In this post we will see how to use the "AAA override" feature of a WLAN, combined with the RADIUS server configuration, to override the settings assigned by the WLAN. With AAA override you can change the VLAN (dynamic interface), the QoS profile with its 802.1p tag, the ACL and so on per user, based on what the RADIUS server returns.
We will create a WLAN called "data-7" on WLC2 with WPA2/AES (802.1X) authentication/encryption and map it onto the management interface. Once a user is authenticated via ACS, AAA override should move that user to VLAN 7 (192.168.7.x/24) and change the QoS profile to Gold with an 802.1p value of 5.
I have used the CLI to define the WLAN; if you prefer the GUI you can follow that method as well. First you need to create the dynamic interface for VLAN 7 on the WLC and make sure VLAN 7 is allowed on the trunk towards the switch port connected to WLC2. In this lab the SVI and the DHCP scope for VLAN 7 live on CAT2.
(WLC2) >config interface create vlan7 7
(WLC2) >config interface address dynamic-interface vlan7 192.168.7.15 255.255.255.0 192.168.7.1
(WLC2) >config interface dhcp dynamic-interface vlan7 primary 192.168.7.1
!
! CAT3 (switch connected to WLC2): VLAN 7 must be allowed on the trunk
interface Port-channel1
 switchport trunk native vlan 999
 switchport trunk allowed vlan 7-18,112
 switchport mode trunk
 switchport nonegotiate
!
! CAT2: SVI and DHCP scope for VLAN 7
interface Vlan7
 ip address 192.168.7.1 255.255.255.0
!
ip dhcp excluded-address 192.168.7.1 192.168.7.100
ip dhcp pool VLAN7
 network 192.168.7.0 255.255.255.0
 default-router 192.168.7.1
 domain-name mrn.com
 dns-server 192.168.200.1
Then define the WLAN on WLC2 with the AAA override feature enabled. Keep in mind that by default the Layer 2 security of a newly created WLAN is WPA2/AES with 802.1X, so no additional security settings are required. The RADIUS server is configured under WLAN -> Security -> AAA Servers; the second command below does the same from the CLI.
(WLC2) >config wlan aaa-override enable 7
(WLC2) >config wlan radius_server auth add 7 1
(WLC2) >config wlan enable 7
Now we can configure ACS for AAA override. I will not show how to configure the WLC for RADIUS and assume ACS is already configured to peer with the WLC. If you are not sure, see one of my previous posts, "Configuring WLC for RADIUS".
Once that is done, WLC2 appears in ACS as a network device (AAA client) with its shared RADIUS secret.
I have configured a user called "user1" with password "user1" on ACS.
Then, under Policy Elements -> Authorization and Permissions -> Network Access -> Authorization Profiles, configure an Authorization Profile that specifies the VLAN you want to assign to the user. You can use the Common Tasks tab (VLAN ID/Name) to configure this easily without going through the RADIUS Attributes tab yourself.
Once you configure it, you can verify on the RADIUS Attributes tab which attributes have been selected for the VLAN assignment. You should see the three IETF tunnel attributes: Tunnel-Type = VLAN, Tunnel-Medium-Type = 802 and Tunnel-Private-Group-ID = 7.
Then, in the Access Policy, you need the correct Identity Policy and Authorization Policy for this service.
Here is my basic Authorization Policy, whose result is the "guest-8" authorization profile we created earlier.
Now it is ready to test client connectivity. Once the client is associated and authenticated, you should see that the client's IP address is 192.168.7.x even though the WLAN is mapped to the management interface (10.10.112.x). Note the Interface, VLAN and Access VLAN fields at the end of the output; the QoS Level is still the WLAN default of Silver with an 802.1p tag of 3, because only the VLAN profile is returned at this point.
(WLC2) >show client summary
Number of Clients................................ 1

MAC Address       AP Name           Status        WLAN/GLAN      Auth Protocol         Port Wired
----------------- ----------------- ------------- -------------- ---- ---------------- ---- -----
04:f7:e4:ea:5b:66 LAP2              Associated    7              Yes  802.11n(5 GHz)   29   No

(WLC2) >show client detail 04:f7:e4:ea:5b:66
Client MAC Address............................... 04:f7:e4:ea:5b:66
Client Username ................................. user1
AP MAC Address................................... a0:cf:5b:9e:e8:20
AP Name.......................................... LAP2
Client State..................................... Associated
Client NAC OOB State............................. Access
Wireless LAN Id.................................. 7
BSSID............................................ a0:cf:5b:9e:e8:29
Connected For ................................... 27 secs
Channel.......................................... 149
IP Address....................................... 192.168.7.101
Association Id................................... 1
Authentication Algorithm......................... Open System
Reason Code...................................... 1
Status Code...................................... 0
Client CCX version............................... No CCX support
Re-Authentication Timeout........................ 1789
Mirroring........................................ Disabled
QoS Level........................................ Silver
802.1P Priority Tag.............................. 3
WMM Support...................................... Enabled
Power Save....................................... OFF
Supported Rates.................................. 24.0,36.0,48.0,54.0
Mobility State................................... Local
Mobility Move Count.............................. 0
Security Policy Completed........................ Yes
Policy Manager State............................. RUN
Policy Manager Rule Created...................... Yes
ACL Name......................................... none
ACL Applied Status............................... Unavailable
NPU Fast Fast Notified........................... Yes
Policy Type...................................... WPA2
Authentication Key Management.................... 802.1x
Encryption Cipher................................ CCMP (AES)
Management Frame Protection...................... No
EAP Type......................................... PEAP
Interface........................................ vlan7
VLAN............................................. 7
Quarantine VLAN.................................. 0
Access VLAN...................................... 7
In ACS, under Monitoring & Reports -> Monitoring & Reports Viewer -> AAA Protocol -> RADIUS Authentication, you can verify the successful authentication.
If you click the magnifying glass icon you can see the complete details of the request, including the attributes sent by the WLC (such as Called-Station-Id) and the attributes returned by ACS. These attributes can be used to create custom policy conditions on ACS.
Now we will see how to override the QoS profile using AAA override. For this, create another Authorization Profile under Policy Elements. This time go to the RADIUS Attributes tab, select the "RADIUS-Cisco Airespace" dictionary type, and add the QoS level attribute (set to Gold) and the 802.1p tag attribute (set to 5).
Once you configure these attributes, the RADIUS Attributes tab of the profile lists both Airespace attributes.
Now you can choose this profile (AAA-QoS-Gold) in addition to AAA-VL7 as the result of the authorization rule. Based on the attributes seen in the detail page, I selected a compound condition that matches "data-7" in Called-Station-Id, so that this AAA override behaviour applies only to the "data-7" SSID. Keep in mind that Called-Station-Id is supplied by the WLC, so this condition only works if the controller's call-station-ID type includes the SSID; you can check the configured type with "show radius summary" on the WLC.
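To make the two authorization profiles and the SSID condition concrete, here is an added example (not part of the original post, and not ACS or WLC code) that encodes the attributes ACS returns in the Access-Accept for the VLAN profile (the IETF tunnel attributes Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID) and for the QoS profile (the Cisco Airespace vendor-specific attributes for QoS level and 802.1p tag), decodes them the way the controller has to, and shows why the WLAN's own settings still win when AAA override is disabled on the WLAN. The function names, the WLAN defaults, the Called-Station-Id sample value and the "no matching dynamic interface" fallback are assumptions made for the example; the attribute numbers and Airespace value codes are the standard dictionary values.

```python
import struct

# IETF attribute types (RFC 2865 / RFC 2868) and the values ACS returns for a VLAN.
ATTR_VENDOR_SPECIFIC, ATTR_TUNNEL_TYPE, ATTR_TUNNEL_MEDIUM_TYPE, ATTR_TUNNEL_PRIVATE_GROUP_ID = 26, 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_802 = 13, 6
# Cisco Airespace dictionary: vendor id 14179, QoS level is attribute 2, 802.1p tag is
# attribute 4; QoS level values are Silver 0, Gold 1, Platinum 2, Bronze 3.
VENDOR_AIRESPACE, AIRESPACE_QOS_LEVEL, AIRESPACE_DOT1P_TAG = 14179, 2, 4
QOS_NAMES = {0: "Silver", 1: "Gold", 2: "Platinum", 3: "Bronze"}
QOS_CODES = {name: code for code, name in QOS_NAMES.items()}


def avp(attr_type, value):
    """One attribute-value pair: Type(1) Length(1, includes the header) Value."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def tunnel_avp(attr_type, value, tag=1):
    """Tagged tunnel attribute (RFC 2868): tag byte, then a 3-byte integer or a string."""
    body = value.to_bytes(3, "big") if isinstance(value, int) else value.encode()
    return avp(attr_type, bytes([tag]) + body)

def airespace_vsa(vendor_type, value):
    """Vendor-Specific attribute (RFC 2865 5.26): Vendor-Id, then Vendor-Type/Length/Value."""
    inner = struct.pack("!BBI", vendor_type, 6, value)
    return avp(ATTR_VENDOR_SPECIFIC, struct.pack("!I", VENDOR_AIRESPACE) + inner)

def build_access_accept_attrs(vlan_id, qos_level=None, dot1p=None):
    """Attributes of the VLAN profile (AAA-VL7), plus the QoS profile VSAs when given."""
    out = (tunnel_avp(ATTR_TUNNEL_TYPE, TUNNEL_TYPE_VLAN)
           + tunnel_avp(ATTR_TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_802)
           + tunnel_avp(ATTR_TUNNEL_PRIVATE_GROUP_ID, str(vlan_id)))
    if qos_level is not None:
        out += airespace_vsa(AIRESPACE_QOS_LEVEL, QOS_CODES[qos_level])
    if dot1p is not None:
        out += airespace_vsa(AIRESPACE_DOT1P_TAG, dot1p)
    return out

def parse_attrs(data):
    """Walk a RADIUS attribute list, rejecting truncated or bogus lengths."""
    attrs, i = [], 0
    while i < len(data):
        if len(data) - i < 2 or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed RADIUS attribute at offset %d" % i)
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs

def _untag(value):
    """RFC 2868: a leading byte of 0x00..0x1F is a tag, not part of the value."""
    return value[1:] if value and value[0] <= 0x1F else value

def decode_override(data):
    """What the controller learns from the Access-Accept: VLAN, QoS level, 802.1p tag.
    The VLAN is used only if Tunnel-Type is VLAN and Tunnel-Medium-Type is 802."""
    result, tunnel_type, medium, group = {}, None, None, None
    for t, v in parse_attrs(data):
        if t == ATTR_TUNNEL_TYPE:
            tunnel_type = int.from_bytes(_untag(v), "big")
        elif t == ATTR_TUNNEL_MEDIUM_TYPE:
            medium = int.from_bytes(_untag(v), "big")
        elif t == ATTR_TUNNEL_PRIVATE_GROUP_ID:
            group = _untag(v).decode()
        elif t == ATTR_VENDOR_SPECIFIC and v[:4] == struct.pack("!I", VENDOR_AIRESPACE):
            vtype, vlen = v[4], v[5]
            val = int.from_bytes(v[6:4 + vlen], "big")
            if vtype == AIRESPACE_QOS_LEVEL:
                result["qos"] = QOS_NAMES[val]
            elif vtype == AIRESPACE_DOT1P_TAG:
                result["dot1p"] = val
    if group is not None and tunnel_type == TUNNEL_TYPE_VLAN and medium == TUNNEL_MEDIUM_802:
        result["vlan"] = int(group)
    return result

def effective_policy(wlan_defaults, accept_attrs, aaa_override, interfaces):
    """Per-client result. With 'config wlan aaa-override' disabled the WLAN's own
    interface and QoS profile apply and the returned attributes are ignored."""
    policy = dict(wlan_defaults)
    if not aaa_override:
        return policy
    ov = decode_override(accept_attrs)
    if "vlan" in ov:
        # Assumed for the example: the client lands on the dynamic interface whose VLAN
        # matches; with no such interface it stays on the WLAN's interface.
        policy["interface"] = interfaces.get(ov["vlan"], wlan_defaults["interface"])
    policy.update({k: ov[k] for k in ("qos", "dot1p") if k in ov})
    return policy

def rule_matches_ssid(called_station_id, ssid):
    """The compound condition from the post. Assumes the WLC sends Called-Station-Id
    as '<AP MAC>:<SSID>'; a value without an SSID part never matches."""
    _, sep, ssid_part = called_station_id.partition(":")
    return bool(sep) and ssid_part == ssid


if __name__ == "__main__":
    # Constructed lab values mirroring the post: WLAN on the management interface, Silver/3.
    wlan = {"interface": "management", "qos": "Silver", "dot1p": 3}
    accept = build_access_accept_attrs(7, "Gold", 5)
    print(accept.hex())
    print(effective_policy(wlan, accept, False, {7: "vlan7"}))
    print(effective_policy(wlan, accept, True, {7: "vlan7"}))
```

Two points worth checking against your own controller: the VLAN is only honoured when all three tunnel attributes arrive together (a stray Tunnel-Private-Group-ID on its own does nothing here), and the SSID condition depends entirely on the Called-Station-Id format the WLC is configured to send, so verify it in the ACS authentication details before relying on it.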
This time, when the client authenticates, you should see that the QoS level is Gold and the 802.1p value is 5, even though the WLAN is configured for the Silver profile with an 802.1p value of 3.
(WLC2) >show client detail 04:f7:e4:ea:5b:66
Client MAC Address............................... 04:f7:e4:ea:5b:66
Client Username ................................. user1
AP MAC Address................................... a0:cf:5b:9e:e8:20
AP Name.......................................... LAP2
Client State..................................... Associated
Client NAC OOB State............................. Access
Wireless LAN Id.................................. 7
BSSID............................................ a0:cf:5b:9e:e8:29
Connected For ................................... 7 secs
Channel.......................................... 149
IP Address....................................... 192.168.7.101
Association Id................................... 1
Authentication Algorithm......................... Open System
Reason Code...................................... 1
Status Code...................................... 0
Client CCX version............................... No CCX support
Re-Authentication Timeout........................ 1771
Mirroring........................................ Disabled
QoS Level........................................ Gold
802.1P Priority Tag.............................. 5
WMM Support...................................... Enabled
Power Save....................................... ON
Current Rate..................................... m7
Supported Rates.................................. 24.0,36.0,48.0,54.0
Mobility State................................... Local
Mobility Move Count.............................. 0
Security Policy Completed........................ Yes
Policy Manager State............................. RUN
Policy Manager Rule Created...................... Yes
ACL Name......................................... none
ACL Applied Status............................... Unavailable
NPU Fast Fast Notified........................... Yes
Policy Type...................................... WPA2
Authentication Key Management.................... 802.1x
Encryption Cipher................................ CCMP (AES)
Management Frame Protection...................... No
EAP Type......................................... PEAP
Interface........................................ vlan7
VLAN............................................. 7
Quarantine VLAN.................................. 0
Access VLAN...................................... 7
This is how you can use the AAA override feature to dynamically assign the VLAN and QoS profile per user according to your requirements. Keep in mind that the WLC honours these returned attributes only when AAA override is enabled on the WLAN; with it disabled, the WLAN's own interface and QoS profile apply regardless of what the RADIUS server returns.