Hello all, I'm using RFS4000 v5.1.0.0.74R and ap650. I'm trying to set a config with a WLAN with mac authentication for dynamic vlan assignment. Is this feature working in WiNG 5.1? My result is that radius is not used when authentication/mac is selected in WLAN/security. I see that all wifi clients are allowed to connect. I can see vlan load balancing, but not dynamic vlan. Option "allow radius vlan override" is checked. Logs do not show radius handshake for wifi clients. I'm expecting to see wifi clients assigned to a vlan depending on their mac address. I'm using the on-board controller. What am I missing for radius to run? I have attached the startup-config file (mac-auth.txt). Any idea?
WiNG5.1 mac authentication dynamic vlans working ?
2 Replies
I have had trouble getting on-board RADIUS to work when my server policy is set as you have it with server type "onboard-controller". Maybe someone from the BU can bring clarity to this, but I've been running my system with my server type set to "host" pointing it to the management IP of my RFS4000 (as we did in WiNG 4.x), and it is working well.

See my event log below from a test I ran this morning to show RADIUS VLAN override working for an EAP auth'd WLAN. You can see my DROID successfully connecting to the same SSID using two different sets of EAP credentials and being placed onto the appropriate VLAN (read from bottom-up).

2011-07-05 09:48:07 5C-0E-8B-33-77-B0 DOT11 WPA_WPA2_SUCCESS Client 'F8-7B-7A-50-E4-B8' completed WPA2-AES handshake on wlan 'Dot1X' radio 'ap650LAB:R1'
2011-07-05 09:48:07 5C-0E-8B-33-77-B0 DOT11 EAP_SUCCESS Client 'F8-7B-7A-50-E4-B8' 802.1x/EAP (type:peap) authentication success on wlan 'Dot1X' radio 'ap650LAB:R1'
2011-07-05 09:48:07 5C-0E-8B-33-77-B0 AAA RADIUS_VLAN_UPDATE Assigning Radius server specified vlan 1 to client 'F8-7B-7A-50-E4-B8' on wlan 'Dot1X'
2011-07-05 09:48:06 5C-0E-8B-33-77-B0 DOT11 CLIENT_ASSOCIATED Client 'F8-7B-7A-50-E4-B8' associated to wlan 'Dot1X' ssid 'Dot1X' on radio 'ap650LAB:R1'
2011-07-05 09:47:28 5C-0E-8B-33-77-B0 DOT11 CLIENT_DISASSOCIATED Client 'F8-7B-7A-50-E4-B8' disassociated from wlan 'Dot1X' radio 'ap650LAB:R1': client initiated (reason code:1)
2011-07-05 09:45:40 5C-0E-8B-33-77-B0 DOT11 WPA_WPA2_SUCCESS Client 'F8-7B-7A-50-E4-B8' completed WPA2-AES handshake on wlan 'Dot1X' radio 'ap650LAB:R1'
2011-07-05 09:45:40 5C-0E-8B-33-77-B0 DOT11 EAP_SUCCESS Client 'F8-7B-7A-50-E4-B8' 802.1x/EAP (type:peap) authentication success on wlan 'Dot1X' radio 'ap650LAB:R1'
2011-07-05 09:45:40 5C-0E-8B-33-77-B0 AAA RADIUS_VLAN_UPDATE Assigning Radius server specified vlan 10 to client 'F8-7B-7A-50-E4-B8' on wlan 'Dot1X'
2011-07-05 09:45:40 5C-0E-8B-33-77-B0 DOT11 CLIENT_ASSOCIATED Client 'F8-7B-7A-50-E4-B8' associated to wlan 'Dot1X' ssid 'Dot1X' on radio 'ap650LAB:R1'

So the feature works. It sounds like your RADIUS authentication isn't even happening, so try changing your server type to "host".

Also, it does not look like your RADIUS Groups are applied to your RADIUS Server Policy, and LDAP Group Verification doesn't appear to be enabled. Once RADIUS auth is working, this may prevent the group assigned VLAN from being provided for RADIUS VLAN override to work.

(config-radius-server-policy-)*# use radius-group Group10
use radius-group Group20
ldap-group-verification
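Added example, not part of either poster's reply and not vendor code: a small Python check that reads an event log in the format shown above and lists every association that never got a RADIUS_VLAN_UPDATE, which is the symptom described in the question. It assumes the log is exported as plain text with one event per line; the first sample line, its client MAC and the wlan name 'MacAuth' are constructed.

```python
import re

# Layout seen in the event log above: date time reporter-MAC MODULE EVENT message
LINE = re.compile(r"^(\S+ \S+) (\S+) (\w+) (\w+) (.*)$")
CLIENT = re.compile(r"[Cc]lient '([0-9A-Fa-f-]{17})'")
WLAN = re.compile(r"wlan '([^']+)'")
VLAN = re.compile(r"specified vlan (\d+)")

def sessions(log_text, newest_first=True):
    """One dict per association; 'vlan' stays None if RADIUS never assigned one."""
    lines = [l.strip() for l in log_text.splitlines() if l.strip()]
    if newest_first:  # the log above reads bottom-up
        lines.reverse()
    found, active = [], {}
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        when, _reporter, _module, event, msg = m.groups()
        c, w = CLIENT.search(msg), WLAN.search(msg)
        if not (c and w):
            continue
        key = (c.group(1).upper(), w.group(1))
        if event == "CLIENT_ASSOCIATED":
            active[key] = {"client": key[0], "wlan": key[1], "since": when, "vlan": None}
            found.append(active[key])
        elif event == "RADIUS_VLAN_UPDATE" and key in active:
            v = VLAN.search(msg)
            if v:
                active[key]["vlan"] = int(v.group(1))
        elif event == "CLIENT_DISASSOCIATED":
            active.pop(key, None)
    return found

def without_radius_vlan(log_text):
    """Associations that never received a RADIUS-assigned VLAN."""
    return [s for s in sessions(log_text) if s["vlan"] is None]

# Lines copied from the log above, plus one constructed line (the first) for a
# hypothetical client on a hypothetical wlan 'MacAuth' with no RADIUS event.
SAMPLE = """
2011-07-05 09:50:00 5C-0E-8B-33-77-B0 DOT11 CLIENT_ASSOCIATED Client '00-11-22-33-44-55' associated to wlan 'MacAuth' ssid 'MacAuth' on radio 'ap650LAB:R1'
2011-07-05 09:48:07 5C-0E-8B-33-77-B0 AAA RADIUS_VLAN_UPDATE Assigning Radius server specified vlan 1 to client 'F8-7B-7A-50-E4-B8' on wlan 'Dot1X'
2011-07-05 09:48:06 5C-0E-8B-33-77-B0 DOT11 CLIENT_ASSOCIATED Client 'F8-7B-7A-50-E4-B8' associated to wlan 'Dot1X' ssid 'Dot1X' on radio 'ap650LAB:R1'
2011-07-05 09:47:28 5C-0E-8B-33-77-B0 DOT11 CLIENT_DISASSOCIATED Client 'F8-7B-7A-50-E4-B8' disassociated from wlan 'Dot1X' radio 'ap650LAB:R1': client initiated (reason code:1)
2011-07-05 09:45:40 5C-0E-8B-33-77-B0 AAA RADIUS_VLAN_UPDATE Assigning Radius server specified vlan 10 to client 'F8-7B-7A-50-E4-B8' on wlan 'Dot1X'
2011-07-05 09:45:40 5C-0E-8B-33-77-B0 DOT11 CLIENT_ASSOCIATED Client 'F8-7B-7A-50-E4-B8' associated to wlan 'Dot1X' ssid 'Dot1X' on radio 'ap650LAB:R1'
"""

if __name__ == "__main__":
    for s in without_radius_vlan(SAMPLE):
        print("no RADIUS VLAN:", s["client"], "on", s["wlan"], "since", s["since"])
```

Events that share a timestamp are ordered by their position in the log, so keep the export in the order the controller shows it.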
Jared, when I have the radius server policy attached to the rfs4000 device, the radius server does not start (radius server timeout in the logs). When I attach the radius server policy to a rfs4000 profile, the radius server does start (both cases using onboard-controller). I will try the host config as well. I'm also missing ldap group verification. I will try mac authentication. Could you post your startup-config please?