Cisco 4404, IAS 2003, and Dynamic VLANS
Posted August 30th, 2008 at 05:07 PM by GroundZero3
One of my earlier posts on this blog documented setting up a Cisco Wireless Controller, one of the coolest devices around, because the idea of managing 100 APs by hand makes me want to cry. We are finally putting the wireless into production for some of our students, so we needed another SSID with WPA/802.1x on a different VLAN. I added the SSID and its security settings and noticed that clients on it were pulling IP addresses from our wired DHCP server (10.5.8.x) when they were supposed to pull from the 10.5.96.x scope. I knew I had set up a DHCP scope just for this new VLAN, with the helper address. I checked on the controller to see which VLAN the client was being dumped into: it was in 10 and I needed it in 91. Here is some information on my setup:
VLAN 10 (wired) 10.5.8.x
VLAN 90 (wireless SSID TECHS security WPA/802.1x PEAP) 10.5.88.x
VLAN 91 (wireless SSID Students security WPA/802.1x PEAP) 10.5.96.x
So after 4 days of fighting with this issue, I think I have it worked out. Using this website, Configuring IAS, and some other MS TechNet pages, it was pretty straightforward (or so I thought). I made two policies in IAS. That fixed wireless clients getting IP addresses from VLAN 10, but clients that should have landed in VLAN 91 were now getting addresses from VLAN 90. So, to review, I had two IAS policies for the wireless:
Policy 1 name: WirelessVLAN 90
Advanced settings: Tunnel-Medium-Type: 802
Tunnel-PVT-Group-ID: 90 (string)
Tunnel-Type: VLAN
Policy 2 name: WirelessVLAN 91
Advanced settings: Tunnel-Medium-Type: 802
Tunnel-PVT-Group-ID: 91 (string)
Tunnel-Type: VLAN
*Note: most documentation says you have to set the Tunnel-Tag. I did not enable this option.* So I was racking my brain over why all wireless clients hit the first policy and just got dumped into it. I knew the VLANs themselves worked: I made a test SSID in VLAN 91 with no security, joined it, and it dropped me right into the VLAN 91 DHCP pool. So it was IAS causing the issue. I kept reviewing the advanced options to see if there was something I had missed. I ran debugs of the AAA exchanges on the WLC, which didn't help at all. Then I got the idea of entering the Tunnel-PVT-Group-ID in hexadecimal.
New IAS policies:
Policy 1 name: WirelessVLAN 90
Advanced settings: Tunnel-Medium-Type: 802
Tunnel-PVT-Group-ID: 0x5a (hex)
Tunnel-Type: VLAN
Policy 2 name: WirelessVLAN 91
Advanced settings: Tunnel-Medium-Type: 802
Tunnel-PVT-Group-ID: 0x5b (hex)
Tunnel-Type: VLAN
Just when I was giving up hope, it worked! Putting the VLAN ID into hexadecimal was the solution. Also note, for those attempting this on a WLC, that Cisco's documentation says to set the WLAN's interface to management with AAA override enabled. I left AAA override enabled, but for the interface I picked the interface I had created under Controller > Interfaces.
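To see exactly what the two IAS settings above put on the wire, here is an added example (not code from the original post, nor from Microsoft or Cisco) that encodes and decodes the three RFC 2868 tunnel attributes a RADIUS server returns in an Access-Accept for dynamic VLAN assignment. The attribute numbers (Tunnel-Type 64, Tunnel-Medium-Type 65, Tunnel-Private-Group-ID 81) and the values VLAN (13) and IEEE-802 (6) are from RFC 2868, and the decoder follows the RFC's rule that the first octet of the string attribute is a tag only when it is 0x00..0x1F. The helper `group_id_as_decimal` is my own assumption that the NAS reads the group ID as ASCII decimal digits; compare its answer with a capture of the Access-Accept your IAS server actually sends before relying on either setting.

```python
"""Encode/decode RFC 2868 tunnel attributes for dynamic VLAN assignment.

Added example, not code from the original post.  Attribute numbers and
enumeration values are from RFC 2868; group_id_as_decimal is an assumption
about how a NAS interprets Tunnel-Private-Group-ID.
"""
import struct

TUNNEL_TYPE = 64            # Tunnel-Type
TUNNEL_MEDIUM_TYPE = 65     # Tunnel-Medium-Type
TUNNEL_PVT_GROUP_ID = 81    # Tunnel-Private-Group-ID
TUNNEL_TYPE_VLAN = 13       # "VLAN" enumeration value
TUNNEL_MEDIUM_IEEE_802 = 6  # "IEEE 802" medium


def encode_avp(attr_type, value):
    """One RADIUS attribute: Type (1 octet), Length (1 octet, inclusive), Value."""
    if not 0 <= attr_type <= 255 or len(value) > 253:
        raise ValueError("attribute out of range")
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def encode_tagged_int(attr_type, tag, number):
    """Tagged integer: one tag octet (0x00 = no tag) plus a 24-bit value."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0x00..0x1F")
    return encode_avp(attr_type, bytes([tag]) + struct.pack("!I", number)[1:])


def encode_tagged_string(attr_type, tag, data):
    """Tagged string: the tag octet is optional; omit it when tag is None."""
    if tag is None:
        return encode_avp(attr_type, data)
    if not 1 <= tag <= 0x1F:
        raise ValueError("string tag must be 0x01..0x1F")
    return encode_avp(attr_type, bytes([tag]) + data)


def build_vlan_attributes(group_id, tag=None):
    """Return the three attributes that place a client into a VLAN.

    group_id is the raw octets that go into Tunnel-Private-Group-ID, so the
    caller can see the difference between b"90" (the two digits, what the
    IAS 'string' setting means) and bytes([0x5A]) (one raw octet)."""
    t = 0 if tag is None else tag
    return (encode_tagged_int(TUNNEL_TYPE, t, TUNNEL_TYPE_VLAN)
            + encode_tagged_int(TUNNEL_MEDIUM_TYPE, t, TUNNEL_MEDIUM_IEEE_802)
            + encode_tagged_string(TUNNEL_PVT_GROUP_ID, tag, group_id))


def iter_avps(blob):
    """Yield (type, value) for each attribute; reject truncated or bad lengths."""
    i = 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        attr_type, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError("bad attribute length")
        yield attr_type, blob[i + 2:i + length]
        i += length


def decode_tunnel_attributes(blob):
    """Decode the tunnel attributes as a NAS would: {type: (tag, value)}.

    Integer attributes always carry a tag octet.  For the string attribute
    the first octet is a tag only when it is 0x00..0x1F; otherwise it is the
    first character of the group ID (RFC 2868 section 3.6)."""
    out = {}
    for attr_type, value in iter_avps(blob):
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if len(value) != 4:
                raise ValueError("tagged integer must be 4 octets")
            out[attr_type] = (value[0], int.from_bytes(value[1:], "big"))
        elif attr_type == TUNNEL_PVT_GROUP_ID:
            if value and value[0] <= 0x1F:
                out[attr_type] = (value[0], value[1:])
            else:
                out[attr_type] = (0, value)
    return out


def group_id_as_decimal(value):
    """ASSUMPTION: the NAS reads the group ID as ASCII decimal digits.
    Returns the VLAN number, or None when the octets are not digits."""
    return int(value) if value.isdigit() else None


if __name__ == "__main__":
    for label, gid in (("string 90", b"90"), ("hex 0x5a", bytes([0x5A]))):
        wire = build_vlan_attributes(gid)
        decoded = decode_tunnel_attributes(wire)
        print(label, wire.hex(), decoded, group_id_as_decimal(decoded[81][1]))
```

The string setting sends the two characters '9' and '0', while the hexadecimal setting sends the single octet 0x5A; those are different values on the wire, and a packet capture of the Access-Accept will show which one your server emits. The Tunnel-Tag option mentioned above adds a one-octet prefix (0x01..0x1F) to each of the three attributes so a NAS can group them when a policy returns more than one tunnel; passing `tag=1` to `build_vlan_attributes` shows what that looks like.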
Hope this helps anyone attempting this. If you have any questions, don't be afraid to post replies!