Dynamic VLAN assignment + AP1100 + freeradius

Discussion in 'Cisco' started by caroline brunel, May 24, 2005.

  1. Hello,

    I'm trying to assign VLANs dynamically on the Cisco AP1100. The
    authentication works, but the client always stays in the default VLAN
    (vlan 4 for ssid guest2). 802.1x authentication with a fixed VLAN works
    (vlan 318 for ssid v318). Could someone help me, please?

    Many thanks in advance!

    Caroline.


    Radius config :
    ---------------
    # FreeRADIUS "users" entry for test318: when the password check item matches,
    # the reply carries the three tunnel attributes used for 802.1X VLAN
    # assignment (RFC 3580): Tunnel-Type 13 = VLAN, Tunnel-Medium-Type 6 =
    # IEEE-802, Tunnel-Private-Group-ID = the VLAN ID (318 here). ":1" is the
    # tunnel tag.
    # NOTE(review): the password is stored in this file in cleartext, so read
    # access to the file should be limited to the RADIUS service account.
    # NOTE(review): reply items are normally indented under the check line; the
    # indentation may have been lost in the post - confirm against the real file.
    test318 User-Password == "xxxxxxx"
    Tunnel-Medium-Type:1 = 6,
    Tunnel-Type:1 = 13,
    Tunnel-Private-Group-ID:1 = 318,
    Fall-Through = No

    AP1100 config :
    ---------------
    ap#sho runn
    Building configuration...

    Current configuration : 5326 bytes
    !
    ! Global settings and AAA method lists of the access point.
    version 12.3
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    ! Type 7 encoding only hides stored passwords from casual viewing; it is
    ! reversible, so "password 7" / "key 7" strings must still be treated as
    ! secrets when a configuration is shared (they are redacted in this post).
    service password-encryption
    !
    hostname ap
    !
    ! Type 5 = salted MD5 hash of the enable password.
    enable secret 5 xxxxxxx
    !
    ip subnet-zero
    ip name-server 192.168.16.35
    !
    !
    aaa new-model
    !
    !
    ! Default login list: interactive logins are checked against the line password.
    aaa authentication login default line
    ! eap_methods: RADIUS server group first, then the enable password if the
    ! RADIUS servers do not answer. The SSIDs that use EAP reference this list.
    ! NOTE(review): confirm the "enable" fallback is intended for this list.
    aaa authentication login eap_methods group radius enable
    ! mac_methods: local user database; no "username" entries appear in this
    ! configuration as posted.
    aaa authentication login mac_methods local
    ! Start/stop accounting records for the eap_methods list go to RADIUS.
    aaa accounting network eap_methods start-stop group radius
    aaa session-id common
    !
    ! SSID definitions: each maps to a static VLAN and an authentication policy.
    !
    ! guest2: default VLAN 4, advertised in beacons (guest-mode).
    ! NOTE(review): with the "optional" keyword EAP is not enforced - clients
    ! using either plain open authentication or EAP may associate. Remove
    ! "optional" if 802.1X is meant to be mandatory on this SSID.
    dot11 ssid guest2
    vlan 4
    authentication open optional eap eap_methods
    accounting eap_methods
    guest-mode
    !
    ! inter-ap: open authentication plus a MAC address check against the
    ! mac_methods (local) list; no vlan statement is shown for this SSID.
    dot11 ssid inter-ap
    authentication open mac-address mac_methods
    !
    ! v016: open+EAP and Network-EAP via RADIUS; "wpa optional" admits non-WPA
    ! clients alongside WPA clients.
    dot11 ssid v016
    vlan 16
    authentication open eap eap_methods
    authentication network-eap eap_methods
    authentication key-management wpa optional
    !
    ! v216: open authentication only, WPA key management optional.
    ! NOTE(review): no EAP, MAC or pre-shared-key requirement is visible on this
    ! SSID, and VLAN 216 is the native VLAN bridged into bridge-group 1, which
    ! carries the BVI1 management address - confirm this exposure is intended.
    dot11 ssid v216
    vlan 216
    authentication open
    authentication key-management wpa optional
    infrastructure-ssid optional
    !
    ! v218: same policy as v016, on VLAN 218.
    dot11 ssid v218
    vlan 218
    authentication open eap eap_methods
    authentication network-eap eap_methods
    authentication key-management wpa optional
    !
    ! v318: EAP required (no "optional"), fixed VLAN 318, accounting to RADIUS.
    dot11 ssid v318
    vlan 318
    authentication open eap eap_methods
    accounting eap_methods
    !
    !
    !
    !
    bridge irb
    !
    !
    ! Physical radio interface: per-VLAN cipher settings, the SSIDs it serves,
    ! and RF parameters.
    interface Dot11Radio0
    no ip address
    no ip route-cache
    !
    ! TKIP together with 128-bit WEP is enabled for VLANs 218, 216 and 16; both
    ! are legacy ciphers, and the WEP part lets non-WPA clients connect.
    ! NOTE(review): no "encryption vlan" statement appears for VLAN 4 or VLAN 318,
    ! so as posted the guest2 and v318 SSIDs have no over-the-air cipher configured.
    encryption vlan 218 mode ciphers tkip wep128
    !
    encryption vlan 216 mode ciphers tkip wep128
    !
    encryption vlan 16 mode ciphers tkip wep128
    !
    ssid guest2
    !
    ssid inter-ap
    !
    ssid v016
    !
    ssid v216
    !
    ssid v218
    !
    ssid v318
    !
    short-slot-time
    speed basic-11.0 54.0
    rts threshold 2312
    power local cck 1
    power local ofdm 1
    channel 2457
    station-role root
    no dot11 extension aironet
    ! Reauthentication interval is taken from the RADIUS server.
    dot1x reauth-period server
    !
    ! Radio subinterfaces: one 802.1Q VLAN each, bridged to the bridge-group that
    ! the matching FastEthernet subinterface also joins.
    !
    ! VLAN 4 (default VLAN of ssid guest2) -> bridge-group 4.
    interface Dot11Radio0.4
    encapsulation dot1Q 4
    no ip route-cache
    no cdp enable
    bridge-group 4
    bridge-group 4 subscriber-loop-control
    bridge-group 4 block-unknown-source
    no bridge-group 4 source-learning
    no bridge-group 4 unicast-flooding
    bridge-group 4 spanning-disabled
    !
    ! VLAN 16 -> bridge-group 16.
    interface Dot11Radio0.16
    encapsulation dot1Q 16
    no ip route-cache
    bridge-group 16
    bridge-group 16 subscriber-loop-control
    bridge-group 16 block-unknown-source
    no bridge-group 16 source-learning
    no bridge-group 16 unicast-flooding
    bridge-group 16 spanning-disabled
    !
    ! VLAN 216 is the native (untagged) VLAN and uses bridge-group 1, the group
    ! behind the BVI1 management interface.
    interface Dot11Radio0.216
    encapsulation dot1Q 216 native
    no ip route-cache
    no cdp enable
    bridge-group 1
    bridge-group 1 subscriber-loop-control
    bridge-group 1 block-unknown-source
    no bridge-group 1 source-learning
    no bridge-group 1 unicast-flooding
    bridge-group 1 spanning-disabled
    !
    ! VLAN 218 -> bridge-group 218.
    interface Dot11Radio0.218
    encapsulation dot1Q 218
    no ip route-cache
    bridge-group 218
    bridge-group 218 subscriber-loop-control
    bridge-group 218 block-unknown-source
    no bridge-group 218 source-learning
    no bridge-group 218 unicast-flooding
    bridge-group 218 spanning-disabled
    !
    ! VLAN 318 -> bridge-group 3. This is the VLAN ID the RADIUS reply returns
    ! for test318, so the target VLAN does exist on the radio side.
    interface Dot11Radio0.318
    encapsulation dot1Q 318
    no ip route-cache
    bridge-group 3
    bridge-group 3 subscriber-loop-control
    bridge-group 3 block-unknown-source
    no bridge-group 3 source-learning
    no bridge-group 3 unicast-flooding
    bridge-group 3 spanning-disabled
    !
    ! Wired uplink: the physical port carries an 802.1Q trunk, with one
    ! subinterface per VLAN joined to the same bridge-group as its radio
    ! counterpart.
    interface FastEthernet0
    no ip address
    no ip route-cache
    duplex auto
    speed auto
    !
    ! VLAN 4 -> bridge-group 4.
    interface FastEthernet0.4
    encapsulation dot1Q 4
    no ip route-cache
    bridge-group 4
    no bridge-group 4 source-learning
    bridge-group 4 spanning-disabled
    !
    ! VLAN 16 -> bridge-group 16.
    interface FastEthernet0.16
    encapsulation dot1Q 16
    no ip route-cache
    bridge-group 16
    no bridge-group 16 source-learning
    bridge-group 16 spanning-disabled
    !
    ! VLAN 216 is sent untagged (native) and shares bridge-group 1 with BVI1.
    interface FastEthernet0.216
    encapsulation dot1Q 216 native
    no ip route-cache
    bridge-group 1
    no bridge-group 1 source-learning
    bridge-group 1 spanning-disabled
    !
    ! VLAN 218 -> bridge-group 218.
    interface FastEthernet0.218
    encapsulation dot1Q 218
    no ip route-cache
    bridge-group 218
    no bridge-group 218 source-learning
    bridge-group 218 spanning-disabled
    !
    ! VLAN 318 -> bridge-group 3 (wired side of the RADIUS-assigned VLAN).
    interface FastEthernet0.318
    encapsulation dot1Q 318
    no ip route-cache
    bridge-group 3
    no bridge-group 3 source-learning
    bridge-group 3 spanning-disabled
    !
    ! Management plane: BVI1 holds the AP's own IP address and is the source of
    ! its RADIUS traffic.
    interface BVI1
    ip address 192.168.16.61 255.255.255.224
    no ip route-cache
    !
    ip default-gateway 192.168.16.62
    ! Both the HTTP and the HTTPS management servers are disabled.
    no ip http server
    no ip http secure-server
    ! The help-path URL below was wrapped onto its own line in the post.
    ip http help-path
    http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
    ip radius source-interface BVI1
    !
    logging snmp-trap emergencies
    logging snmp-trap alerts
    logging snmp-trap critical
    logging snmp-trap errors
    logging snmp-trap warnings
    ! RADIUS server for authentication (1812) and accounting (1813). The shared
    ! secret is stored with reversible type 7 encoding (redacted in this post).
    radius-server host 192.168.16.35 auth-port 1812 acct-port 1813 key 7 xxxxx
    !
    ! Control plane, bridge routing and terminal lines.
    control-plane
    !
    bridge 1 route ip
    !
    !
    !
    line con 0
    transport preferred all
    transport output all
    ! NOTE(review): "transport input all" accepts every supported remote-access
    ! protocol, including cleartext Telnet, and no access-class is shown on the
    ! vty lines. Where the image supports SSH, prefer "transport input ssh" and
    ! restrict source addresses with an access-class.
    line vty 0 4
    password 7 xxxxx
    transport preferred all
    transport input all
    transport output all
    ! No password line is shown for vty 5-15 in the posted configuration.
    line vty 5 15
    transport preferred all
    transport input all
    transport output all
    !
    end
     
    caroline brunel, May 24, 2005

  2. Hi,

    I haven't received any response... Does anyone know whether what I'm trying
    to configure is possible?

    Many thanks!

    Caroline.

    caroline brunel a écrit :
    > Hello,
    >
    > I'm trying to affect VLANs dynamically on the Cisco AP1100. The
    > authentication works but the client always stays in the default vlan
    > (vlan 4 for ssid guest2). 802.1x authentication with fixed vlan works
    > (vlan 318 for ssid v318). Could someone help me please ?
    >
    > Many thanks by advance!
    >
    > Caroline.
    >
    >
    > Radius config :
    > ---------------
    > test318 User-Password == "xxxxxxx"
    > Tunnel-Medium-Type:1 = 6,
    > Tunnel-Type:1 = 13,
    > Tunnel-Private-Group-ID:1 = 318,
    > Fall-Through = No
    >
    > AP1100 config :
    > ---------------
    > ap#sho runn
    > Building configuration...
    >
    > Current configuration : 5326 bytes
    > !
    > version 12.3
    > no service pad
    > service timestamps debug datetime msec
    > service timestamps log datetime msec
    > service password-encryption
    > !
    > hostname ap
    > !
    > enable secret 5 xxxxxxx
    > !
    > ip subnet-zero
    > ip name-server 192.168.16.35
    > !
    > !
    > aaa new-model
    > !
    > !
    > aaa authentication login default line
    > aaa authentication login eap_methods group radius enable
    > aaa authentication login mac_methods local
    > aaa accounting network eap_methods start-stop group radius
    > aaa session-id common
    > !
    > dot11 ssid guest2
    > vlan 4
    > authentication open optional eap eap_methods
    > accounting eap_methods
    > guest-mode
    > !
    > dot11 ssid inter-ap
    > authentication open mac-address mac_methods
    > !
    > dot11 ssid v016
    > vlan 16
    > authentication open eap eap_methods
    > authentication network-eap eap_methods
    > authentication key-management wpa optional
    > !
    > dot11 ssid v216
    > vlan 216
    > authentication open
    > authentication key-management wpa optional
    > infrastructure-ssid optional
    > !
    > dot11 ssid v218
    > vlan 218
    > authentication open eap eap_methods
    > authentication network-eap eap_methods
    > authentication key-management wpa optional
    > !
    > dot11 ssid v318
    > vlan 318
    > authentication open eap eap_methods
    > accounting eap_methods
    > !
    > !
    > !
    > !
    > bridge irb
    > !
    > !
    > interface Dot11Radio0
    > no ip address
    > no ip route-cache
    > !
    > encryption vlan 218 mode ciphers tkip wep128
    > !
    > encryption vlan 216 mode ciphers tkip wep128
    > !
    > encryption vlan 16 mode ciphers tkip wep128
    > !
    > ssid guest2
    > !
    > ssid inter-ap
    > !
    > ssid v016
    > !
    > ssid v216
    > !
    > ssid v218
    > !
    > ssid v318
    > !
    > short-slot-time
    > speed basic-11.0 54.0
    > rts threshold 2312
    > power local cck 1
    > power local ofdm 1
    > channel 2457
    > station-role root
    > no dot11 extension aironet
    > dot1x reauth-period server
    > !
    > interface Dot11Radio0.4
    > encapsulation dot1Q 4
    > no ip route-cache
    > no cdp enable
    > bridge-group 4
    > bridge-group 4 subscriber-loop-control
    > bridge-group 4 block-unknown-source
    > no bridge-group 4 source-learning
    > no bridge-group 4 unicast-flooding
    > bridge-group 4 spanning-disabled
    > !
    > interface Dot11Radio0.16
    > encapsulation dot1Q 16
    > no ip route-cache
    > bridge-group 16
    > bridge-group 16 subscriber-loop-control
    > bridge-group 16 block-unknown-source
    > no bridge-group 16 source-learning
    > no bridge-group 16 unicast-flooding
    > bridge-group 16 spanning-disabled
    > !
    > interface Dot11Radio0.216
    > encapsulation dot1Q 216 native
    > no ip route-cache
    > no cdp enable
    > bridge-group 1
    > bridge-group 1 subscriber-loop-control
    > bridge-group 1 block-unknown-source
    > no bridge-group 1 source-learning
    > no bridge-group 1 unicast-flooding
    > bridge-group 1 spanning-disabled
    > !
    > interface Dot11Radio0.218
    > encapsulation dot1Q 218
    > no ip route-cache
    > bridge-group 218
    > bridge-group 218 subscriber-loop-control
    > bridge-group 218 block-unknown-source
    > no bridge-group 218 source-learning
    > no bridge-group 218 unicast-flooding
    > bridge-group 218 spanning-disabled
    > !
    > interface Dot11Radio0.318
    > encapsulation dot1Q 318
    > no ip route-cache
    > bridge-group 3
    > bridge-group 3 subscriber-loop-control
    > bridge-group 3 block-unknown-source
    > no bridge-group 3 source-learning
    > no bridge-group 3 unicast-flooding
    > bridge-group 3 spanning-disabled
    > !
    > interface FastEthernet0
    > no ip address
    > no ip route-cache
    > duplex auto
    > speed auto
    > !
    > interface FastEthernet0.4
    > encapsulation dot1Q 4
    > no ip route-cache
    > bridge-group 4
    > no bridge-group 4 source-learning
    > bridge-group 4 spanning-disabled
    > !
    > interface FastEthernet0.16
    > encapsulation dot1Q 16
    > no ip route-cache
    > bridge-group 16
    > no bridge-group 16 source-learning
    > bridge-group 16 spanning-disabled
    > !
    > interface FastEthernet0.216
    > encapsulation dot1Q 216 native
    > no ip route-cache
    > bridge-group 1
    > no bridge-group 1 source-learning
    > bridge-group 1 spanning-disabled
    > !
    > interface FastEthernet0.218
    > encapsulation dot1Q 218
    > no ip route-cache
    > bridge-group 218
    > no bridge-group 218 source-learning
    > bridge-group 218 spanning-disabled
    > !
    > interface FastEthernet0.318
    > encapsulation dot1Q 318
    > no ip route-cache
    > bridge-group 3
    > no bridge-group 3 source-learning
    > bridge-group 3 spanning-disabled
    > !
    > interface BVI1
    > ip address 192.168.16.61 255.255.255.224
    > no ip route-cache
    > !
    > ip default-gateway 192.168.16.62
    > no ip http server
    > no ip http secure-server
    > ip http help-path
    > http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
    > ip radius source-interface BVI1
    > !
    > logging snmp-trap emergencies
    > logging snmp-trap alerts
    > logging snmp-trap critical
    > logging snmp-trap errors
    > logging snmp-trap warnings
    > radius-server host 192.168.16.35 auth-port 1812 acct-port 1813 key 7 xxxxx
    > !
    > control-plane
    > !
    > bridge 1 route ip
    > !
    > !
    > !
    > line con 0
    > transport preferred all
    > transport output all
    > line vty 0 4
    > password 7 xxxxx
    > transport preferred all
    > transport input all
    > transport output all
    > line vty 5 15
    > transport preferred all
    > transport input all
    > transport output all
    > !
    > end
     
    caroline brunel, May 27, 2005
