[c-nsp] 802.1x with radius server and cisco AP

Zacchello Marco Marco.Zacchello at netengineering.it
Fri Mar 9 05:53:40 EST 2007


Hi to all,

We are working on 802.1x, with dynamic VLAN assignment by a RADIUS
server (FreeRADIUS).
Everything is working with the wired part of the system (c2950): the
802.1x clients are asked for credentials, and then, if the auth is
successful, the corresponding switch port is dynamically assigned to
the VLAN associated with the user.
Now we are working with a Cisco AIR-AP1131AG-E-K9 (Version 12.3(8)JA2),
PEAP on the clients, and the same RADIUS server.
The clients get authenticated, and the RADIUS server forwards the VLAN
attributes to the AP:

* IETF 64 (Tunnel Type): Set this attribute to VLAN
* IETF 65 (Tunnel Medium Type): Set this attribute to 802
* IETF 81 (Tunnel Private Group ID): Set this attribute to vlan-id

(the same used with the c2950 switch), but the AP doesn't override the
VLAN statically associated with the SSID.

Cisco says that
(http://cisco.com/en/US/products/hw/wireless/ps430/products_configuration_guide_chapter09186a0080607188.html):

The VLAN-mapping process consists of these steps:
1. A client device associates to the access point using any SSID
   configured on the access point.
2. The client begins RADIUS authentication.
3. When the client authenticates successfully, the RADIUS server maps
   the client to a specific VLAN, regardless of the VLAN mapping
   defined for the SSID the client is using on the access point. If the
   server does not return any VLAN attribute for the client, the client
   is assigned to the VLAN specified by the SSID mapped locally on the
   access point.


Any ideas on how to configure the AP to override the VLAN?


Regards


Marco
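
Added example, not part of the original post: a Python sketch that decodes a RADIUS Access-Accept and reports the VLAN carried by the three tunnel attributes listed above, which helps confirm from a capture what the server actually hands to the AP. The function names and the sample packet are constructed for illustration; the numeric values 13 (VLAN) and 6 (IEEE-802) come from RFC 2868 / RFC 3580, and attributes are grouped by their RFC 2868 tag.

```python
ACCESS_ACCEPT = 2
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TT_VLAN, TMT_IEEE_802 = 13, 6      # values from RFC 2868 / RFC 3580

def parse_attributes(packet):
    """Return (code, [(type, value_bytes), ...]) from a raw RADIUS packet."""
    length = int.from_bytes(packet[2:4], "big")
    if not 20 <= length <= len(packet):   # 20 = 4-byte header + 16-byte authenticator
        raise ValueError("bad RADIUS length field")
    attrs, pos = [], 20
    while pos < length:
        alen = packet[pos + 1] if pos + 2 <= length else 0
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((packet[pos], packet[pos + 2:pos + alen]))
        pos += alen
    return packet[0], attrs

def vlan_assignment(packet):
    """Return the assigned VLAN id string, or None if no complete VLAN triplet is present."""
    code, attrs = parse_attributes(packet)
    if code != ACCESS_ACCEPT:
        return None
    tunnels = {}                   # tag -> {attribute type: decoded value}
    for atype, val in attrs:
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE) and len(val) == 4:
            # 1-byte tag followed by a 3-byte integer value
            tunnels.setdefault(val[0], {})[atype] = int.from_bytes(val[1:], "big")
        elif atype == TUNNEL_PRIVATE_GROUP_ID and val:
            # The first byte is a tag only when it is 0x01..0x1F; otherwise it is data
            tag, data = (val[0], val[1:]) if 1 <= val[0] <= 0x1F else (0, val)
            tunnels.setdefault(tag, {})[atype] = data.decode("ascii", "replace")
    for t in tunnels.values():
        if (t.get(TUNNEL_TYPE) == TT_VLAN and t.get(TUNNEL_MEDIUM_TYPE) == TMT_IEEE_802
                and TUNNEL_PRIVATE_GROUP_ID in t):
            return t[TUNNEL_PRIVATE_GROUP_ID]
    return None

def build_accept(attrs):
    """Build a constructed Access-Accept (zeroed authenticator) for offline testing."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return bytes([ACCESS_ACCEPT, 1]) + (20 + len(body)).to_bytes(2, "big") + bytes(16) + body

# Constructed sample: untagged Tunnel-Type=VLAN, Tunnel-Medium-Type=802, group id "20"
SAMPLE = build_accept([(64, b"\x00\x00\x00\x0d"), (65, b"\x00\x00\x00\x06"), (81, b"20")])

if __name__ == "__main__":
    print("VLAN from Access-Accept:", vlan_assignment(SAMPLE))
```

A result of None for a reply that was expected to carry a VLAN points at the server side (missing or inconsistently tagged attributes) rather than at the AP configuration.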

 


