Taskforce Mobility Mailarchive


Subject Cisco dynamic vlan assignment does not work anymore when using WPA2
From Dick Visser <visser@xxxxxxxxxx>
Date Mon, 01 Sep 2008 12:59:39 +0200

Hi guys

I am trying to reconfigure our Cisco AP to do WPA2.
Our current setup is using WEP, and based on the Tunnel-Private-Group-ID
my TERENA users get put into vlan 4 (office) and everybody else into
vlan 6 (guests). This vlan is also the native vlan.

This all works fine with WEP.

However, if I change the encryption to WPA2, everything *seems* to work
fine, except that everybody gets put into the native vlan (6).
Even though our Radius server gives back exactly the same attributes
(vlan id 4).


So, this works:



dot11 ssid eduroam
   vlan 6
   authentication open eap eap_methods
   authentication network-eap eap_methods
   guest-mode
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 4 key 1 size 40bit 7 hackme transmit-key
 encryption vlan 4 mode wep mandatory
 !
 encryption vlan 6 key 1 size 40bit 7 hackme transmit-key
 encryption vlan 6 mode wep mandatory
 !
 ssid eduroam



And this doesn't:



dot11 ssid eduroam
   vlan 6
   authentication open eap eap_methods
   authentication network-eap eap_methods
   authentication key-management wpa optional
   guest-mode
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 4 mode ciphers aes-ccm tkip wep128
 !
 encryption vlan 6 mode ciphers aes-ccm tkip wep128
 !
 broadcast-key vlan 4 change 600 membership-termination capability-change
 !
 broadcast-key vlan 6 change 600 membership-termination capability-change
 !
 !
 ssid eduroam



Any ideas?



-- 
Dick Visser
TERENA IT Support Officer

TERENA Secretariat
Singel 468 D, 1017 AW Amsterdam
The Netherlands
T +31 20 530 44 88 F +31 20 530 44 99
visser@xxxxxxxxxx | www.terena.org