Cisco :: Dynamic Vlan Assignment With 1242AG And IAS Not Working
Dec 13, 2012
I'm having trouble getting the dynamic vlan assignment to work on my 1242AG Cisco Aironet APs. I've seen multiple cases with a similar setup and configuration where it works just fine. I've tried everything I can think of. IAS and AD is running on Windows Server 2003.Everything works fine except the vlan assignment. Wireless clients successfully authenticate through IAS and Active Directory, but instead of being switched to the appropriate vlan the client stays in whichever vlan/ssid it originally connected to.PEAP is the authentication method, using MS-CHAP v2. Naturally I have the attributes in the policy set appropriately,[code] I've attached the config for the AP, which shows that I have two vlans/SSIDs set to cipher, aes, network eap, wpa, etc. I noticed that if the Tunnel-Pvt-Group-ID attribute is set to a vlan id that doesn't exist on the AP then the AP makes an event log saying so.
When the users connect their laptop they are getting a authentication prompt but the switch is not changing the VLANs on the port after successful authentication.Below are the logs on the switch
Jan 28 2013 17:21:32.417 CST: RADIUS: Framed-MTU [12] 6 1500 Jan 28 2013 17:21:32.417 CST: RADIUS: Called-Station-Id [30] 19 "E4-D3-F1-0B-C6-0A" Jan 28 2013 17:21:32.417 CST: RADIUS: Calling-Station-Id [31] 19 "84-8F-69-A8-BD-1D" Jan 28 2013 17:21:32.417 CST: RADIUS: EAP-Message [79] 45
I have just upgraded our WLC from 4.0 to 7.0 (via 4.2). Before the upgrade we had our ACS returning a VLAN based on user group. This seemed to be working without an issue. Now that the WLC is on version 7 this is no longer working correctly. The ACS is returning a VLAN and passing the user but the client can not get an IP from the DHCP server configured.
Example configuration:
SSID-----VLAN
PN-CSC-----CSCVlan: Works PN-Others------OthersVlan: Works
PN-Others-----CSCVlan: No DHCP
When users are trying to be allocated to a vlan that is different from the native one the DHCP fails however both WLANs are configured to point to the management interface so dont have any real connection to the vlan other than by name.
Have there been any changes I haven't seen in the way the dynamic vlan allocation works in version 7?
Does the WAP4410N support Dynamic VLAN assignment by means of 802.1x authentication?
The reason why I ask this; I am able to configure a SSID on a WAP4410N with WPA2-Enterprise, in combination with 802.1x PEAP network authentication. I can succesfully connect Windows, Windows RT, Windows Phone, iOS and Android devices. But.. I am unable to designate them to another VLAN based on access/connection policies. For example; I want mobile devices such as iPhone and Windows Phone to be assigned to a specific VLAN. The Wireless Access Point (authenticator) must be able to support that.
This is my setup:
Spplicants: Windows 8 / iPad / ... Authenticator: WAP4410N Authentication Server: Microsoft NPS (Network Policy Server)
I used 802.1x PEAP (Protected EAP) with password (domain user) authentication. In fact, the suplicants communicate with 802.1x to the authenticator. The authenticator communicates with RADIUS to the authentication server. NAP is not in between. It's just plain 802.1x authentication.
I have a SG300-28P switch. I just read in the Administration Guide that, when in Layer 3 mode, the switch doesn't support MAC-based VLAN or Dynamic VLAN Assignment.
So, in order to assign a client to a VLAN based on their MAC or based on the response of a RADIUS server, we have to disable layer 3 features. Without layer 3 switching, the switch is unable to act as a default gateway and forward packets between VLANs. As a result, the VLANs can't communicate in any way, or access the internet, unless a separate router is connected to every VLAN. Right? Doesn't this limitation significantly reduce the usefulness of the DVA feature?
I`m working on Dynamic Vlan Assigmenton the basis of end user authenticatedwhoc are part of specific AD Group in c ampus enviorment.Objective: Need to assign the vlan on switch port on the basis of authenticated users OU Group in Active Directory. Eg: There are 2 OU groups in AD, Sales and Administration. Authenticated user in Sales group should get Vlan 10 and user in Admininstration Group shoudl get Vlan 20.
Components:
Cisco 3750x/Cisco 4500 ACS Version 5.2 Microsoft AD
I'm trying to use 802.1x to authenticate clients on my network with dynamic VLAN assignment from RADIUS. We have IP-Phones(powered by PoE) that only supports EAP-MD5, and we would rather use MAB(it also uses LLDP-MED for some settings) to authenticate the phones using the MAC-range from the phones vendor. The following scenario works perfect:Connect the phone and let it boot up(takes a while) and authenticate with MAB.Connect a computer in the phones data-port and let it authenticate with 802.1x(or fail and reach guest-vlan) However, the following scenario doesn't work:The computer is already connected to the phoneThe phone is then connected to the switch What happends now is that the computer is authenticated using 802.1x before the phone boots up and get's authenticated with MAB. When the phone is ready, it's authenticated with MAB and everything works. However, after a short period(let's say a minute), using `debug authentication all`, we see a "NEW LL MAC: phones mac" message(which is weird since the mac has already been MAB-authenticated), and then we are unable to contact the phone using ping. When I check `show mac address-table` it has now moved the mac from `Port Gi 0/12` to `Port Drop`. However, if I check `show mab interface Gi 0/12` or `show authentication sessions` it lists the phones-mac as `mab auth sucess `.why the first scenario works, and not the second?
The switch is a 3560E PoE 24p with IOS 12.2.58SE2. Sample of the switch-config: network-policy profile 1voice vlan 90!interface GigabitEthernet0/12switchport mode accessnetwork-policy 1authentication control-direction inauthentication event fail retry 1 action authorize vlan 60authentication event server dead action authorize vlan 60authentication event no-response action authorize vlan 60authentication event server alive action reinitializeauthentication host-mode multi-domainauthentication order mab dot1xauthentication priority mab dot1xauthentication port-control autoauthentication periodicauthentication violation replacemabdot1x pae authenticatordot1x timeout tx-period 5dot1x max-reauth-req 1spanning-tree portfast!Btw, when we tried authenticating the phones using 802.1x too (EAP-MD5), there are NO problems in any of the scenarios. However, we want to use MAB instead of 802.1x to avoid the requirement of configuring the phones with a username and password. The RADIUS response was the same when using 802.1x as it is with MAB for the phones (including device-traffic-class=voice AV-pair).
I have Remote Access VPN users (IPsec) who are terminated on Cisco ASA 5520 (v8.2). For those users, AAA is done on the ACS. Group-policies and tunnel groups are defined on ASA. Initialy I had all VPN users defined on ASA and group policies were associated with each user. Each group policy had it’s own IP pool for users. Now, I moved users to ACS. How can I associate group policy, defined on ASA, with users group defined on ACS? Is it possible that ACS send to ASA information about IP pool for different group policy? Users will use ONE vpn profile BUT based on the Active Directory group they belong to they obtain a different IP address for each group.Can it be done ? ACS version is 5.2.
The Wireless_Employees authorization profile,assign vlan 666 for wireless employees.ISE is passing VLAN 666 to the WLC - see attachement Radius Auth-VLAN666.jpg then I look on the WLC at a wireless employee who has successuflly connected to the network, WLC is still placing him in the pre-configured VLAN 7.
1. can VLAN be pushed from ISE to the WLC (code 7.2.103) for specific user session?
I was wondering if it is possible to do dynamic VLAN assignment on the Cisco Wireless Controller 5508 without using Cisco ACS but use Microsoft NPS server instead?
I am configuring 802.1X in a 3560 Switch, my Radius server is a Microsoft IAS, when I connect a station of a guest user, the guest-vlan is not assigned in the port, and I have these logs:
May 8 21:23:02: dot1x-ev:Received an EAP Timeout on FastEthernet0/8 for mac 0000.0000.0000 May 8 21:23:02: dot1x-ev:dot1x_guest_vlan_applicable: Guest VLAN not
I have two buildings that I'm trying to configure a bridge in between them using 2 1242AG APs.
Building A PCOFFICE SSID on VLAN 200 Radio G ROOT_1 SSID on Native VLAN 1 Radio A Root Bridge
Building B FDAPC SSID on Native VLAN 1 Radio G ROOT_1 SSID on Native VLAN 1 Radio A
We are using directional antenna. I know they are lined up properly because I have them both down and in front of me. I'm getting an error on the Building B AP that says " No SSID with VLAN configured. Dot11Radio1 not started." and I'm unable to get this to work. The bridge was working before I added the VLAN and encryption/WPA information for the PCOFFICE and FDAPC SSIDs
I have some 1130AG access point and I'd like to have :
- Multiple broadcasted SSIDs (because most of my clients are OSX and OSX doesn't deal with hidden SSID at all ! the clients have to enter the data each time which for WPA2 enterprise is really annoying) - Dynamic VLAN assignement (so my clients don't have to know to which VLAN they belong and so I can easily change them from one to another).
As it turns out, it's apparently not supported to have both. But I can't understand WHY ? What exactly is the relation between those features ? What's the underlying technical constraint ?
I can understand the cipher suite must match between all the dynamic vlan because of the way wlan works, but for this, I really don't see what the problem is ... (Especially since I only have one of the SSID that needs dynamic assignement, the other is really the 'guest' one).
I am using several SG300-28 Switches with firmware version 1.1.2.0.I have dynamic VLAN enabled. As RADIUS server I am using free radius 2.1.12.Authentication is only based on the MAC address. (I configured that on the switches)On the switches I created three VLANs. VLAN100 for the authenticated clients, VLAN200 for Management interface and VLAN300 as Guest VLAN. After a wrong authentication the clients should be put into this Guest VLAN immediately (I configured this on the switches). I am using Windows XP and Windows 7 clients in my network. I did not configure any EAP settings because I just wnat to use the MAC address.
In most cases the dynamic VLAN assignment and authentication is working fine. The switch log says that the client is authenticated and the same I can see on free radius log. But in some (rare) cases the client is rejected. The CISCO log says "MAC aa:bb:cc:dd:ee:ff was rejected on port ge17" but when I look at the free radius log then this MAC address was successfully authorized.
The problem is that the client gets an IP address based on the Guest VLAN300 but after that the switch seems to "switch" the VLAN on the port and then the client is authenticated correctly on the right VLAN but the client does not request a new IP on the new VLAN. If I unplug and re-plug the LAN cable in most cases the client get the correct VLAN and the correct IP. This is happening randomly on nearly all my PCs.
Do I have to set some timers higher ? I don't think it is a problem between switch and RADIUS but a problem between communication of the host and the switch.
I have enabled IP DHCP snooping on a 24 port 3560 switch (v small office) and let the database fill up, now I have added dynamic arp inspection on the single vlan and I amd getting these errors.
I've got a new 891 to replace an old 837 and I'm struggling to get the dynamic nat pool working.I've successfully configured the dialer etc for PPPoE and when I set up a static NAT translation between my PC and an external address then I can ping hosts on the internet e.g. ping 8.8.8.8 successfully. But when I remove the static translation and try and use the dynamic NAT pool then no NAT translations take place, and show ip nat translations only shows the other static entries.The relevant bits of the config are below and I've also attached a full (cleaned) config.
ip nat pool TestPool 81.2.123.226 81.2.123.226 netmask 255.255.255.248 ip nat inside source list 15 pool TestPool overload ! Can only access internet when static route is defined for my PC ! If I remove this line then it doesn't use the dymnamic pool TestPool ip nat inside source static 172.16.0.11 81.2.123.226
We have Cisco Cat4503 series L3 Switch and Cisco L2 2560 Series Switches, some of the users want to have a dynamic VLAN membership, and connecting with the network as mobile users,
can it possible and create dynamic VLAN for specific group of users.
Region : Portugal Model : TL-MR3220 Hardware Version : V2 Firmware Version : TL-MR3220_V2_121126_UK ISP : OPTIMUS (26803)
I buy a Router TL-MR3220 and Forwarding e Dynamic DNS not work. I installed the latest firmware version (TL-MR3220_V2_121126_UK) and does not work well.
I am into creating a new VLAN, what I have missed in the setup / configuration. I have multiple Cisco switches, the VLAN is configured on a 3750. My attempt was to place the VLAN on one port (as concept) and work from there - - so it is on 2-02 of my main Cisco stack. The new VLAN is 220 - Printer. My present IP scope is 192.168.200.x - running out of addresses - trying to add 192.168.220.x. on VLAN 220 to relieve some pressure - -- Most I can do is ping the VLAN IP - 192.168.220.1 and that resolves - - but if I attach a networked device with a 192.168.220.x address - - cannot get there..
Here is the switch info...
version 12.2 parser config cache interface no service pad service tcp-keepalives-in service tcp-keepalives-out service timestamps debug datetime msec localtime service timestamps log datetime localtime service password-encryption
I've got a cluster of two WAP321, firmware 1.0.2.3if have been trying for hours to get up my captive portal running. finally I arrived - I switched from vlan 4001 to vlan 1 for my network using the cp login-page and success, opening my browser, using any url, the login page of my portal appears.Well portal is working, but I do have to change my vlan id to any other than the default management network! what do I have to configure?
I need to connect two switches with each have different Vlans and wants to Connect the users of These Switches to Existing Network of Company(Vlan 1 ; showing Right in the picture).
I have created Vlans and able to route packets from Two Vlans (10,20) to VLAN 1 but i am unable to get access to Users existing in vlan 10,20.
Internet is working fine from VLAN1 and existing network did not have any router ,it is just a DSL modem and did not have Static /Default Route option,NAT.
What Option should i choose for it. 3750x have 12 Mini Gbic Slots and 1 Routed port and did not have any NAT options in it.
In the settings, there is a spot in which you can set the range of IPs to assign to connected computers and other devices. This particular option is available under the "LAN" options. What I am seeing is that the only IP that is assigned within the range is the one and only device hardwired to the router. Everything else is being assigned IP addresses outside of the range. Am I missing something? I was under the assumption that any IP addresses assigned dynamically would be within the range whether they were wired or wireless
Short version is we cannot communicate between our subnets.We have a Cisco ASA 5505 we are using for our network router. We have a Netgear L3 switch behind that with 10 vlans. Each VLAN is on its own subnet. (10.0.10.x/24, 10.0.11.x/24, etc)We have PAT for each subnet to our outside interface. Each subnet NATs out properly currently.I have NAT exemption enabled for 2 of the subnets (eventually I will need all, but am just testing at the moment). I have tried multiple ways for the NAT exemption to allow all traffic from our inside VLANS. At this point in time I am trying to get "Engineering" to communicate with all hosts on "AuthUser". I can ping some hosts, but not as many as if I am directly on the interface. I can reach a port 80 service, but not 443. I cannot access anything via hostname or NetBIOS.What am I missing to allow higher security level interfaces to fully communicate with lower security level interfaces?
We recently purchsed a SG200-26 and have several SPA303 with the 2 ports. The other component is a Sonicwall NSA3500.The SG200-26 is on an interface of the Sonicwall that interface has a primary of 172.20.3.x and the sub interface is 172.20.5.x. I labed the VLAN as 5?I went to the "Create VLAN" in the SG200-26 and also created VLAN 5 and under Voice VLAN the ID is 5.Then I went to the SmartPort and assigned GE24 as IP Phone + Desktop. That was OK. But when I go to the SPA303 and Enable VLAN and VLAN ID 5 I get Initializing Network. I am able to ping the 172.20.5.1 which is the gateway for the VLAN but still pull no IP. I also have an DHCP range assinged the subinterface.I also am using Cisco Configuration Assistant. I can see the switch SG200-26 and my IP set but it shows no IP. So I know that the CDP from the phone to the switch is working.
I have a PIX 515e (8.0 (2)) and 1841 router (12.4(25)).I had the following setup working without issue:
[Internet] <-----> PIX <-----> 1841 <-----> [LAN]
I then tried to introduce VLANs and now I can not reach the Internet from the LAN. It seems that no nat translations are taking place.
-I can successfully ping the LAN from the PIX. -I can successfully ping the Internet from the PIX. -I can successfully ping the PIX inside_lan interface from the router -I can not ping the outside interface from the router -I can not ping the Internet from the router
I introduced the LAN side VLAN first and everything still worked. However, once i introduced the VLAN between the router and PIX, things have broken down. [code]
Extended IP access list VLAN20 10 permit tcp any any established 11 permit icmp any any 20 permit tcp any 192.168.20.0 0.0.0.255 eq 80 30 permit tcp any 192.168.20.0 0.0.0.255 eq 443 40 deny ip any any log
[code].....
Above is the network diagram and access list for VLAN 20 and VLAN 30, applied on incoming direction of each valn.But still able to access other port which is not on access list, tried changing the direction with no luck.Inter vlan routing is enabled on CoreSwitch default router is 192.168.10.10
Local DHCP (via the 5508) is for the guest network while the management and voice use the Windows DHCP server.
My problem, Voice and guest work fine. I have two SSID's (one 802.1X and the other PSK) that use the management interface that will not get an IP. I have enabled dhcp proxy from the cli on the controller. I tried with the management VLAN tagged and untagged.
I possess a RV220W (firmware 1.0.3.5) but I can't seem to work with the PPTP server on one VLAN only.
My default VLAN is in 192.168.1.1/24. I created a VLAN ID 10 in 192.168.50.1/24 inter-vlan routing : disabled and Device Management : disabled. (Menu Networking > LAN > VLAN Membership and Multiple VLAN Subnets).
Then I configured a PPTP server on the IP range 192.168.50.200 to 192.168.50.210.
To finish I created my user. (Menu VPN > IPSEC > VPN Users).
The PPTP tunnel is working, but on all my local network and not only the VLAN ID 10.
is it possible to use the asa dhcp server function to assign based on mac address (yet)? I have read numerous places that it was not possible (as of 8.2) at least, but I am workin in 8.4. I should have mentioned that I've already tried commands (asa 5510 btw)
I have gotten the assignment of constructing a fictional network for my school.. and i cannot quite agree with myself upon which equipment i should choose.. its supposed to be all cisco. i need to supply 5000 users all in all, but only 300 on this site. i need to know which connections would be the most reasonable to use and of course which routers "if any" and switches i need.. (+ additional modules if needed) i have tried to make a visio representation, but i just think something is way off.
I'm having a strange issue with a Cisco 3845 ISR router. I am setting up basic ACL and NAT but 2 issues occur. When using pat (overload) and a static nat assignment on the same subnet, the host with the static assignment has no wan connectivity except for icmp. The host is not reachable via the wan and the static public ip. Running show ip nat translations show the correct inside local and inside global addresses. The other issue is when applying an extended ACL to the outside or WAN interface coming in. No host on the inside has connectivity (icmp, tcp etc.) even to the gateway. I've cleared out all the ACL's as well as the ipsec tunnel settings and created only the nat overload and a single static assignment with the same results.I'm posting the running config below.
version 15.1 no service pad service timestamps debug datetime msec service timestamps log datetime msec [Code]...
