Cisco 2000 Series Wireless LAN Controller Technical Manual

Components Used
The information in this document is based on these software and hardware versions:
• Cisco 5508 WLC that runs firmware release 7.0.220.0
• Cisco 3502 Series LAP
• Microsoft Windows 7 Native Supplicant with Intel 6300-N Driver Version 14.3
• Cisco Secure ACS that runs version 5.2
• Cisco 3560 Series Switch
The information in this document was created from the devices in a specific lab environment. All of the
devices used in this document started with a cleared (default) configuration. If your network is live, make sure
that you understand the potential impact of any command.
Conventions
Refer to the Cisco Technical Tips Conventions for more information on document conventions.
Dynamic VLAN Assignment with a RADIUS Server
In most WLAN systems, each WLAN has a static policy that applies to all clients associated with a Service
Set Identifier (SSID), or WLAN in the controller terminology. Although powerful, this method has limitations
because it requires clients to associate with different SSIDs in order to inherit different QoS and security
policies.
However, the Cisco WLAN solution supports identity networking. This allows the network to advertise a
single SSID, but allows specific users to inherit different QoS, VLAN attributes, and/or security policies
based on the user credentials.
Dynamic VLAN assignment is one such feature that places a wireless user into a specific VLAN based on the
credentials supplied by the user. This task of assigning users to a specific VLAN is handled by a RADIUS
authentication server, such as Cisco Secure ACS. This can be used, for example, to allow the wireless host to
remain on the same VLAN as it moves within a campus network.
As a result, when a client attempts to associate to a LAP registered with a controller, the LAP passes the
credentials of the user to the RADIUS server for validation. Once the authentication is successful, the
RADIUS server passes certain Internet Engineering Task Force (IETF) attributes to the user. These RADIUS
attributes decide the VLAN ID that should be assigned to the wireless client. The SSID (WLAN, in terms of
WLC) of the client does not matter because the user is always assigned to this predetermined VLAN ID.
The RADIUS user attributes used for the VLAN ID assignment are:
• IETF 64 (Tunnel Type) - Set this to VLAN.
• IETF 65 (Tunnel Medium Type) - Set this to 802.
• IETF 81 (Tunnel Private Group ID) - Set this to VLAN ID.
The VLAN ID is 12 bits, and takes a value between 1 and 4094, inclusive. Because the
Tunnel-Private-Group-ID is of type string, as defined in RFC 2868 for use with IEEE 802.1X, the
VLAN ID integer value is encoded as a string. When these tunnel attributes are sent, it is necessary to fill in
the Tag field.
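The following is an added example (not part of the Cisco document, and not Cisco or ACS code) that shows the byte layout of the three tunnel attributes listed above and the decision a controller has to make when it receives them in an Access-Accept. It assumes the RFC 2868 attribute formats and the IANA enumerations Tunnel-Type VLAN = 13 and Tunnel-Medium-Type IEEE-802 = 6; the function names are the example's own. The encoder enforces the 1 to 4094 range and the Tag octet, and the decoder groups attributes by Tag, accepts a string attribute whose first octet is above 0x1F as untagged (the RFC 2868 rule for string-typed tunnel attributes), and rejects an incomplete group or an out-of-range VLAN rather than applying it.

```python
# RFC 2868 attribute numbers and IANA enumerated values.
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13        # Tunnel-Type value "VLAN"
TUNNEL_MEDIUM_IEEE_802 = 6   # Tunnel-Medium-Type value "IEEE-802"
TUNNEL_ATTRS = (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID)


def _avp(attr_type, value):
    """Wrap a value in a RADIUS attribute header: Type(1) Length(1) Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, 2 + len(value)]) + value


def build_vlan_attributes(vlan_id, tag=0x01):
    """Return the three attributes that assign a client to vlan_id.

    Tunnel-Type and Tunnel-Medium-Type carry Tag(1) + a 3-octet integer;
    Tunnel-Private-Group-ID carries Tag(1) + the VLAN ID as a decimal string.
    """
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be between 1 and 4094")
    if not 0x00 <= tag <= 0x1F:
        raise ValueError("Tag must be 0x00 (unused) or 0x01..0x1F")
    t = bytes([tag])
    return (
        _avp(TUNNEL_TYPE, t + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
        + _avp(TUNNEL_MEDIUM_TYPE, t + TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big"))
        + _avp(TUNNEL_PRIVATE_GROUP_ID, t + str(vlan_id).encode("ascii"))
    )


def parse_attributes(blob):
    """Walk a RADIUS attribute list and return (type, value) pairs."""
    out, pos = [], 0
    while pos < len(blob):
        if pos + 2 > len(blob):
            raise ValueError("truncated attribute header")
        attr_type, length = blob[pos], blob[pos + 1]
        if length < 2 or pos + length > len(blob):
            raise ValueError("bad attribute length")
        out.append((attr_type, blob[pos + 2:pos + length]))
        pos += length
    return out


def _split_tag(attr_type, value):
    """Return (tag, payload) for one tunnel attribute."""
    if attr_type == TUNNEL_PRIVATE_GROUP_ID:
        # String-typed: a first octet above 0x1F is data, not a Tag.
        if value and value[0] <= 0x1F:
            return value[0], value[1:]
        return 0x00, value
    # Integer-typed: always Tag(1) + 3-octet integer.
    if len(value) != 4:
        raise ValueError("integer tunnel attribute must be 4 octets")
    return value[0], value[1:]


def vlan_from_access_accept(blob):
    """Return the VLAN ID a controller should apply, or None if no complete,
    consistent, in-range tunnel group is present (the SSID plays no part)."""
    groups = {}
    for attr_type, value in parse_attributes(blob):
        if attr_type in TUNNEL_ATTRS:
            tag, payload = _split_tag(attr_type, value)
            groups.setdefault(tag, {})[attr_type] = payload
    for attrs in groups.values():
        if set(attrs) != set(TUNNEL_ATTRS):
            continue  # one Tag must carry all three attributes
        if int.from_bytes(attrs[TUNNEL_TYPE], "big") != TUNNEL_TYPE_VLAN:
            continue
        if int.from_bytes(attrs[TUNNEL_MEDIUM_TYPE], "big") != TUNNEL_MEDIUM_IEEE_802:
            continue
        try:
            vlan_id = int(attrs[TUNNEL_PRIVATE_GROUP_ID].decode("ascii"))
        except (UnicodeDecodeError, ValueError):
            continue
        if 1 <= vlan_id <= 4094:
            return vlan_id
    return None


if __name__ == "__main__":
    accept = build_vlan_attributes(100)          # constructed Access-Accept body
    print(accept.hex(), "->", vlan_from_access_accept(accept))
```

The decoder side is where the defensive checks matter: the controller trusts whatever its configured RADIUS server returns, so a malformed or out-of-range Tunnel-Private-Group-ID should leave the client on the WLAN's default VLAN (here, `None`) rather than be applied blindly.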
As noted in RFC 2868, section 3.1: The Tag field is one octet in length and is intended to provide a
means of grouping attributes in the same packet which refer to the same tunnel. Valid values for this