Cisco – Configure Cisco Aironet 1600 AP with RADIUS and multiple VLANs

Tags: cisco, radius, vlan, wireless

I have a small problem realizing an AP solution in a small office environment. First off, I have no experience configuring Cisco Access Points 😉

I have the following environment: a small office of about 15 people and a network segmented into 2 VLANs (VLAN100 for clients and the RADIUS server, and VLAN200 for guests with very restricted access). The AP is connected to an L3 switch port with access to both VLANs.

Now, if someone uses the AP, authentication is required via the RADIUS server in VLAN100. On the RADIUS server I configured the NPS server role (Windows Server 2008 R2) with 2 network policies (one policy per VLAN) to grant access on successful authentication.

Finally, my problem is this: if someone authenticates using a guest account, he gets no network connectivity because he does not know the VLAN. Are there best-practice tutorials for Cisco APs with RADIUS and VLANs, or something like that? Maybe someone has a better idea of how to realize that authentication/VLAN tagging procedure?

OK, here is the config; maybe I made a mistake:

Current configuration : 4225 bytes
!
! Last configuration change at 01:17:55 +0100 Mon Mar 1 1993
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname AP01
!
!
logging rate-limit console 9
!
aaa new-model
!
!
aaa group server radius rad_eap
 server 172.0.0.30
!
aaa authentication login eap_methods group rad_eap
aaa authorization exec default local
!
!
!
!
!
aaa session-id common
clock timezone +0100 1 0
no ip routing
no ip cef
ip domain name domain.local
ip name-server 172.0.0.31
ip name-server 172.0.0.30
ip name-server 172.0.0.28
!
!
!
no dot11 syslog
!
dot11 ssid WLAN-SSID
   vlan 100
   authentication open eap eap_methods
   authentication key-management wpa version 2
   mbssid guest-mode
!
!
power inline negotiation prestandard source
crypto pki token default removal timeout 0
!
!
bridge irb
!
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 100 mode ciphers aes-ccm
 !
 encryption mode ciphers aes-ccm
 !
 encryption vlan 200 mode ciphers aes-ccm
 !
 ssid WLAN-SSID
 !
 antenna gain 0
 stbc
 beamform ofdm
 mbssid
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Dot11Radio0.100
 encapsulation dot1Q 100
 no ip route-cache
 bridge-group 100
 bridge-group 100 subscriber-loop-control
 bridge-group 100 spanning-disabled
 bridge-group 100 block-unknown-source
 no bridge-group 100 source-learning
 no bridge-group 100 unicast-flooding
!
interface Dot11Radio0.200
 encapsulation dot1Q 200
 no ip route-cache
 bridge-group 200
 bridge-group 200 subscriber-loop-control
 bridge-group 200 spanning-disabled
 bridge-group 200 block-unknown-source
 no bridge-group 200 source-learning
 no bridge-group 200 unicast-flooding
!
interface Dot11Radio1
 no ip address
 no ip route-cache
 !
 encryption vlan 100 mode ciphers aes-ccm
 !
 encryption mode ciphers aes-ccm
 !
 encryption vlan 200 mode ciphers aes-ccm
 !
 ssid WLAN-SSID
 !
 antenna gain -128
 no dfs band block
 stbc
 beamform ofdm
 mbssid
 channel dfs
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Dot11Radio1.100
 encapsulation dot1Q 100
 no ip route-cache
 bridge-group 100
 bridge-group 100 subscriber-loop-control
 bridge-group 100 spanning-disabled
 bridge-group 100 block-unknown-source
 no bridge-group 100 source-learning
 no bridge-group 100 unicast-flooding
!
interface Dot11Radio1.200
 encapsulation dot1Q 200
 no ip route-cache
 bridge-group 200
 bridge-group 200 subscriber-loop-control
 bridge-group 200 spanning-disabled
 bridge-group 200 block-unknown-source
 no bridge-group 200 source-learning
 no bridge-group 200 unicast-flooding
!
interface GigabitEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 bridge-group 1
 bridge-group 1 spanning-disabled
 no bridge-group 1 source-learning
!
interface GigabitEthernet0.100
 encapsulation dot1Q 100
 no ip route-cache
 bridge-group 100
 bridge-group 100 spanning-disabled
 no bridge-group 100 source-learning
!
interface GigabitEthernet0.200
 encapsulation dot1Q 200
 no ip route-cache
 bridge-group 200
 bridge-group 200 spanning-disabled
 no bridge-group 200 source-learning
!
interface BVI1
 ip address 172.0.10.5 255.255.255.0
 no ip route-cache
!
interface BVI100
 ip address dhcp
 no ip route-cache
!
interface BVI200
 ip address dhcp
 no ip route-cache
!
ip default-gateway 172.0.10.250
ip forward-protocol nd
ip http server
ip http authentication aaa
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
!
radius-server host 172.0.0.30 key *******
!
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
 transport input all
!
sntp broadcast client
end

Best Answer

One way to solve this problem is to change the AP connection to a layer 2 trunk with both VLANs on the trunk. You can have two different SSIDs (one for users, one for guests), and each SSID is associated with a VLAN. When a client connects to the guest SSID, her data goes on VLAN 200; a regular user's data goes on VLAN 100.

You will need separate DHCP scopes for each VLAN, either on the AP or a central DHCP server.
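The trunk-plus-two-SSIDs layout the answer describes, written out as an added example (this is not the answerer's configuration and not the poster's running config; it reuses the SSID name WLAN-SSID and the rad_eap/eap_methods AAA objects from the posted config). The switch port name, the guest SSID name WLAN-GUEST and the management VLAN number 10 are assumptions; the management VLAN must be whichever VLAN carries 172.0.10.0/24, because BVI1 sits in the untagged bridge-group 1 and therefore needs to arrive on the trunk's native VLAN.

```cisco
! --- Switch side (Cisco IOS syntax assumed): the AP port becomes an 802.1Q trunk ---
! VLAN 10 is an assumed management VLAN for BVI1 (172.0.10.5); it is carried
! untagged as the native VLAN so the AP's bridge-group 1 still reaches it.
interface GigabitEthernet1/0/24
 description AP01 uplink
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 10
 switchport trunk allowed vlan 10,100,200
 spanning-tree portfast trunk
!
! --- AP side: one SSID per VLAN, both authenticated through the same rad_eap group ---
! The AP itself talks to the RADIUS server from BVI1 (ip radius source-interface BVI1),
! so a guest client never needs reachability into VLAN 100 to authenticate.
dot11 ssid WLAN-SSID
   vlan 100
   authentication open eap eap_methods
   authentication key-management wpa version 2
   mbssid guest-mode
!
dot11 ssid WLAN-GUEST
   vlan 200
   authentication open eap eap_methods
   authentication key-management wpa version 2
   mbssid guest-mode
!
! Per-VLAN cipher suites, both SSIDs bound to the radio, multiple BSSIDs enabled.
! Repeat the same block on Dot11Radio1.
interface Dot11Radio0
 encryption vlan 100 mode ciphers aes-ccm
 encryption vlan 200 mode ciphers aes-ccm
 ssid WLAN-SSID
 ssid WLAN-GUEST
 mbssid
 station-role root
!
! The per-VLAN subinterfaces already present in the posted config carry the traffic:
! Dot11Radio0.100 and GigabitEthernet0.100 (dot1Q 100) in bridge-group 100,
! Dot11Radio0.200 and GigabitEthernet0.200 (dot1Q 200) in bridge-group 200.
```

After applying it, `show vlans` on the AP lists each VLAN with its radio and Ethernet subinterfaces, and `show dot11 associations` shows which SSID each client associated to. Note that both SSIDs use the same EAP method list, so the NPS policies only decide whether a user may authenticate; the "very restricted access" for VLAN 200 still has to be enforced with an ACL or firewall rule on the L3 switch interface for that VLAN.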