Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

How to use 7210 without PEFNG license

  • 1.  How to use 7210 without PEFNG license

    Posted Jun 02, 2017 06:25 AM
    I am starting from scratch to set up a wireless network with a 7210 controller. We don't have PEFNG licenses. I thought general wireless network connections should be still possible but for whatever reason, I fail.
     
    It's currently version 6.5.0.4. I get the device connected to the SSID and authenticated using 802.1x with our radius server but the controller assigns the role "guest-role".
     
    Without PEFNG license I cannot add new roles, I cannot modify roles, I cannot modify the ACLs on the guest-role. The ACLs are empty, thus the implicit deny denies all traffic.
     
    I have been searching through the documentation for a couple of hours by now but haven't found how to get this working. All I find uses roles/policies which only work with PEFNG licenses.
     
    Is it possible to get this working without PEFNG licenses?
     
    Thanks!


  • 2.  RE: How to use 7210 without PEFNG license

    MVP EXPERT
    Posted Jun 02, 2017 06:35 AM

    What is your 802.1x default role under the AAA profile? Can you change this to authenticated as I believe this allows all even without a PEF-NG license.

     

    (wlc-001) #show aaa profile AAA-CORP
    
    AAA Profile "AAACorp"
    ---------------------
    Parameter                           Value
    ---------                           -----
    Initial role                        logon
    802.1X Authentication Profile       8021xCorp
    802.1X Authentication Default Role  authenticated

     

     



  • 3.  RE: How to use 7210 without PEFNG license

    Posted Jun 02, 2017 07:05 AM
    The 802.1x default role option is only available with PEFNG license...


  • 4.  RE: How to use 7210 without PEFNG license

    EMPLOYEE
    Posted Jun 02, 2017 06:49 AM

    @gvde wrote:

    I am starting from scratch to set up a wireless network with a 7210 controller. We don't have PEFNG licenses. I thought general wireless network connections should be still possible but for whatever reason, I fail.

     

    It's currently version 6.5.0.4. I get the device connected to the SSID and authenticated using 802.1x with out radius server but the controller assigns the role "guest-role".

     

    Without PEFNG license I cannot add new roles, I cannot modify roles, I cannot modify the ACLs on the guest-role. The ACLs are empty, thus the implicit deny denies all traffic.

     

    I have been searching through the documentation for a couple of hours by now but haven't found how to get this working. All I find uses roles/policies which only work with PEFNG licenses.

     

    Is it possible to get this working without PEFNG licenses?

     

    Thanks!


    Did you use the WLAN Wizard to create your SSID?  It should lead you through the process and be straightforward.  When you say "authenticated via 802.1x without radius server", what is doing the authentication, the controller?



  • 5.  RE: How to use 7210 without PEFNG license

    Posted Jun 02, 2017 07:09 AM
    I have used the wizard but also tried a lot more.

    It's supposed to say "with our radius"... sorry. Edited the original question...


  • 6.  RE: How to use 7210 without PEFNG license

    EMPLOYEE
    Posted Jun 02, 2017 07:57 AM
    Did you put the clients in a vlan that exists on the controller?
    Do you see your radius server responding to authentication?


  • 7.  RE: How to use 7210 without PEFNG license

    Posted Jun 02, 2017 08:42 AM

    RADIUS Authentication works fine. The connection gets authenticated and the user is even assigned to the specific VLAN. The VLAN does exist.

     

    When I am connected and run a tcpdump on the wireless interface of the client I can even see the spanning tree frames, but nothing else except the outgoing DHCP requests.



  • 8.  RE: How to use 7210 without PEFNG license

    EMPLOYEE
    Posted Jun 02, 2017 08:57 AM

    Is there a DHCP server on that VLAN?  If yes, it should respond...



  • 9.  RE: How to use 7210 without PEFNG license

    Posted Jun 02, 2017 09:04 AM

    Of course there is a DHCP server on that VLAN and it assigns IP addresses if it receives a DHCP request. But it doesn't receive anything from the wireless client. The wireless client should also receive some other broadcast traffic on that VLAN which I see on a wired client.

     

    Again: the controller assigns the guest role to the authenticated user. The guest role has two access lists, global-sacl and apprf-guest-sacl, which are both empty. If I am not mistaken, empty means "implicit deny all". And that very much matches what I see with the packet sniffer on the wireless client...



  • 10.  RE: How to use 7210 without PEFNG license

    EMPLOYEE
    Posted Jun 02, 2017 09:21 AM

    If you don't have a PEF license, there are no "roles" or "acls" because nothing is blocked.  I would try to assign another port on the controller to that VLAN, plug into it wired and see if you get an ip address.



  • 11.  RE: How to use 7210 without PEFNG license

    Posted Jun 02, 2017 10:27 AM

    Hi!

     

    Sure you can modify the default roles, but you can't do it from the VAP view. Instead, navigate through Configuration -> Authentication -> AAA Profiles and you should be able to edit the default role of the AAA profile there and assign the "authenticated" role.

     

    Cheers,



  • 12.  RE: How to use 7210 without PEFNG license

    Posted Jun 02, 2017 02:19 PM

    @Christoffer wrote:

    Hi!

     

    Sure you can modify the default roles, but you can't do it from the VAP view. Instead, navigate through Configuration -> Authentication -> AAA Profiles and you should be able to edit the default role of the AAA profile there and assign the "authenticated" role.


    No. Default roles for 802.1x can only be configured with PEFNG license. Also there is no "authenticated" role and I cannot add a role without PEFNG license either...



  • 13.  RE: How to use 7210 without PEFNG license

    Posted Jun 21, 2017 08:51 AM

    Surely there's a role with allowall in it even without PEFNG, and I'm pretty sure it's the role called "authenticated". Change the "Initial role" to this unrestricted role and you should be ready to go.

     

    Cheers,



  • 14.  RE: How to use 7210 without PEFNG license

    Posted Jun 21, 2017 11:50 AM
    There is no role authenticated nor do I want to assign it as initial role. Initial role is always logon for 802.1x profiles and it always assigns guest after successful authentication.

    But it seems that's how it's supposed to be. After my 2nd try from scratch it is actually working. I guess the empty acl for the guest role is simply ignored when there is no firewall license installed.

    I am not sure why it worked the second time as I am pretty sure I did everything exactly in the same way.

    It's working even though in part it's ugly without the license as some configuration implicitly sets roles and acls into the configuration even though you cannot change it, e.g. the captive portal authentication...