We tested AP6511 at Correos with RADIUS dynamic VLAN and it did not work. Same scenario worked fine with Wing4 RSF7000+AP650. First of all, of course UP1 interface was properly set to trunk mode and the right VLANs were specified. Ethernet switch was also properly configured and we actually could connect to AP6511. Three VLANs were involved: 500 as "native/admin", to get into AP6511 and so. 240 and 242 as "variable" VLANs to forward wireless traffic as RADIUS tells AP6511, both on the same WLAN. We first only checked Allow Radius Override radio button, which did not work; so we then tried to also uncheck Single VLAN radio button in order to specify all the two required VLANs (otherwise only one VLAN is allowed). No way to uncheck this one! So we went to the CLI. In this case, we tried to use vlan-pool-member to add these VLANs, to no avail. This command is not even valid!! So, first question: does AP6511 work with Dynamic VLANs? If so, is there a bug or is this a mistake (two actually, one on GUI, the other on CLI) I might have made? How do I then set AP6511 to work with RADIUS dynamic VLANs?
AP6511 RADIUS dynamic VLAN |
4 Replies
Thanks Jared! Let me first explain that I tried this VLAN pool thing after checking "Allow Radius Override" did not work. Now I understand it has nothing to do with my problem. I have noticed two major differences between your scenario and mine: First, you use a RFS4000+AP650, and I used an AP6511 in standalone bridged mode (i.e, "normal" AP). Second, you used internal RADIUS while I used external RADIUS . You assign VLAN 1 to group Admin, and 10 to Users. I do not think this is the root cause because this very RADIUS is working fine with RFS7000+AP650 Wing4. It is a ACS, by the way. In both cases, we obviously used trunking (AP6511 up1 and RFS4000 ge3). I suspect that maybe AP6511 firmware does not support Dynamic VLAN when in standalone mode. Can someone confirm or not? On the other hand, could you do me a BIG favour, Jared, if you are so kind? I would do but I do not have a known-to-work system :( . Take a AP6511, configure as standalone bridged, check this "allow radius override", configure up1 as trunk for VLAN1 and 10, and finally create your Dot1X WLAN, except RADIUS is RFS4000's! This would replicate my scenario, but with a known-to-work RADIUS. THANKS!!
Hi Juan, At this time there are no known issues with the AP6511 and dynamic VLANs using the latest 5.1 release. They should be supported. Can I ask you to please get in touch with support and open a ticket with them? If it's a config issue they'll be able to advise and if it's a bug they'll be able to get it into the system so we can get it fixed asap. With 5.2 in Beta we need to get possible issues identified quickly. Many thanks! Mike
Thanks to you, Mike!
Dynamic VLAN configuration via RADIUS Override does not require that you configure a VLAN pool. VLAN pooling is used only when you want to load balance users across the set of VLANs specified in the pool. This is why you're unable to uncheck the "Single VLAN" radio button in the UI and the command to configure a VLAN pool from the CLI is invalid. The single VLAN specified would be the VLAN which users would be placed onto by default should that user not be configured with a RADIUS VLAN attribute. RADIUS Override functions by placing the user's traffic onto the VLAN specified in the RADIUS attribute. All that is required from a VLAN configuration perspective is that the AP and/or the controller have VLAN membership to all required VLANs (and trunk ports on the wired infrastructure, of course). Whether the VLAN is configured on the AP or the controller is determined by how the traffic is being bridged - locally or tunneled. For locally bridged VLAN, the AP must have that VLAN allowed on it's trunk port, and for tunneled VLANs the RFS must have the same. Attached is my working lab configuration for RADIUS VLAN Override running on an RFS4000 and AP650, WiNG 5.1.0-74R.