The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
The AAA Override option of a WLAN enables you to configure the WLAN for identity networking. It enables you to apply VLAN tagging, Quality of Service (QoS), and Access Control Lists (ACLs) to individual clients based on the returned RADIUS attributes from the AAA server.
AAA Override for IPv6 ACLs
In order to support centralized access control through a centralized AAA server such as the Cisco Identity Services Engine (ISE) or ACS, the IPv6 ACL can be provisioned on a per-client basis using AAA Override attributes. In order to use this feature, the IPv6 ACL must be configured on the controller and the WLAN must be configured with the AAA Override feature enabled. The client will be de-authenticated if the ACL is not preconfigured on the controller. The actual named AAA attribute for an IPv6 ACL is Airespace-IPv6-ACL-Name, which is similar to the Airespace-ACL-Name attribute that is used for provisioning an IPv4-based ACL. The AAA attribute returned contents should be a string equal to the name of the IPv6 ACL as configured on the controller.
Note | From Release 7.5, the upstream AAA override rate limiting value is same as the downstream AAA override rate limiting value. |
If a client moves to a new interface due to the AAA override and then you apply an ACL to that interface, the ACL does not take effect until the client reauthenticates. To work around this issue, apply the ACL and then enable the WLAN so that all clients connect to the ACL that is already configured on the interface, or disable and then reenable the WLAN after you apply the interface so that the clients can reauthenticate.
If the ACL returned from the AAA server does not exist on the controller or if the ACL is configured with an incorrect name, then the clients are not allowed to be authenticated.
With FlexConnect local switching, Multicast is forwarded only for the VLAN that the SSID is mapped to and not to any overridden VLANs. Therefore, IPv6 does not work as expected because Multicast traffic is forwarded from the incorrect VLAN.
When the interface group is mapped to a WLAN and clients connect to the WLAN, the client does not get the IP address in a round robin fashion. The AAA override with interface group is supported.
Most of the configuration for allowing AAA override is done at the RADIUS server, where you should configure the Access Control Server (ACS) with the override properties you would like it to return to the controller (for example, Interface-Name, QoS-Level, and VLAN-Tag).
On the controller, enable the Allow AAA Override configuration parameter using the GUI or CLI. Enabling this parameter allows the controller to accept the attributes returned by the RADIUS server. The controller then applies these attributes to its clients.
During Layer2 authentication if AAA override is enabled, local policies are not applied and the override takes precedence.
Cisco TrustSec security group tag is not applied until you enable AAA override on a WLAN.
If you are using a Steel-Belted RADIUS (SBR), FreeRadius, or similar RADIUS server, clients may not obtain the correct QoS values after the AAA override feature is enabled. For these servers, which allow you to edit the dictionary file, you need to update the file to reflect the proper QoS values: Silver is 0, Gold is 1, Platinum is 2, and Bronze is 3. To update the RADIUS server dictionary file, follow these steps:
Note | This issue does not apply to the Cisco Secure Access Control Server (ACS). |
To update the RADIUS server dictionary file, follow these steps:
Save the following text to the Radius_Install_Directory\Service folder as ciscowlan.dct:
################################################################################ # CiscoWLAN.dct- Cisco Wireless Lan Controllers # # (See README.DCT for more details on the format of this file) ################################################################################ # Dictionary - Cisco WLAN Controllers # # Start with the standard Radius specification attributes # @radius.dct # # Standard attributes supported by Airespace # # Define additional vendor specific attributes (VSAs) # MACRO Airespace-VSA(t,s) 26 [vid=14179 type1=%t% len1=+2 data=%s%] ATTRIBUTE WLAN-Id Airespace-VSA(1, integer) cr ATTRIBUTE Aire-QoS-Level Airespace-VSA(2, integer) r VALUE Aire-QoS-Level Bronze 3 VALUE Aire-QoS-Level Silver 0 VALUE Aire-QoS-Level Gold 1 VALUE Aire-QoS-Level Platinum 2 ATTRIBUTE DSCP Airespace-VSA(3, integer) r ATTRIBUTE 802.1P-Tag Airespace-VSA(4, integer) r ATTRIBUTE Interface-Name Airespace-VSA(5, string) r ATTRIBUTE ACL-Name Airespace-VSA(6, string) r # This should be last. ################################################################################ # CiscoWLAN.dct - Cisco WLC dictionary ##############################################################################
Open the dictiona.dcm file (in the same directory) and add the line “@ciscowlan.dct.”
Open the vendor.ini file (in the same directory) and add the following text:
vendor-product = Cisco WLAN Controller dictionary = ciscowlan ignore-ports = no port-number-usage = per-port-type help-id =
Launch the SBR Administrator (or other RADIUS Administrator).
Add a RADIUS client (if not already added). Choose Cisco WLAN Controller from the Make/Model drop-down list.
Configure override of user policy through AAA on a WLAN by entering this command: config wlan aaa-override {enable | disable} wlan-id
For wlan-id, enter a value between 1 and 16.
Configure debugging of 802.1X AAA interactions by entering this command: debug dot1x aaa {enable | disable}
Configure debugging of AAA QoS override by entering this command: debug ap aaaqos-dump {enable | disable}