Configuring AAA Override

AAA Override

The AAA Override option of a WLAN enables you to configure the WLAN for identity networking. It enables you to apply VLAN tagging, Quality of Service (QoS), and Access Control Lists (ACLs) to individual clients based on the returned RADIUS attributes from the AAA server.

Most of the configuration to allow AAA override is done at the RADIUS server, where you should configure the Access Control Server (ACS) with the override properties you would like it to return to the controller (for example, Interface-Name, QoS-Level, and VLAN-Tag).

On the controller, enable the Allow AAA Override configuration parameter using the GUI or CLI. Enabling this parameter allows the controller to accept the attributes returned by the RADIUS server. The controller then applies these attributes to its clients.

This section contains the following subsections:

Restrictions for AAA Override

  • If a client moves to a new interface due to the AAA override and then you apply an ACL to that interface, the ACL does not take effect until the client reauthenticates. To work around this issue, apply the ACL and then enable the WLAN so that all clients connect to the ACL that is already configured on the interface, or disable and then reenable the WLAN after you apply the interface so that the clients can reauthenticate.

  • If the ACL returned from the AAA server does not exist on the controller or if the ACL is configured with an incorrect name, then the clients are not allowed to be authenticated.

  • With FlexConnect local switching, Multicast is forwarded only for the VLAN that the SSID is mapped to and not to any overridden VLANs. Therefore, IPv6 does not work as expected because Multicast traffic is forwarded from the incorrect VLAN. Use the following command to have multicast traffic forwarded for the overridden VLAN:

    config flexconnect group group-name multicast overridden-interface enable

  • Most of the configuration for allowing AAA override is done at the RADIUS server, where you should configure the Access Control Server (ACS) with the override properties you would like it to return to the controller (for example, Interface-Name, QoS-Level, and VLAN-Tag).

  • On the controller, enable the Allow AAA Override configuration parameter using the GUI or CLI. Enabling this parameter allows the controller to accept the attributes returned by the RADIUS server. The controller then applies these attributes to its clients.

Updating the RADIUS Server Dictionary File for Proper QoS Values

If you are using a Steel-Belted RADIUS (SBR), FreeRadius, or similar RADIUS server, clients may not obtain the correct QoS values after the AAA override feature is enabled. For these servers, which allow you to edit the dictionary file, you need to update the file to reflect the proper QoS values: Silver is 0, Gold is 1, Platinum is 2, and Bronze is 3. To update the RADIUS server dictionary file, follow these steps:


Note

This issue does not apply to the Cisco Secure Access Control Server (ACS).

To update the RADIUS server dictionary file, follow these steps:

  1. Stop the SBR service (or other RADIUS service).

  2. Save the following text to the Radius_Install_Directory\Service folder as ciscowlan.dct: 

    
################################################################################
# CiscoWLAN.dct- Cisco Wireless Lan Controllers
#
# (See README.DCT for more details on the format of this file)
################################################################################

# Dictionary - Cisco WLAN Controllers
#
# Start with the standard Radius specification attributes
#
@radius.dct
#
# Standard attributes supported by Airespace
#
# Define additional vendor specific attributes (VSAs)
#

MACRO Airespace-VSA(t,s) 26 [vid=14179 type1=%t% len1=+2 data=%s%]

ATTRIBUTE   WLAN-Id                 Airespace-VSA(1, integer)     cr
ATTRIBUTE   Aire-QoS-Level 	 	 	 	 	Airespace-VSA(2, integer)     r
VALUE Aire-QoS-Level Bronze 	 		3
VALUE Aire-QoS-Level Silver     0
VALUE Aire-QoS-Level Gold       1
VALUE Aire-QoS-Level Platinum   2

ATTRIBUTE   DSCP                    Airespace-VSA(3, integer)     r
ATTRIBUTE   802.1P-Tag              Airespace-VSA(4, integer)     r
ATTRIBUTE   Interface-Name          Airespace-VSA(5, string)      r
ATTRIBUTE   ACL-Name                Airespace-VSA(6, string)      r

# This should be last.

################################################################################
# CiscoWLAN.dct - Cisco WLC dictionary
##############################################################################


  3. Open the dictiona.dcm file (in the same directory) and add the line “@ciscowlan.dct.”

  4. Save and close the dictiona.dcm file.

  5. Open the vendor.ini file (in the same directory) and add the following text: 

    
vendor-product       = Cisco WLAN Controller
dictionary           = ciscowlan
ignore-ports         = no
port-number-usage    = per-port-type
help-id 		 	 	 	     = 


  6. Save and close the vendor.ini file.

  7. Start the SBR service (or other RADIUS service).

  8. Launch the SBR Administrator (or other RADIUS Administrator).

  9. Add a RADIUS client (if not already added). Choose Cisco WLAN Controller from the Make/Model drop-down list.

Configuring AAA Override (GUI)

Procedure

Step 1

Choose WLANs to open the WLANs page.

Step 2

Click the ID number of the WLAN that you want to configure. The WLANs > Edit page appears.

Step 3

Choose the Advanced tab.

Step 4

Select the Allow AAA Override check box to enable AAA override or unselect it to disable this feature. The default value is disabled.

Step 5

Click Apply.

Step 6

Click Save Configuration.

Configuring AAA Override (CLI)

Procedure

  • Configure override of user policy through AAA on a WLAN by entering this command:

    config wlan aaa-override {enable | disable} wlan-id

    For wlan-id , enter a value between 1 and 16.

  • Configure debugging of 802.1X AAA interactions by entering this command:

    debug dot1x aaa {enable | disable}