AP1200 and vlan assignment via radius...

Discussion in 'Cisco' started by Achim 'ahzf' Friedland, Feb 22, 2006.

  1. Hello,


    I have some trouble after assigning another vlan to a user via radius.
    First I do normal radius authentication and within the Access-Accept
    reply I send the following back (freeradius):

    ahzf    Auth-Type := Local, User-Password == "xxx"
            User-Name = "ahzf-acct",
            Tunnel-Type = VLAN,
            Tunnel-Medium-Type = IEEE-802,
            Tunnel-Private-Group-Id = WLAN-hk

    As far as I can see I get connected to the AP and ethernet packets
    coming from wlan will reach the normal network. But the other way
    doesn't seem to work at all. No packets coming from the normal network
    reach the wlan client...

    What's wrong here? Even after looking at debug messages for a while I
    didn't find a solution...

    Firmware version: c1200-k9w7-tar.123-7.JA2


    thx...
    achim




    !
    version 12.3
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    !
    hostname ahzfnet2
    !
    enable secret 5 $1$E/ZR$0x4eJ1ryFl1NHAEublInd1
    !
    clock timezone MEZ 1
    clock summer-time MESZ recurring last Sun Mar 2:00 last Sun Oct 3:00
    ip subnet-zero
    ip domain name wlan.ahzf.de
    ip name-server 10.42.44.22
    ip name-server 141.24.44.121
    !
    !
    aaa new-model
    !
    !
    aaa group server radius rad_eap
    server 10.44.176.1 auth-port 1812 acct-port 1813
    !
    aaa group server radius rad_acct
    server 10.44.176.1 auth-port 1812 acct-port 1813
    !
    aaa authentication login eap_methods group rad_eap
    aaa accounting network acct_methods start-stop group rad_acct
    aaa session-id common
    dot11 mbssid
    dot11 vlan-name WLAN vlan 2000
    dot11 vlan-name WLAN-hk vlan 1000
    !
    dot11 ssid Holzklasse
    vlan 1000
    authentication open eap eap_methods
    authentication key-management wpa
    accounting acct_methods
    !
    dot11 ssid ahzfnet.1X
    vlan 2000
    authentication open eap eap_methods
    authentication key-management wpa
    accounting acct_methods
    mbssid guest-mode
    !
    dot11 aaa csid ietf
    !
    !
    username Cisco password 7 106D000A0618
    !
    bridge irb
    !
    !
    interface Dot11Radio0
    no ip address
    no ip route-cache
    !
    encryption vlan 2000 mode ciphers aes-ccm tkip
    !
    encryption vlan 1000 mode ciphers aes-ccm tkip
    !
    ssid Holzklasse
    !
    ssid ahzfnet.1X
    !
    speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
    station-role root
    dot11 extension power native
    bridge-group 1
    bridge-group 1 block-unknown-source
    no bridge-group 1 source-learning
    no bridge-group 1 unicast-flooding
    bridge-group 1 spanning-disabled
    !
    interface Dot11Radio0.1000
    encapsulation dot1Q 1000
    no ip route-cache
    bridge-group 100
    bridge-group 100 subscriber-loop-control
    bridge-group 100 block-unknown-source
    no bridge-group 100 source-learning
    no bridge-group 100 unicast-flooding
    bridge-group 100 spanning-disabled
    !
    interface Dot11Radio0.2000
    encapsulation dot1Q 2000
    no ip route-cache
    bridge-group 255
    bridge-group 255 subscriber-loop-control
    bridge-group 255 block-unknown-source
    no bridge-group 255 source-learning
    no bridge-group 255 unicast-flooding
    bridge-group 255 spanning-disabled
    !
    interface FastEthernet0
    no ip address
    no ip route-cache
    duplex auto
    speed auto
    bridge-group 1
    no bridge-group 1 source-learning
    bridge-group 1 spanning-disabled
    !
    interface FastEthernet0.1000
    encapsulation dot1Q 1000
    no ip route-cache
    bridge-group 100
    no bridge-group 100 source-learning
    bridge-group 100 spanning-disabled
    !
    interface FastEthernet0.2000
    encapsulation dot1Q 2000
    no ip route-cache
    bridge-group 255
    no bridge-group 255 source-learning
    bridge-group 255 spanning-disabled
    !
    interface BVI1
    ip address 10.44.176.2 255.255.255.0
    no ip route-cache
    !
    ip default-gateway 10.44.176.1
    no ip http server
    no ip http secure-server
    ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
    ip radius source-interface BVI1
    !
    radius-server attribute 32 include-in-access-req format %h
    radius-server host 10.44.176.1 auth-port 1812 acct-port 1813 key 7 0835495D1D100B1043595F
    radius-server vsa send accounting
    radius-server vsa send authentication
    !
    control-plane
    !
    bridge 1 route ip
    !
    !
    wlccp wds aaa csid ietf
    !
    line con 0
    transport preferred all
    transport output all
    line vty 0 4
    transport preferred all
    transport input all
    transport output all
    line vty 5 15
    transport preferred all
    transport input all
    transport output all
    !
    sntp server 141.24.44.123
    end
     
    Achim 'ahzf' Friedland, Feb 22, 2006
    #1
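
The assignment in the post depends on a chain: the Tunnel-Private-Group-Id in the Access-Accept must resolve through a `dot11 vlan-name` entry to a VLAN that has a cipher and a radio and an Ethernet subinterface in the same bridge group. The following Python check of that chain is an added example, not part of the original post; the function names and the trimmed config excerpt are constructed for illustration, and a clean result only shows the VLAN is defined consistently, not why return traffic fails.

```python
import re

# Constructed excerpt: only the lines of the posted AP config that the check reads.
CONFIG = """dot11 vlan-name WLAN vlan 2000
dot11 vlan-name WLAN-hk vlan 1000
interface Dot11Radio0
 encryption vlan 1000 mode ciphers aes-ccm tkip
interface Dot11Radio0.1000
 encapsulation dot1Q 1000
 bridge-group 100
interface FastEthernet0.1000
 encapsulation dot1Q 1000
 bridge-group 100
"""
# Reply attributes from the posted FreeRADIUS users entry.
REPLY = {"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "IEEE-802",
         "Tunnel-Private-Group-Id": "WLAN-hk"}

def parse(config):
    """Collect vlan-name mappings, VLANs with a cipher, and per-interface settings."""
    names, ciphers, ifaces, cur = {}, set(), {}, {}
    for s in map(str.strip, config.splitlines()):
        if m := re.match(r"dot11 vlan-name (\S+) vlan (\d+)$", s):
            names[m[1]] = int(m[2])
        elif m := re.match(r"interface (\S+)$", s):
            cur = ifaces.setdefault(m[1], {})
        elif m := re.match(r"encryption vlan (\d+) mode ciphers", s):
            ciphers.add(int(m[1]))
        elif m := re.match(r"(encapsulation dot1Q|bridge-group) (\d+)$", s):
            cur[m[1]] = int(m[2])
    return names, ciphers, ifaces

def check_assignment(reply, config):
    """Return a list of problems; an empty list means the VLAN is defined on both sides."""
    names, ciphers, ifaces = parse(config)
    if (reply.get("Tunnel-Type"), reply.get("Tunnel-Medium-Type")) != ("VLAN", "IEEE-802"):
        return ["reply is not a VLAN assignment (Tunnel-Type/Tunnel-Medium-Type)"]
    gid = reply.get("Tunnel-Private-Group-Id", "")
    vlan = int(gid) if gid.isdigit() else names.get(gid)  # numeric ID or configured name
    if vlan is None:
        return [f"no 'dot11 vlan-name' entry for {gid!r}"]
    problems = [] if vlan in ciphers else [f"no cipher configured for vlan {vlan}"]
    bgs = {side: {d.get("bridge-group") for n, d in ifaces.items()
                  if n.startswith(side) and d.get("encapsulation dot1Q") == vlan}
           for side in ("Dot11Radio", "FastEthernet")}
    problems += [f"no {s} subinterface tagged with vlan {vlan}" for s, g in bgs.items() if not g]
    if all(bgs.values()) and bgs["Dot11Radio"] != bgs["FastEthernet"]:
        problems.append(f"radio and wired sides of vlan {vlan} use different bridge groups")
    return problems
```
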