APs are on the same
> > controller) where the originally assigned address info is not appropriate
> > any longer and the controller really needs to re-authenticate the user to
> > get new address info.
> >
> > We have looked extensively for documentation on FlexConnect in a campus
> > environment rather than the intended remote office environment but without
> > any luck so far. Our local Cisco tech has been very helpful, but we still
> > haven't gotten past all the hurdles.
> >
> > Current environment size is slightly over 200 buildings with just under
> > 5,000 APs and just over 33,000 concurrent users at peak times.
> >
> > Is anyone out there using FlexConnect in a similar manner? Do you have
> > any decent documentation that you can point me to? Or, do you have any
> > advice to offer ("don't even try to do this" is an acceptable response)?
> >
> >
> >
> > Thanks.
> >
> >
> >
> >
> > -jcw
> >
> > John Watters
> > The University of Alabama
> > Office of Information Technology
> > 205-348-3992
> >
> > ********** Participation and subscription information for this EDUCAUSE
> > Constituent Group discussion list can be found at
> > http://www.educause.edu/groups/.
>
> ---
> Bruce Curtis                         bruce.cur...@ndsu.edu
> Certified NetAnalyst II                701-231-8527
> North Dakota State University
>

**********
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.
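
The RADIUS policy described in the quoted original message (a VLAN chosen from the user's status and the building abbreviation that leads the AP name, with special cases centrally switched) can be sketched as follows. This is an added example, not code from anyone in the thread; the building codes, VLAN numbers, role names and the `LIB-2F-AP07` style of AP name are constructed assumptions.

```python
"""Added illustration: pick a per-building VLAN from role + AP name."""
import re

# Constructed sample data: building prefix -> role -> local VLAN ID.
BUILDING_VLANS = {
    "LIB": {"faculty-staff": 210, "student": 220},
    "ENG": {"faculty-staff": 310, "student": 320},
}
# Constructed: special-case users get a fixed VLAN that is not local to any
# building, so their traffic has to be centrally switched at the controller.
SPECIAL_VLANS = {"netops": 900}

AP_NAME_RE = re.compile(r"^([A-Za-z]+)-")  # assumed AP naming: "LIB-2F-AP07"


def building_of(ap_name):
    """Return the building abbreviation that leads the AP name, or None."""
    m = AP_NAME_RE.match(ap_name or "")
    return m.group(1).upper() if m else None


def vlan_reply(ap_name, role):
    """Return (reply_attributes, switching) for an Access-Accept.

    switching is "local" when the VLAN exists in the AP's building and
    "central" when it does not. Returns (None, None) when no VLAN can be
    chosen, so the caller can fall back to the WLAN default instead of
    handing out a VLAN that is not trunked to the AP.
    """
    if role in SPECIAL_VLANS:
        vlan, switching = SPECIAL_VLANS[role], "central"
    else:
        vlan = BUILDING_VLANS.get(building_of(ap_name), {}).get(role)
        switching = "local"
    if vlan is None:
        return None, None
    # RFC 3580 dynamic VLAN attributes, using FreeRADIUS attribute names.
    reply = {
        "Tunnel-Type": "VLAN",              # value 13
        "Tunnel-Medium-Type": "IEEE-802",   # value 6
        "Tunnel-Private-Group-Id": str(vlan),
    }
    return reply, switching
```

The decision depends only on the AP and the authenticated role, so the same device logging in under a different UserID, or from an AP in the next building, gets a different VLAN in the reply; whether the controller then honours it is the behaviour the thread is about.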
