topic Guest Wireless LAN - 802.1x local database in Wireless

Guest Wireless LAN - 802.1x local database

simon.bentley — Sun, 04 Jul 2021 05:45:07 GMT

We currently have a Guest Wireless LAN using Web Authentication located on a WLC within our DMZ, is it possible to create an additional Guest Wireless LAN with 802.1x authentication using the local users DB on the WLC within the DMZ? We have 3 additional WLC's located within the corporate infrastructure.

Re: Guest Wireless LAN - 802.1x local database

Scott Fella — Tue, 02 Oct 2012 11:47:02 GMT

Yes you can. If the SSID's are going to be the same, then you need to have the profile name different. If your doing 802.1x with website then no. You can't have a layer 2 encryption defined and also have a layer 3 (WebAuth). You can have multiple WebAuth with different pages too.

Makes sense

Sent from Cisco Technical Support iPhone App

Guest Wireless LAN - 802.1x local database

simon.bentley — Tue, 30 Oct 2012 16:45:22 GMT

If I configure an additional SSID and use layer 2 authentication (WPA/WPA2) it appears that the authentication is done on the WLC within the network and not the WLC within the DMZ, I can authenticate using my domain account but not the local account on the DMZ WLC. What am I doing wrong?

Guest Wireless LAN - 802.1x local database

Saravanan Lakshmanan — Tue, 30 Oct 2012 18:32:19 GMT

802.1x + webauth possible enabling conditonal webauth

http://www.cisco.com/en/US/docs/wireless/controller/7.0/configuration/guide/c70wlan.html#wp1129600

Guest Wireless LAN - 802.1x local database

simon.bentley — Wed, 31 Oct 2012 09:14:00 GMT

I just want to perform WPA/WPA2 authentication/encryption on another Guest Wireless LAN though withour Web Authentication, its this that does not seem possible?

Guest Wireless LAN - 802.1x local database

Saravanan Lakshmanan — Wed, 31 Oct 2012 13:06:57 GMT

yes it is possible. L2 encryption is configured on internal/foreign wlc. on anchor map this wlan to guest interface.

Guest Wireless LAN - 802.1x local database

simon.bentley — Wed, 31 Oct 2012 14:19:47 GMT

I have configured WPA on both the internal WLC and the WLC in the DMZ, the authentication only only seems to occur on the internal WLC and not the WLC in the DMZ. This is the issue I am having.

Guest Wireless LAN - 802.1x local database

Saravanan Lakshmanan — Wed, 31 Oct 2012 15:01:08 GMT

Yes WPA encryption/decryption happens only on internal WLC side, once the client connecting AP decrypts the packet, it sent to anchor via internal wlc unencrypted. All L2 functions happens at internal while L3 functions are handled by anchor irrespective of static/dynamic anchor.

Guest Wireless LAN - 802.1x local database

Scott Fella — Wed, 31 Oct 2012 15:08:03 GMT

Simon,

Just to note what Saravanan mentioned, the reason the authentication (layer 2) happens on the internal WLC, is that the AP's the clients or device is associating to is connected to the internal WLC not the Guest WLC. So your layer 2 happens in your internal or foreign WLC and like Saravanan mentioned, is then tunneled or anchored to the Guest WLC for layer 3 webauth. It is not possible to have the Guest WLC perform the layer 2 if that is what your trying to accomplish.

Thanks,

Scott

Help out other by using the rating system and marking answered questions as "Answered"

Guest Wireless LAN - 802.1x local database

simon.bentley — Wed, 31 Oct 2012 15:15:31 GMT

Thanks guys. Now all is clear.