Cisco IOS Software Configuration Guide for Cisco Aironet Access Points
OL-30644-01
Chapter 14 Configuring VLANs
Use the no form of the command to remove the name from the VLAN. Use the show dot11 vlan-name
privileged EXEC command to list all the VLAN name and ID pairs configured on the access point.
Using a RADIUS Server to Assign Users to VLANs
You can configure your RADIUS authentication server to assign users or groups of users to a specific
VLAN when they authenticate to the network.
Note The unicast and multicast cipher suites advertised in the WPA or RSN Information Element
(and negotiated during 802.11 association) may not match the cipher suite supported in an
explicitly assigned VLAN. If the RADIUS server assigns a VLAN ID whose cipher suite differs
from the one already negotiated, the access point and client have no way to switch to the new
cipher suite. Currently, the WPA, WPA2 and CCKM protocols do not allow the cipher suite to be
changed after the initial 802.11 cipher negotiation phase. In this scenario, the client device is
disassociated from the wireless LAN.
The VLAN-mapping process consists of these steps:
1. A client device associates to the access point using any SSID configured on the access point.
2. The client begins RADIUS authentication.
3. When the client authenticates successfully, the RADIUS server maps the client to a specific VLAN, regardless of the VLAN mapping defined for the SSID the client is using on the access point. If the server does not return any VLAN attribute for the client, the client is assigned to the VLAN specified by the SSID mapped locally on the access point.
These are the RADIUS user attributes used for vlan-id assignment. Each attribute must carry a common tag value between 1 and 31 to identify the grouped relationship.
IETF 64 (Tunnel Type): Set this attribute to VLAN
IETF 65 (Tunnel Medium Type): Set this attribute to 802
IETF 81 (Tunnel Private Group ID): Set this attribute to vlan-id
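As an added illustration that is not part of the Cisco guide, the Python below builds the three tagged attributes a RADIUS server would return in Access-Accept and applies the mapping rule from step 3, falling back to the SSID's VLAN when no complete, usable attribute group is present. The wire encodings assumed here (Tunnel-Type VLAN = 13, Tunnel-Medium-Type IEEE 802 = 6, a one-octet tag in front of each value) follow RFC 2868 and RFC 3580; the access point's own parser is not shown in the guide.

```python
# RFC 2868 tunnel attributes the guide lists for VLAN assignment (IETF 64, 65, 81)
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13    # Tunnel-Type value "VLAN" (RFC 3580), assumed encoding
TUNNEL_MEDIUM_802 = 6    # Tunnel-Medium-Type value "IEEE 802" (RFC 2868)
VLAN_ATTRS = (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID)

def encode_vlan_avps(vlan_id, tag=1):
    """Build the three tagged AVPs a RADIUS server places in Access-Accept."""
    if not 1 <= tag <= 31:
        raise ValueError("tag must be between 1 and 31")
    avps = b""
    for attr, value in ((TUNNEL_TYPE, TUNNEL_TYPE_VLAN.to_bytes(3, "big")),
                        (TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_802.to_bytes(3, "big")),
                        (TUNNEL_PRIVATE_GROUP_ID, str(vlan_id).encode())):
        payload = bytes([tag]) + value          # tag octet, then 3-octet int or string
        avps += bytes([attr, 2 + len(payload)]) + payload
    return avps

def parse_avps(data):
    """Yield (type, payload) per AVP; reject truncated or malformed lengths."""
    i = 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated AVP header")
        attr, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad AVP length")
        yield attr, data[i + 2:i + length]
        i += length

def assigned_vlan(avps, ssid_vlan):
    """Return the VLAN for the client: RADIUS-assigned if usable, else the SSID's."""
    groups = {}
    for attr, payload in parse_avps(avps):
        if attr not in VLAN_ATTRS or not payload:
            continue
        tag, body = payload[0], payload[1:]
        if attr == TUNNEL_PRIVATE_GROUP_ID and tag > 0x1F:
            tag, body = 0, payload              # RFC 2868: octet > 0x1F is data, not a tag
        groups.setdefault(tag, {})[attr] = body
    for tag in sorted(groups):                  # attributes are grouped by common tag
        g = groups[tag]
        if (g.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN.to_bytes(3, "big")
                and g.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_802.to_bytes(3, "big")
                and TUNNEL_PRIVATE_GROUP_ID in g):
            vid = g[TUNNEL_PRIVATE_GROUP_ID].decode("ascii", "replace")
            if vid.isdigit() and 1 <= int(vid) <= 4094:
                return int(vid)
    return ssid_vlan
```

A group that is incomplete (for example a Tunnel-Type with no matching Tunnel-Private-Group-ID under the same tag) or that names an out-of-range VLAN is ignored, so the client lands in the SSID's locally mapped VLAN rather than in an unintended one.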
Viewing VLANs Configured on the Access Point
In privileged EXEC mode, use the show vlan command to view the VLANs that the access point supports. This is sample output from a show vlan command:

    Virtual LAN ID: 1 (IEEE 802.1Q Encapsulation)
    vLAN Trunk Interfaces: Dot11Radio0
                           Dot11Radio1
                           GigabitEthernet0
    Protocols Configured:  Address:  Received:  Transmitted:
        Command                               Purpose
Step 3  end                                   Return to privileged EXEC mode.
Step 4  copy running-config startup-config    (Optional) Save your entries in the configuration file.