
Author Topic: Radius Authentication Problem with different Vlan  (Read 7302 times)

Offline netter007

  • Rookie
  • **
  • Posts: 21
Radius Authentication Problem with different Vlan
« on: May 23, 2013, 07:54:38 PM »
Dear,

I have a problem with wireless connectivity. I have deployed a branch site using AP 6532, with a controller 4000 in HO. In the branch site, there's only one VLAN, VLAN 10. The AP's port is set as access VLAN 10, but the SSID (local bridging) is set to VLAN 1. With this configuration, users can't connect/authenticate via RADIUS. Is that true? Or is this an issue in another part of the configuration? (Note: the RADIUS configuration is right.) Please advise, urgent!!

Thx,



Offline MWG

  • Jr. Member
  • **
  • Posts: 28
Re: Radius Authentication Problem with different Vlan
« Reply #1 on: May 24, 2013, 04:58:00 AM »
Hi netter007,

Where is the RADIUS server? Is it the controller in the HO or an external one?
If it is an external RADIUS server, you have to set the Request proxy mode parameter in the AAA policy to Through Wireless Controller. Otherwise each AP will try to "talk" directly to the RADIUS server, which should not happen.
If the Radius server is the internal one, please post your config and I will have a look.



Offline netter007

  • Rookie
  • **
  • Posts: 21
Re: Radius Authentication Problem with different Vlan
« Reply #2 on: May 24, 2013, 06:44:29 AM »
The RADIUS server is external to the controller. In the branch, there's a RADIUS server for authentication for that AP. But I see the RADIUS configuration doesn't use "proxy through controller"; I only added a new RADIUS server configuration because of the new IP of the RADIUS server, and the new RADIUS client has been added on the RADIUS server. The controller is in the HO and the AP is in the branch, but using local bridging for that SSID.
Please give your advice.
thx,

Offline MWG

  • Jr. Member
  • **
  • Posts: 28
Re: Radius Authentication Problem with different Vlan
« Reply #3 on: May 24, 2013, 07:18:54 AM »
Please try in the AP CLI the command:

service radius test <ip address of the radius server> <shared secret> <radius user account name> <radius account password>

Do you get a reply indicating that the authentication is ok?
If so, the AP is properly configured and something is wrong in your AAA policy.

If not, there could be various problems.
Please post your config.

Offline netter007

  • Rookie
  • **
  • Posts: 21
Re: Radius Authentication Problem with different Vlan
« Reply #4 on: May 24, 2013, 07:24:05 AM »
Is there a problem if the VLAN for the SSID and the management interface VLAN are different? The port connected to the switch is an access VLAN port, and we can connect to this AP from the RADIUS server's segment.

thx,


Offline MWG

  • Jr. Member
  • **
  • Posts: 28
Re: Radius Authentication Problem with different Vlan
« Reply #5 on: May 24, 2013, 07:33:14 AM »
There could be a problem with the VLAN assignment, but that depends again on your config.
If the WLAN is in tunnel mode and the APs are all MiNT Level 1 adopted, it is fine to run the Ethernet port of the AP in access mode.
But if the WLAN is set to local breakout, the AP should be configured as an 802.1q trunk.

Again, please follow my recommendations and post your config.
Otherwise I'm not able to help in a timely manner.

Offline netter007

  • Rookie
  • **
  • Posts: 21
Re: Radius Authentication Problem with different Vlan
« Reply #6 on: May 24, 2013, 08:50:56 AM »
This is the configuration:

ap6521 5C-0E-8B-F4-B3-D8
 use profile AP6521_PERFETTI
 use rf-domain W_PVMI
 hostname AP6521_JAKARTA_1
 location JAKARTA
 mint link vlan 1
 mint link vlan 2
 ip default-gateway 97.0.0.254
 interface radio1
  wlan WLAN_JKT bss 1 primary
  wlan WLAN_TEMP_VLAN2 bss 2 primary
  wlan WLAN_GUEST_BOGOR bss 3 primary
  wlan W-ICT bss 4 primary
 interface ge1
  switchport mode access
  switchport access vlan 2
 interface vlan1
 interface vlan2
  ip address 97.0.2.60/8
 controller host 94.0.2.50

aaa-policy AAA_JKT
 authentication server 1 host 97.0.0.91 secret 0 wlanpvmi

wlan WLAN_JKT
 ssid W-JKT
 vlan 2
 bridging-mode local
 encryption-type tkip-ccmp
 authentication-type eap
 use aaa-policy AAA_JKT

Using this configuration, users could connect properly, but after I changed the IP address to the new IP address segment on interface vlan 2 and in the aaa-policy, the VLAN on the switch interface connected to the AP is VLAN 10 in access mode. Is this a problem?

Thx

Offline MWG

  • Jr. Member
  • **
  • Posts: 28
Re: Radius Authentication Problem with different Vlan
« Reply #7 on: May 24, 2013, 09:07:37 AM »
netter007,

Both Ethernet ports (the one in the AP and the one in the Ethernet switch) are in access mode, therefore the VLAN id does not matter.

But if you change the ip address of the AP you have to change the default gateway too.
Did you try to ping from the AP cli the radius server?
Is the default gateway of the AP still reachable when you change the ip address?
Can you ping the default gateway?

Is the new AP ip address put into the radius server as a client ip?

What is the error message shown in the log file?
Did you try the service radius test command? What was the outcome?

Offline netter007

  • Rookie
  • **
  • Posts: 21
Re: Radius Authentication Problem with different Vlan
« Reply #8 on: May 24, 2013, 09:11:54 AM »
Connectivity from the server to the AP is okay, no issues, and the gateway is configured properly. From your answer, is there no problem with the VLAN for the SSID being different from the management interface VLAN ID, because it is connected to an access-mode port on the switch?

Thx,

Offline MWG

  • Jr. Member
  • **
  • Posts: 28
Re: Radius Authentication Problem with different Vlan
« Reply #9 on: May 24, 2013, 09:40:28 AM »
The AP should get only a new ip address.
The VLAN id should stay on 2 like the VLAN id in the WLAN settings.
If you change the VLAN id they have to match in the AP and the WLAN settings.
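
The checks asked for in Replies #7 and #9 (gateway inside the AP's new subnet, a path to the RADIUS server, matching VLAN ids, AP address registered as a RADIUS client), as an added example that is not part of the original thread. The sample is constructed: it is trimmed from the config in Reply #6 with the shared secret replaced by a placeholder, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample: trimmed from the config in Reply #6, secret replaced.
SAMPLE = """\
ap6521 5C-0E-8B-F4-B3-D8
 ip default-gateway 97.0.0.254
 interface ge1
  switchport mode access
  switchport access vlan 2
 interface vlan2
  ip address 97.0.2.60/8
aaa-policy AAA_JKT
 authentication server 1 host 97.0.0.91 secret 0 PLACEHOLDER
wlan WLAN_JKT
 vlan 2
 bridging-mode local
"""

def parse(cfg):
    """Extract only the fields the checks need; not a full config parser."""
    def one(pattern):
        m = re.search(pattern, cfg, re.M)
        return m.group(1) if m else None
    return {
        "iface": one(r"^\s*ip address (\S+)"),
        "gateway": one(r"^\s*ip default-gateway (\S+)"),
        "radius": one(r"^\s*authentication server \d+ host (\S+)"),
        "port_vlan": one(r"^\s*switchport access vlan (\d+)"),
        "wlan_vlan": one(r"^\s*vlan (\d+)\s*$"),
        "local": one(r"^\s*bridging-mode (local)") is not None,
    }

def check(cfg):
    """Return findings for the gateway, RADIUS path and VLAN questions."""
    f = parse(cfg)
    missing = [k for k in ("iface", "gateway", "radius") if not f[k]]
    if missing:
        return ["missing from config: " + ", ".join(missing)]
    iface = ipaddress.ip_interface(f["iface"])
    out = []
    if ipaddress.ip_address(f["gateway"]) not in iface.network:
        out.append("default gateway is outside the AP subnet")
    if ipaddress.ip_address(f["radius"]) not in iface.network:
        out.append("RADIUS server is off-subnet, so it is only reachable via the gateway")
    if f["local"] and f["port_vlan"] != f["wlan_vlan"]:
        out.append("locally bridged WLAN VLAN differs from the AP port VLAN")
    out.append(f"confirm {iface.ip} is a client on the RADIUS server")
    return out
```

The VLAN comparison encodes the advice in Reply #9 rather than documented device behaviour, so treat that finding as a prompt to verify on the AP.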

Offline netter007

  • Rookie
  • **
  • Posts: 21
Re: Radius Authentication Problem with different Vlan
« Reply #10 on: May 24, 2013, 11:30:00 AM »
But in the existing setup, the VLAN ID for the AP interface and the WLAN are different, and it is still running well. Because of this, I am confused.

Thx

Offline netter007

  • Rookie
  • **
  • Posts: 21
Re: Radius Authentication Problem with different Vlan
« Reply #11 on: May 24, 2013, 12:07:26 PM »
How about the mint link vlan vlan-id config? Does this need to change to the new VLAN?

Thx,


Offline netter007

  • Rookie
  • **
  • Posts: 21
Re: Radius Authentication Problem with different Vlan
« Reply #12 on: May 25, 2013, 01:07:56 AM »
Hi all,

Here's the config:

wlan WLAN_JKT
 ssid W-JKT
 vlan 2
 bridging-mode local
 encryption-type tkip-ccmp
 authentication-type eap
 use aaa-policy AAA_JKT

ap6521 5C-0E-8B-F4-B3-D8
 mint link vlan 1
 mint link vlan 2
 interface radio1
  wlan WLAN_JKT bss 1 primary
 interface ge1
  switchport mode access
  switchport access vlan 2
 interface vlan1
 interface vlan2
  ip address 97.0.2.60/8
 controller host 94.0.2.50

But the switch port connected to the AP uses access mode VLAN 10. Could a user connecting to SSID W-JKT connect and get an IP address from the VLAN 10 segment? If yes, does this mean that if we connect the AP to the switch in access mode, it doesn't care about the VLAN assignment on the SSID? Please advise.

Thx,