Hello all, I recently was given a strange task. An office needs to have everyone in their office on different VLANs. The reason for this is that each user is developing software and they need to test via wireless to other wireless devices. Lots and lots of broadcast, as well as different subnets.
Meraki Dynamic Vlan Assignment
So, how can we separate each of these users wirelessly and give each of them their own “play space”? You can accomplish this a couple of ways: we can have 100 different WLANs, each with its own VLAN, or use one SSID and use dynamic VLANs to separate them out. The tools I will be using are Ruckus Wireless ZoneDirector and APs, Microsoft NPS, and Wireshark to take a better look at what is happening at the packet level.

So first let's set everything up. We need to use 802.1X authentication for WLAN access. I will not walk through all the steps here, but I will definitely do another blog entry on setting that up.

So let's assume as of now we have 802.1X working great for authentication. Our next step is to create new Security Groups in AD and add our users to them. I added groups that reflected the VLAN name, for example WIFI-VLan-150, and then added the user I want to land on VLAN 150. Next let's create our RADIUS policies. Create a new Network Policy: match the group, add your encryption and other settings. See below. Then add the constraints you would like.

Next the magic happens: we have to add our RADIUS attributes. These are standard RADIUS attributes; we will add four of them for 802.1X.

Attributes to add:
1. Tunnel-Assignment-ID – String – Vlan ID.
2. Tunnel-Type – Select Virtual Lans (VLANS).
3. Tunnel-Medium-Type – Value – 802 – Commonly used for 802.1X.
4. Tunnel-Pvt-Group-ID – Value – String – Vlan ID. Note: I did not add this at first; this attribute is what fixed my issue and successfully pushed the VLAN ID to my client.

Here is a screenshot of all the attributes. Make sure this policy is above your default policies.

The next screenshot shows my order of policies. Notice I have one for VLAN 666 and one for VLAN 150. Then there is one for domain computers, then a catch-all for domain users. That's it for RADIUS; now we need to create the WLAN in Ruckus for our dynamic VLANs.

Remember, we are assuming everything works great with RADIUS authentication from the get-go. The main thing when creating the WLAN in Ruckus is to use 802.1X for authentication, and then under “Advanced” check the “Dynamic Vlan” box. You will notice I am using “SRV-dir03” for authentication (my RADIUS server). Apply this and we should be golden. To check and make sure you are on the correct VLAN/WLAN, you can always check your IP address or look in Ruckus and see what your info is. You notice mine –.
I'm trying to set up port-based authentication. I have one question that I can't seem to find a solid answer for. Everything I've been looking at so far seems to indicate that the extent of the VLAN assignment abilities is either authenticated or unauthenticated. In other words, it seems that there are only one or two VLANs that can be used with port-based authentication. I would like to set up a guest VLAN for unauthenticated users, and I would like the authenticated users to be assigned to a VLAN based on security group. For example, Finance should go to VLAN 4, Devs should go to VLAN 3, IT should go to VLAN 7.

Is this sort of thing possible, or can I only use two VLANs when it comes to 802.1X? Thanks in advance.

So the unauth-vid, auth-vid, etc. That's if you want the switch to assign the VLANs based on successful/failed auth. If you want it assigned depending on the AD groups, then that is where you would send back the VLAN from a RADIUS server (Microsoft NPS for example). In the RADIUS policies you would configure the mappings to the AD groups. This is documented in the advanced traffic management guide if I remember right, for the HPE device that is. And that is more about what attributes to use, not about setting up NPS.
I don't see any obvious issues. Do the problems occur on all SSIDs? I see your guest SSID goes out its own port; I don't see how a client there could draw from different DHCP scopes. You might try putting a VLAN on an unused port, then plugging in a laptop to see what it gets from DHCP.
That gets 1X, RADIUS, and the WLC out of the way.

```
set port 8 name test
set vlan 5 port 8
```

To try a different VLAN:

```
clear vlan 5 port 8
set vlan 4 port 8
```

Also, 'show sessions' will tell you to which VLAN each client has been assigned. I'm sure there's something similar in Ringmaster, but I can't help there.
Mike, I've been through all that. Drop me a mail and I can go through the NPS setup with you.
A lot depends on having a valid cert for PEAP. As for the VLANs, are you using Ringmaster? I've attached the view from one of my controllers. Loads of VLANs are sharing a single port. You just need to make sure that the default VLAN matches on the switch port and on the WLC port, and then match the tagged ports.
![Dynamic Dynamic](https://netconfigure.net/media/kunena/attachments/67/26.jpg)
Unless you give the controller VLAN an IP address (as I've done on a few), you won't be able to ping something.
This is laid out extremely well. It convinced me to (attempt to) move to a port ACL driven NAP implementation. I've hit a road block though in passing a RADIUS attribute that the switch will accept as a port ACL change. I've tried both the filter-id and cisco av-pair methods (I am running a Catalyst 4500 IOS 12.2(50)SG1). Has anyone successfully implemented port ACLs on Cisco?

I am curious about the syntax that was or would be used for the RADIUS attributes you passed. This would be a tremendous help! I've Googled this extensively and tried MANY different syntaxes. All valid info.
I ran through all of that in my many attempts to get the syntax correct. Turns out that my port wouldn't accept an ACL because I was using 'multi-domain' authentication mode. This allows for 2 devices to auth on a single port (IP phone tethered with PC). To use filter-id you must be in 'single-host' authentication mode or port ACLs are disabled. Enter downloadable ACLs. DACLs SHOULD allow for ACLs on ports with multiple devices. The switch tracks the IP address of the devices and modifies the ACL appropriately.

The trouble is, all reference to DACL config deals with ACS RADIUS. I really want to use this with NPS (and NAP of course :). Has anyone been able to use DACLs with a RADIUS server other than ACS??? RADIUS is a STANDARD so I have to believe it's achievable. Also I wanted to share this KB as well. Both methods detailed didn't work for me, but may work for others.

SBAP, for Cisco devices they are a bit picky when it comes to what attributes they receive, as I have run into this at other customer sites. For instance, if you send both VLAN attributes as well as the Filter-ID, the device will simply not respond and it is tough to troubleshoot. For ACLs, Cisco devices require that you define the ACL first on the switch, then send the Filter-ID attribute configured with a string value to reference the ACL.

For example, if you have an inbound ACL defined as '10', then the Filter-ID attribute value you would configure and send back would be '10.in'. If your ACL isn't referencing inbound or outbound traffic, then you don't need to configure the '.in' or '.out' and the string value for the Filter-ID would just be '10'. Hope this helps. Pat.
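As an added example (not the blog author's, any poster's, or any vendor's code), this Python script shows what the four VLAN attributes from the blog post and Pat's Filter-ID advice look like on the wire. It builds a RADIUS Access-Accept carrying the RFC 2868 tunnel attributes an NPS policy sends for a VLAN, parses the packet back into attributes the way Wireshark would, returns the VLAN a switch or AP would apply (including the RFC 2868 rule that a leading byte above 0x1F is data, not a tag), builds a Cisco-style Filter-Id value ('10', '10.in', '10.out'), and flags the two failure modes described on this page: a missing Tunnel-Private-Group-ID, and VLAN attributes sent together with Filter-Id. The attribute numbers and enum values are from RFC 2865 and RFC 2868; the tag value 0, the packet identifier and the authenticator are constructed placeholders (a real Response Authenticator is an MD5 over the request and shared secret, which the script does not compute).

```python
import os
import struct

# RADIUS attribute type codes (RFC 2865 / RFC 2868)
FILTER_ID = 11
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_ASSIGNMENT_ID = 82

TUNNEL_TYPE_VLAN = 13        # "Virtual LANs (VLAN)" in NPS
TUNNEL_MEDIUM_IEEE_802 = 6   # "802" in NPS
ACCESS_ACCEPT = 2            # RADIUS packet code


def attr(atype, value):
    """Encode one RADIUS attribute as Type(1) Length(1) Value."""
    if not 0 < len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return bytes([atype, len(value) + 2]) + value


def tagged_int(tag, value):
    """RFC 2868 tagged integer: one tag byte followed by a 3-byte integer."""
    return bytes([tag]) + value.to_bytes(3, "big")


def tagged_string(tag, text):
    """RFC 2868 tagged string: tag byte (must be <= 0x1F) followed by the string."""
    if tag > 0x1F:
        raise ValueError("tag must be <= 0x1F to be distinguishable from data")
    return bytes([tag]) + text.encode()


def vlan_attrs(vlan_id, tag=0):
    """The four attributes the blog post configures in NPS for a VLAN (tag 0 is a constructed choice)."""
    return [
        attr(TUNNEL_TYPE, tagged_int(tag, TUNNEL_TYPE_VLAN)),
        attr(TUNNEL_MEDIUM_TYPE, tagged_int(tag, TUNNEL_MEDIUM_IEEE_802)),
        attr(TUNNEL_PRIVATE_GROUP_ID, tagged_string(tag, str(vlan_id))),
        attr(TUNNEL_ASSIGNMENT_ID, tagged_string(tag, str(vlan_id))),
    ]


def cisco_filter_id(acl_name, direction=None):
    """Filter-Id string for a pre-defined switch ACL, per Pat's reply: '10', '10.in' or '10.out'."""
    if direction not in (None, "in", "out"):
        raise ValueError("direction must be None, 'in' or 'out'")
    return acl_name if direction is None else f"{acl_name}.{direction}"


def build_access_accept(identifier, attributes, authenticator=None):
    """Assemble a RADIUS packet; the authenticator is a random placeholder here."""
    authenticator = authenticator or os.urandom(16)
    body = b"".join(attributes)
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(body))
    return header + authenticator + body


def parse_attributes(packet):
    """Walk the attribute TLVs of a RADIUS packet, rejecting malformed lengths."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        raise ValueError("bad RADIUS length field")
    attributes, pos = [], 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attributes.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return attributes


def strip_tag(value):
    """RFC 2868 3.6: a first byte > 0x1F is part of the string, not a tag."""
    if value and value[0] <= 0x1F:
        return value[0], value[1:]
    return None, value


def assigned_vlan(attributes):
    """VLAN a switch/AP would apply, or None if the tunnel triplet is incomplete or inconsistent."""
    by_type = {}
    for atype, value in attributes:
        by_type.setdefault(atype, value)
    if not {TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID} <= by_type.keys():
        return None
    if int.from_bytes(by_type[TUNNEL_TYPE][1:], "big") != TUNNEL_TYPE_VLAN:
        return None
    if int.from_bytes(by_type[TUNNEL_MEDIUM_TYPE][1:], "big") != TUNNEL_MEDIUM_IEEE_802:
        return None
    _, group = strip_tag(by_type[TUNNEL_PRIVATE_GROUP_ID])
    vlan_id = int(group.decode())
    return vlan_id if 1 <= vlan_id <= 4094 else None


def policy_warnings(attributes):
    """Flag the two mistakes described on this page before the policy goes live."""
    types = {atype for atype, _ in attributes}
    warnings = []
    if FILTER_ID in types and TUNNEL_PRIVATE_GROUP_ID in types:
        warnings.append("VLAN tunnel attributes and Filter-Id sent together")
    if TUNNEL_TYPE in types and TUNNEL_PRIVATE_GROUP_ID not in types:
        warnings.append("Tunnel-Private-Group-ID missing; VLAN will not be applied")
    return warnings


if __name__ == "__main__":
    packet = build_access_accept(1, vlan_attrs(150))
    print("assigned VLAN:", assigned_vlan(parse_attributes(packet)))
    print("warnings:", policy_warnings(parse_attributes(packet)))
```

Running the script against a capture is the same flow: feed the raw UDP payload of the Access-Accept to parse_attributes and check assigned_vlan and policy_warnings. The "missing Tunnel-Private-Group-ID" warning reproduces the blog author's original symptom, where the other three attributes were present but the client never landed on VLAN 150.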