Cisco Wireless LAN Controller Configuration Guide, Release 7.5
Configuring AAA Override
Downloads: This chapterpdf (PDF - 1.3MB) The complete bookPDF (PDF - 17.88MB) | The complete bookePub (ePub - 4.41MB) | Feedback

Configuring AAA Override

Configuring AAA Override

Information About AAA Override

The AAA Override option of a WLAN enables you to configure the WLAN for identity networking. It enables you to apply VLAN tagging, Quality of Service (QoS), and Access Control Lists (ACLs) to individual clients based on the returned RADIUS attributes from the AAA server.

AAA Override for IPv6 ACLs

In order to support centralized access control through a centralized AAA server such as the Cisco Identity Services Engine (ISE) or ACS, the IPv6 ACL can be provisioned on a per-client basis using AAA Override attributes. In order to use this feature, the IPv6 ACL must be configured on the controller and the WLAN must be configured with the AAA Override feature enabled. The actual named AAA attribute for an IPv6 ACL is Airespace-IPv6-ACL-Name, which is similar to the Airespace-ACL-Name attribute that is used for provisioning an IPv4-based ACL. The AAA attribute returned contents should be a string equal to the name of the IPv6 ACL as configured on the controller.


Note


From Release 7.5, the upstream AAA override rate limiting value is same as the downstream AAA override rate limiting value.

Restrictions for AAA Override

  • If a client moves to a new interface due to the AAA override and then you apply an ACL to that interface, the ACL does not take effect until the client reauthenticates. To work around this issue, apply the ACL and then enable the WLAN so that all clients connect to the ACL that is already configured on the interface, or disable and then reenable the WLAN after you apply the interface so that the clients can reauthenticate.
  • If the ACL returned from the AAA server does not exist on the controller or if the ACL is configured with an incorrect name, then the clients are not allowed to be authenticated.
  • With FlexConnect local switching, Multicast is forwarded only for the VLAN that the SSID is mapped to and not to any overridden VLANs.
  • When the interface group is mapped to a WLAN and clients connect to the WLAN, the client does not get the IP address in a round robin fashion. The AAA override with interface group is supported.
  • Most of the configuration for allowing AAA override is done at the RADIUS server, where you should configure the Access Control Server (ACS) with the override properties you would like it to return to the controller (for example, Interface-Name, QoS-Level, and VLAN-Tag).
  • On the controller, enable the Allow AAA Override configuration parameter using the GUI or CLI. Enabling this parameter allows the controller to accept the attributes returned by the RADIUS server. The controller then applies these attributes to its clients.
  • During Layer2 authentication if AAA override is enabled, local policies are not applied and the override takes precedence.

Updating the RADIUS Server Dictionary File for Proper QoS Values

If you are using a Steel-Belted RADIUS (SBR), FreeRadius, or similar RADIUS server, clients may not obtain the correct QoS values after the AAA override feature is enabled. For these servers, which allow you to edit the dictionary file, you need to update the file to reflect the proper QoS values: Silver is 0, Gold is 1, Platinum is 2, and Bronze is 3. To update the RADIUS server dictionary file, follow these steps:


Note


This issue does not apply to the Cisco Secure Access Control Server (ACS).


To update the RADIUS server dictionary file, follow these steps:

  1. Stop the SBR service (or other RADIUS service).
  2. Save the following text to the Radius_Install_Directory\Service folder as ciscowlan.dct:
    
    ################################################################################
    # CiscoWLAN.dct- Cisco Wireless Lan Controllers
    #
    # (See README.DCT for more details on the format of this file)
    ################################################################################
    
    # Dictionary - Cisco WLAN Controllers
    #
    # Start with the standard Radius specification attributes
    #
    @radius.dct
    #
    # Standard attributes supported by Airespace
    #
    # Define additional vendor specific attributes (VSAs)
    #
    
    MACRO Airespace-VSA(t,s) 26 [vid=14179 type1=%t% len1=+2 data=%s%]
    
    ATTRIBUTE   WLAN-Id                 Airespace-VSA(1, integer)     cr
    ATTRIBUTE   Aire-QoS-Level 	 	 	 	 	Airespace-VSA(2, integer)     r
    VALUE Aire-QoS-Level Bronze 	 		3
    VALUE Aire-QoS-Level Silver     0
    VALUE Aire-QoS-Level Gold       1
    VALUE Aire-QoS-Level Platinum   2
    
    ATTRIBUTE   DSCP                    Airespace-VSA(3, integer)     r
    ATTRIBUTE   802.1P-Tag              Airespace-VSA(4, integer)     r
    ATTRIBUTE   Interface-Name          Airespace-VSA(5, string)      r
    ATTRIBUTE   ACL-Name                Airespace-VSA(6, string)      r
    
    # This should be last.
    
    ################################################################################
    # CiscoWLAN.dct - Cisco WLC dictionary
    ##############################################################################

    
  3. Open the dictiona.dcm file (in the same directory) and add the line “@ciscowlan.dct.”
  4. Save and close the dictiona.dcm file.
  5. Open the vendor.ini file (in the same directory) and add the following text:
    
    vendor-product       = Cisco WLAN Controller
    dictionary           = ciscowlan
    ignore-ports         = no
    port-number-usage    = per-port-type
    help-id 		 	 	 	     = 

    
  6. Save and close the vendor.ini file.
  7. Start the SBR service (or other RADIUS service).
  8. Launch the SBR Administrator (or other RADIUS Administrator).
  9. Add a RADIUS client (if not already added). Choose Cisco WLAN Controller from the Make/Model drop-down list.

Configuring AAA Override (GUI)


    Step 1   Choose WLANs to open the WLANs page.
    Step 2   Click the ID number of the WLAN that you want to configure. The WLANs > Edit page appears.
    Step 3   Choose the Advanced tab.
    Step 4   Select the Allow AAA Override check box to enable AAA override or unselect it to disable this feature. The default value is disabled.
    Step 5   Click Apply.
    Step 6   Click Save Configuration.

    Configuring AAA Override (CLI)

    • Configure override of user policy through AAA on a WLAN by entering this command: config wlan aaa-override {enable | disable} wlan-id

      For wlan-id, enter a value between 1 and 16.

    • Configure debugging of 802.1X AAA interactions by entering this command: debug dot1x aaa {enable | disable}

    • Configure debugging of AAA QoS override by entering this command: debug ap aaaqos-dump {enable | disable}