Wireless users are not getting the VLAN assigned in the policy applied

Symptoms
A wireless user is assigned a policy with a specific VLAN but gets an IP address in another VLAN.
Environment
  • Extreme Control in a proxy RADIUS configuration
  • Identifi Control that is configured for use with RFC 3580
Cause
The proxy RADIUS server is sending Tunnel-Private-Group-ID to Extreme Control. The Extreme Control profile is set to "Replace RADIUS attributes", but the product does not replace an attribute UNLESS that specific attribute is defined in the "RADIUS gateway attributes to send".

Extreme Control does not remove all AVPs in the RADIUS Access-Accept packet from the proxy RADIUS server; it only replaces what it is configured to send.

The Tunnel-Private-Group-ID sent by the proxy RADIUS server is forwarded to the Identifi controller along with the Filter-Id containing the policy string. Since the Identifi controller is configured to accept RFC 3580 (Tunnel-Private-Group-ID), it assigns the policy but overrides the policy VLAN with the VLAN provided in the Tunnel-Private-Group-ID.
Resolution
  1. Remove the proxy RADIUS configuration that sends Tunnel-Private-Group-ID.
  2. Remove the RFC 3580 attribute configurations on Identifi.
  3. Add "Tunnel-Private-Group-ID=%VLAN_ID%:%VLAN_TUNNEL_TAG%" to the RADIUS attributes to send for the EWC and define a VLAN ID in the policy mappings. This will force Extreme Control to replace the attribute according to the policy mapping.
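
The pass-through behaviour described under Cause, and the effect of resolution item 3, as a simplified model (an added example, not Extreme Control or Identifi code). The policy name "Guest", the VLAN IDs, the helper names, and the rule that the controller reads the VLAN from the part before ":" are assumptions made for illustration.

```python
# Simplified model of the behaviour this article describes; not Extreme Control code.
# Policy name and VLAN IDs are constructed sample values.

def render(line, mapping):
    """Expand %VAR% placeholders in an 'attributes to send' line."""
    for key, value in mapping.items():
        line = line.replace(f"%{key}%", str(value))
    return line

def build_accept(proxy_avps, attrs_to_send, mapping):
    """Only attributes named in attrs_to_send are replaced; all other
    AVPs from the proxy Access-Accept pass through unchanged."""
    out = dict(proxy_avps)
    for line in attrs_to_send:
        name, _, value = render(line, mapping).partition("=")
        out[name] = value
    return out

def passed_through(proxy_avps, attrs_to_send):
    """Proxy AVPs that will reach the controller untouched."""
    replaced = {line.partition("=")[0] for line in attrs_to_send}
    return sorted(set(proxy_avps) - replaced)

def controller_vlan(avps, policy_vlans, rfc3580=True):
    """Policy comes from Filter-Id; with RFC 3580 enabled, a
    Tunnel-Private-Group-ID overrides the policy's VLAN.
    Assumption: the VLAN is the part before ':' in 'VLAN:TAG'."""
    vlan = policy_vlans[avps["Filter-Id"]]
    tpgid = avps.get("Tunnel-Private-Group-ID")
    if rfc3580 and tpgid:
        vlan = int(tpgid.split(":")[0])
    return vlan

PROXY_ACCEPT = {"Tunnel-Private-Group-ID": "300"}   # constructed proxy reply
MAPPING = {"VLAN_ID": 100, "VLAN_TUNNEL_TAG": 0}     # constructed policy mapping
POLICY_VLANS = {"Guest": 100}                        # constructed policy -> VLAN
BEFORE = ["Filter-Id=Guest"]
AFTER = BEFORE + ["Tunnel-Private-Group-ID=%VLAN_ID%:%VLAN_TUNNEL_TAG%"]

def run(attrs_to_send):
    """Return (proxy AVPs passed through, VLAN the controller assigns)."""
    accept = build_accept(PROXY_ACCEPT, attrs_to_send, MAPPING)
    return passed_through(PROXY_ACCEPT, attrs_to_send), controller_vlan(accept, POLICY_VLANS)

if __name__ == "__main__":
    print("before:", run(BEFORE))
    print("after: ", run(AFTER))
```

Running `passed_through` against the real "attributes to send" list is a quick way to see which authorization attributes from the upstream RADIUS server still reach the controller unmodified.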