#1
Hi all,
I have the following scenario but have tried some ways and it is still not working. I would appreciate some feedback.

I have the following configuration:

2 DHCP scopes:
Scope 1 is for VLAN 1 - auto assign IP 10.1.1.x
Scope 2 is for VLAN 10 - auto assign IP 10.1.10.x

Active Directory:
user 1 is a member of group 1 only
user 2 is a member of group 2 only

IAS:
Client created and pointed to my wireless controller.
Remote policy has been created for VLAN 1 and VLAN 10.

SSID:
1 staff SSID

How the connection is set up:
My AP is connected to a wireless controller and connected to a CORE switch. The server with the DHCP service, IAS service and Active Directory service is connected to the CORE switch.

Working Scenario:
My wireless client connects to the staff SSID, types in the user1 password, is able to authenticate with 802.1X and is assigned the IP 10.1.1.1.

Not Working Scenario:
When my user 1 logs in, it is not getting the IP from Scope 2; instead, it is getting the Scope 1 IP. May I know how I can solve this issue? My objective is that when user 1 logs in, he will get a Scope 1 IP, and when user 2 logs in, he will get a Scope 2 IP.

Daniel

#2
No one can assist?
#3
Daniel <(E-Mail Removed)> wrote in
news:CA002C9B-8D9C-4955-B0FA-(E-Mail Removed):

> No one can assist?
>
> "Daniel" wrote:
>
>> Hi all,
>>
>> I had the following scenario but had try some ways and still not
>> working. Appreciate some feedback.
>>
>> I had the following configuration:
>>
>> 2 DHCP scope:
>> Scope 1 is for VLAN 1 - auto assign IP 10.1.1.x
>> Scope 2 is for VLAN 10 - auto assign IP 10.1.10.x
>>
>> Active Directory:
>> user 1 is member to group 1 only
>> user 2 is member to group 2 only
>>
>> IAS:
>> Client created and point to my wireless controller.
>> Remote policy had been created for vlan 1 and vlan 10.
>>
>> SSID:
>> 1 staff SSID
>>
>> How connection is setup:
>> My AP is connect to a wireless controller and connect to a CORE
>> switch. The Server with DHCP service, IAS service and Active
>> Directory Service is connect to the CORE switch.
>>
>> Working Scenario:
>> My wireless client connect to staff SSID and type in user1 password
>> and is able to get auth with 802.1X and been assigned with an IP
>> 10.1.1.1.
>>
>> Not Working Scenario:
>> When my user 1 log in, it not getting the IP from Scope 2, instead,
>> it was getting the Scope 1 IP. May I know how can I solve this issue?
>> My objection is when user 1 logged in, he will get scope 1 IP and
>> when user 2 logged in, he will get scope 2 IP.

You need two remote access policies, each of which is based on Windows Group membership; you also need to configure the remote access policies with VLAN information according to the paper "Deploying Windows Server 2003 Internet Authentication Service (IAS) with Virtual Local Area Networks (VLANs)" at

http://www.microsoft.com/downloads/d...C9ED3609-49FC-439B-92F4-266B187CAE5A&displaylang=en

And you need to create the VLANs on the wireless controller, since it is the RADIUS client -- so it must be able to receive the VLAN information from IAS, then assign the connection to a specific VLAN.

Then when the wireless controller opens the 802.1X port (after authentication) for the VLAN, the client broadcasts a DHCP address request. DHCP bases the address assignment on the wireless controller IP address -- so hopefully the wireless controller has multiple physical ports and you can map the IP address for the physical port to the VLAN and DHCP scope that way.

If the wireless controller does not have the ability to be configured with multiple IP addresses, then it might be possible to configure the switch as the RADIUS client, if it is a Layer 3 switch that supports 802.1X, EAP, and VLANs.

--
James McIllece, Microsoft

Please do not send email directly to this alias. This is my online account name for newsgroup participation only.

This posting is provided "AS IS" with no warranties, and confers no rights.
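The chain described in the reply above (group-based policy, VLAN information returned to the RADIUS client, DHCP scope chosen from the relay address) can be modelled end to end. This is an added example, not part of the original thread and not IAS code; the /24 masks, the relay addresses, the fallback-to-default-VLAN behaviour and all function names are assumptions, and the attribute values are the standard RFC 3580 VLAN assignment attributes.

```python
import ipaddress

DEFAULT_VLAN = 1  # assumption: the controller's fallback VLAN

# Constructed data mirroring the thread; relay addresses are hypothetical.
MEMBERSHIP = {"user 1": {"group 1"}, "user 2": {"group 2"}}
POLICIES = [  # evaluated in order, first match wins
    {"group": "group 1", "vlan": 1},
    {"group": "group 2", "vlan": 10},
]
SCOPES = {"Scope 1": "10.1.1.0/24", "Scope 2": "10.1.10.0/24"}  # /24 assumed
RELAY_BY_VLAN = {1: "10.1.1.254", 10: "10.1.10.254"}

def authorize(user, policies):
    """Return Access-Accept attributes, or None for Access-Reject."""
    for policy in policies:
        if policy["group"] in MEMBERSHIP.get(user, set()):
            if policy.get("vlan") is None:
                return {}  # accepted, but no VLAN information configured
            return {  # RFC 3580 VLAN assignment attributes
                "Tunnel-Type": 13,          # VLAN
                "Tunnel-Medium-Type": 6,    # 802
                "Tunnel-Private-Group-ID": str(policy["vlan"]),
            }
    return None

def controller_vlan(attrs, defined_vlans):
    """VLAN the RADIUS client puts the session on (fallback is assumed)."""
    if attrs.get("Tunnel-Type") == 13 and attrs.get("Tunnel-Medium-Type") == 6:
        vlan = int(attrs["Tunnel-Private-Group-ID"])
        if vlan in defined_vlans:
            return vlan
    return DEFAULT_VLAN

def dhcp_scope(relay_ip):
    """Pick the scope whose subnet contains the relay address."""
    addr = ipaddress.ip_address(relay_ip)
    for name, net in SCOPES.items():
        if addr in ipaddress.ip_network(net):
            return name
    return None

def connect(user, policies=POLICIES, defined_vlans=(1, 10)):
    attrs = authorize(user, policies)
    if attrs is None:
        return None
    return dhcp_scope(RELAY_BY_VLAN[controller_vlan(attrs, defined_vlans)])
```

In this model, a policy that matches the group but carries no VLAN attributes, or a controller with VLAN 10 undefined, puts user 2 on the default VLAN and therefore into Scope 1.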