WiNG Express Radius VLAN Assignment

[jcoehoorn]

I have an AP7502E (5.7.0) that I'm using to evaluate the platform before making a larger commitment. One of the things I wanted to try was using the onboard radius server to make an 802.1x vlan assignment.

So I set up 3 vlans (IDs 1,2,3) for testing. I set up an open wireless network (no encryption or guest portal) on vlan 1, connect a device, and I get an address on the vlan 1 subnet. I change the SSID to use vlan 2, reconnect, and get an address on the vlan 2 subnet. The same for vlan 3, so I've tested each vlan independently. I'm using an external dhcp server for this.

Now I go to the radius configuration and I setup two groups: one for vlan 2, and the other for vlan 3. I create one user for each group, and then enable the server. I then go back to the wireless configuration, set it for vlan 1, and set it to use 802.1x with the internal radius server.

At this point I try to reconnect my test device. It prompts me to login, and I can successfully login with either of the two users I created previously. However, for both users I still end up assigned an address from vlan 1, instead of the vlan for the user's radius group.

So far, other than this issue, I really like the platform. It's in many ways comparable to Cisco and 1/4 the cost, so I'd hate to give up on it over this. What am I doing wrong?

[jcoehoorn]

Okay, what I've found is that you cannot do this via the WiNG Express GUI at this time, but I can make it work via the command line. Here is the code that I found:

$ en
# conf t
# wlan  <name>
# radius vlan-assignment
# commit write

[McNulty]

Ooh that's a gotcha.
So does the Express GUI actually have the menu options, but clicking them has no effect?

Express is still new and is a learning experience for everyone at the moment!

[jcoehoorn]

You can configure the radius user and groups, but on the wireless page there is only the option to set the vlan. The vlan set for the radius group is just ignored.

I expected either that turning on 802.1x implied that the radius vlan assignment (if any) would override the vlan set for the wireless, but this does not happen. The only way to make it happen is via that command line option. Maybe there will be a checkbox for this in the future.

Also, after applying this setting I went to do a load test. We have a couple iPad carts for a classroom that needed to update to iOS 8.3, and then update a bunch of apps. I pulled out the first cart, and after a 1/2 hour things started to slow down. Within 5 hours I had a hard time even connected to the Apple App store, or even loading a YouTube video. Strangely, regular web browsing tended to be okay, but anything on a non-standard port or that used encryption wasn't working. Connecting the same device to our regular network was fine. I eventually had to remove power to the AP for a few minutes, and it was fine after that. Unfortunately, that's a failed load test.

The good news is that for the 2nd cart I went back to a completely open SSID (not even captive portal), and everything was fine. I'm gonna wait until I can get a real controller in here and re-run the test with security before passing judgement, but this is a concern. I've played with small APs before and been burned this way.

[McNulty]

For requirements you should probably be using the full Wing, not the Express