per user VLAN Issue

Upendra
Here to help


Hello.

I have connected an MR 53 AP to the uplink, and the authentication type is RADIUS server.

The issue is that when a user (listed in the RADIUS server) tries to connect to the AP (SSID), that user gets an IP from the native VLAN instead of from the user-specified VLAN (per-user VLAN).

(The outcome should be: if the user connects to the AP, the user should get an IP from the VLAN specified for that user.)

Please help with this issue ASAP.

Thank you

ww
Kind of a big deal

What type are you using?

https://documentation.meraki.com/MR/Client_Addressing_and_Bridging/VLAN_Tagging#Per-User_VLAN_Taggin...

A per-user VLAN tag can be applied in 3 different ways:

  1. The RADIUS server returns a Tunnel-Private-Group-ID attribute in the Access-Accept message, which specifies the VLAN ID that should be applied to the wireless user. This VLAN ID could override whatever may be configured in the MCC (which could be no VLAN tagging, or a per-SSID VLAN tag). To have this VLAN ID take effect, “RADIUS override” must be set to “RADIUS response can override VLAN tag” under the Configure tab on the Access Control page in the “VLAN setup” section.
     
  2. The RADIUS server returns a group policy attribute (e.g., Filter-ID) in the Access-Accept message. The group policy attribute specifies a group policy that should be applied to the wireless user, overriding the policy configured on the SSID itself. If the group policy includes a VLAN ID, the group policy’s VLAN ID will be applied to the user.
     
  3. On the Client Details page, a client can be manually assigned a group policy. If the group policy includes a VLAN ID, the group policy’s VLAN ID will be applied to the user.  

Are all VLANs on the trunk?

Are all DHCP scopes present?

Did you make a Wireshark capture on the uplink and check that the RADIUS server is sending the correct attributes?
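
One way to do the attribute check asked about above, as an added example that is not part of the thread or of Meraki's documentation: a small parser that takes the raw RADIUS UDP payload of a reply (for instance, bytes exported from a capture) and reports whether it carries Tunnel-Private-Group-ID or Filter-ID. The Tunnel-Type=VLAN and Tunnel-Medium-Type=802 checks follow RFC 3580 and are an assumption beyond what the thread quotes; the sample packets are constructed.

```python
import struct

ACCESS_ACCEPT, FILTER_ID, TUNNEL_TYPE, TUNNEL_MEDIUM, TUNNEL_PGID = 2, 11, 64, 65, 81

def parse_radius(packet: bytes):
    """Return (code, {attr_type: value}) from a raw RADIUS packet (UDP payload)."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("bad Length field")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs[packet[pos]] = packet[pos + 2:pos + packet[pos + 1]]
        pos += packet[pos + 1]
    return code, attrs

def check_vlan_reply(packet: bytes):
    """Report the VLAN / group policy a reply carries and what is missing."""
    code, attrs = parse_radius(packet)
    if code != ACCESS_ACCEPT:
        return {"vlan": None, "filter_id": None, "problems": ["not an Access-Accept"]}
    problems = []
    # Tunnel-Type and Tunnel-Medium-Type: 1 tag byte + 3-byte integer value.
    for attr, want, name in ((TUNNEL_TYPE, 13, "Tunnel-Type=VLAN(13)"),
                             (TUNNEL_MEDIUM, 6, "Tunnel-Medium-Type=802(6)")):
        val = attrs.get(attr)
        if val is None or len(val) != 4 or int.from_bytes(val[1:], "big") != want:
            problems.append("missing or wrong " + name)
    pgid = attrs.get(TUNNEL_PGID)
    if pgid and pgid[0] <= 0x1F:      # leading tag byte (RFC 2868), not part of the ID
        pgid = pgid[1:]
    if not pgid:
        problems.append("missing Tunnel-Private-Group-ID")
    fid = attrs.get(FILTER_ID)
    return {"vlan": pgid.decode("ascii", "replace") if pgid else None,
            "filter_id": fid.decode("ascii", "replace") if fid else None,
            "problems": problems}

def build(code, attrs):
    """Constructed sample packet: zeroed authenticator, attrs = [(type, bytes)]."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, 1, 20 + len(body)) + bytes(16) + body

GOOD = build(2, [(64, b"\x00\x00\x00\x0d"), (65, b"\x00\x00\x00\x06"), (81, b"30")])
BARE = build(2, [(1, b"user1")])  # constructed accept with no VLAN attributes at all
print(check_vlan_reply(GOOD), check_vlan_reply(BARE), sep="\n")
```

An Access-Accept that parses like `BARE` means the server never sent a VLAN, so the client stays on the SSID or native VLAN regardless of the override setting on the AP side.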

Upendra
Here to help

Yes, sir,

All VLANs are on the trunk port and DHCP scopes are present.

ww
Kind of a big deal

Did you configure it to allow RADIUS override?

Does the RADIUS attribute match on the AP side and the RADIUS server side? And is it really sent to the AP?

Upendra
Here to help

By configuring override, I mean I have just enabled the option (RADIUS response can override VLAN tag),

and I have not added any RADIUS attribute to the AP.

ww
Kind of a big deal

And is your RADIUS server sending this?

https://documentation.meraki.com/MR/Client_Addressing_and_Bridging/Tagging_Client_VLANs_with_RADIUS_...

And did you verify that these attributes are sent in the packet?

Upendra
Here to help

Sir, the thing is I have not created any RADIUS server. I have just installed the HP IMC application on Windows Server 2008 R2.

In IMC I have created users, so previously, when a user connected to the SSID, the AP checked the username and confirmed it with the RADIUS server (meaning HP IMC) and gave the particular VLAN IP.

But when I try this whole activity with the Meraki AP, it's not working.

Upendra
Here to help

There are 4 VLANs in total on the HP switch, and it's a trunk port that I have connected to my MR 53.

WilliamQin
Getting noticed

The following are the preconditions:

1. The native VLAN and wireless user VLAN gateways are normal, and DHCP is normal.

2. The switch port connected to the AP is a trunk with the native VLAN set, and the AP can come online.

3. In cloud management, set the SSID VLAN tag to the wireless user VLAN and configure the RADIUS server.

If you still have issues, please check your DHCP, trunk link, VLAN tag, and Meraki Cloud sync.

I hope this is helpful to you!
