Configuring AAA Override; Updating the RADIUS Server Dictionary File for Proper QoS Values - Cisco 2100 Series Configuration Manual


Configuring Identity Networking

Configuring AAA Override

The Allow AAA Override option of a WLAN allows you to configure the WLAN for identity
networking. It allows you to apply VLAN tagging, QoS, and ACLs to individual clients based on the
returned RADIUS attributes from the AAA server.
Note: If a client moves to a new interface due to the AAA override and then you apply an ACL to that interface,
the ACL does not take effect until the client reauthenticates. To work around this issue, apply the ACL
and then enable the WLAN so that all clients connect to the ACL already configured on the interface, or
disable and then re-enable the WLAN after you apply the interface so that the clients can reauthenticate.

Most of the configuration for allowing AAA override is done at the RADIUS server, where you should
configure the Access Control Server (ACS) with the override properties you would like it to return to the
controller (for example, Interface-Name, QoS-Level, and VLAN-Tag).
On the controller, simply enable the Allow AAA Override configuration parameter using the GUI or
CLI. Enabling this parameter allows the controller to accept the attributes returned by the RADIUS
server. The controller then applies these attributes to its clients.

Updating the RADIUS Server Dictionary File for Proper QoS Values

If you are using a Steel-Belted RADIUS (SBR), FreeRadius, or similar RADIUS server, clients may not
obtain the correct QoS values after the AAA override feature is enabled. For these servers, which allow
you to edit the dictionary file, you need to update the file to reflect the proper QoS values: Silver = 0,
Gold = 1, Platinum = 2, and Bronze = 3. Follow the steps below to do so.
Note: This issue does not apply to the Cisco Secure Access Control Server (ACS).

Step 1  Stop the SBR service (or other RADIUS service).
Step 2  Save the following text to the Radius_Install_Directory\Service folder as ciscowlan.dct:

################################################################################
# CiscoWLAN.dct- Cisco Wireless Lan Controllers
#
# (See README.DCT for more details on the format of this file)
################################################################################
# Dictionary - Cisco WLAN Controllers
#
# Start with the standard Radius specification attributes
#
@radius.dct
#
# Standard attributes supported by Airespace
#
# Define additional vendor specific attributes (VSAs)
#
MACRO Airespace-VSA(t,s) 26 [vid=14179 type1=%t% len1=+2 data=%s%]
ATTRIBUTE WLAN-Id Airespace-VSA(1, integer) cr
ATTRIBUTE Aire-QoS-Level Airespace-VSA(2, integer) r
VALUE Aire-QoS-Level Bronze 3
VALUE Aire-QoS-Level Silver 0

Cisco Wireless LAN Controller Configuration Guide, OL-17037-01, Chapter 5: Configuring Security Solutions, page 5-78
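
The MACRO line in the dictionary defines each Airespace VSA as RADIUS attribute 26 with vendor ID 14179, a one-byte type, and a length equal to the data length plus two. The Python below is an added example, not part of the Cisco manual: it decodes those VSAs from the attribute bytes of a RADIUS reply so you can confirm the server returns the QoS numbers listed above (Silver = 0, Gold = 1, Platinum = 2, Bronze = 3). The function names and the sample bytes are constructed for illustration.

```python
import struct

AIRESPACE_VENDOR_ID = 14179                        # vid from the MACRO line
VSA_NAMES = {1: "WLAN-Id", 2: "Aire-QoS-Level"}    # type1 values from the dictionary
QOS_LEVELS = {0: "Silver", 1: "Gold", 2: "Platinum", 3: "Bronze"}  # values stated on the page


def encode_airespace_vsa(vsa_type: int, value: int) -> bytes:
    """Build one RADIUS attribute 26 carrying a single integer Airespace VSA."""
    sub = struct.pack("!BBI", vsa_type, 4 + 2, value)   # len1 = data length + 2
    body = struct.pack("!I", AIRESPACE_VENDOR_ID) + sub
    return struct.pack("!BB", 26, len(body) + 2) + body


def decode_airespace_vsas(attrs: bytes) -> dict:
    """Walk a RADIUS attribute list and return the Airespace integer VSAs by name."""
    found, pos = {}, 0
    while pos < len(attrs):
        if pos + 2 > len(attrs):
            raise ValueError("truncated attribute header")
        a_type, a_len = attrs[pos], attrs[pos + 1]
        if a_len < 2 or pos + a_len > len(attrs):
            raise ValueError("bad attribute length")
        value = attrs[pos + 2:pos + a_len]
        pos += a_len
        if a_type != 26 or len(value) < 4:
            continue                                    # not a vendor-specific attribute
        if struct.unpack("!I", value[:4])[0] != AIRESPACE_VENDOR_ID:
            continue                                    # another vendor's VSA
        sub = value[4:]
        while len(sub) >= 2:
            s_type, s_len = sub[0], sub[1]
            if s_len < 2 or s_len > len(sub):
                raise ValueError("bad sub-attribute length")
            if s_len == 6 and s_type in VSA_NAMES:      # 4-byte integer + 2 header bytes
                found[VSA_NAMES[s_type]] = struct.unpack("!I", sub[2:6])[0]
            sub = sub[s_len:]
    return found


def qos_name(level: int) -> str:
    """Translate Aire-QoS-Level using the mapping the page gives for the controller."""
    return QOS_LEVELS.get(level, "unknown(%d)" % level)


# Constructed sample: User-Name "bob", then WLAN-Id=1 and Aire-QoS-Level=3.
SAMPLE = b"\x01\x05bob" + encode_airespace_vsa(1, 1) + encode_airespace_vsa(2, 3)
```

Feed `decode_airespace_vsas` the attribute portion of a captured Access-Accept; a client profiled as Gold whose reply decodes to anything other than 1 points to a dictionary that still carries the wrong values.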


This manual is also suitable for:

4400 series
