https://community.cisco.com/t5/wireless/wlc-authentication-routing/m-p/1583277#M46707 <HTML><HEAD></HEAD><BODY><P>Authentication requests are sent from the management interface always.</P><P></P><P>I'm not sure if there is any point in doing what you are looking for. The guest user authentication is an encrypted (chap) authentication request going to your radius server. What is dangerous about putting that in your internal VLAN ? It's the WLC sending the radius request, not the client. The only traffic that the client will ever be able to send is through your untrusted vlan.</P><P></P><P>Nicolas</P></BODY></HTML> Mon, 14 Mar 2011 06:40:12 GMT Nicolas Darchis 2011-03-14T06:40:12Z https://community.cisco.com/t5/wireless/wlc-authentication-routing/m-p/1583276#M46706 <P>Hi</P><P></P><P>We have a requirement to provide 802.1X certificate authentication for internal users and web authentication to guest users.</P><P></P><P>The certificate server will be on an internal trusted network where the internal employee get mapped to the internal VLAN.</P><P></P><P>Guest users will map to an untrusted VLAN once authenticated using web auth then will be able to access the Internet.</P><P></P><P>My question is that I would like the internal authentication requirest to go to the internal server and route via an internal</P><P>trusted VLAN and the guest user web auth authentication to route via the untrusted VLAN to the guest server on the</P><P>untrusted network.</P><P></P><P>Can anyone confirm if this is possible or is all authentication sourced from the management interface IP address.</P><P></P><P>Appreciate any help on this.</P> Sun, 04 Jul 2021 02:56:47 GMT https://community.cisco.com/t5/wireless/wlc-authentication-routing/m-p/1583276#M46706 billsayegh 2021-07-04T02:56:47Z https://community.cisco.com/t5/wireless/wlc-authentication-routing/m-p/1583277#M46707 <HTML><HEAD></HEAD><BODY><P>Authentication requests are sent from the management interface always.</P><P></P><P>I'm not sure if there is any point in doing what you are looking for. The guest user authentication is an encrypted (chap) authentication request going to your radius server. What is dangerous about putting that in your internal VLAN ? It's the WLC sending the radius request, not the client. The only traffic that the client will ever be able to send is through your untrusted vlan.</P><P></P><P>Nicolas</P></BODY></HTML> Mon, 14 Mar 2011 06:40:12 GMT https://community.cisco.com/t5/wireless/wlc-authentication-routing/m-p/1583277#M46707 Nicolas Darchis 2011-03-14T06:40:12Z https://community.cisco.com/t5/wireless/wlc-authentication-routing/m-p/1583278#M46708 <HTML><HEAD></HEAD><BODY><P>Hi</P><P></P><P>Thanks for your response, the guest authentication server will be sitting in a custom hosted environment which is physically in a different location on an unstrusted environment which is accessed via a different VPN than the customers internal VPN.</P><P></P><P>Can we route the authentication traffic via different VLAN based on which authentication server we want to use for a particular SSID.</P><P></P><P>If authentication request are only sent on a single VLAN IE the WLC management VLAN then we would need to do some policy based routing to direct the traffic to each VPN, not ideal.</P><P></P><P>Regards<BR />Bill</P></BODY></HTML> Mon, 14 Mar 2011 23:04:26 GMT https://community.cisco.com/t5/wireless/wlc-authentication-routing/m-p/1583278#M46708 billsayegh 2011-03-14T23:04:26Z https://community.cisco.com/t5/wireless/wlc-authentication-routing/m-p/1583279#M46709 <HTML><HEAD></HEAD><BODY><P>As you are stating, you need routing configuration on the infrastructure. The WLC will send out through the management interface to the radius server defined in the SSID.</P></BODY></HTML> Tue, 15 Mar 2011 07:57:33 GMT https://community.cisco.com/t5/wireless/wlc-authentication-routing/m-p/1583279#M46709 Nicolas Darchis 2011-03-15T07:57:33Z https://community.cisco.com/t5/wireless/wlc-authentication-routing/m-p/1583280#M46710 <HTML><HEAD></HEAD><BODY><P>Hi</P><P></P><P>Thanks for your reply, I think you have answered the question that all radius authentication is sent out on the management interface, it is then up to the network to direct the traffic to where it needs to go.</P><P></P><P>Regards</P><P>Bill CCIE 3906</P></BODY></HTML> Tue, 15 Mar 2011 22:42:33 GMT https://community.cisco.com/t5/wireless/wlc-authentication-routing/m-p/1583280#M46710 billsayegh 2011-03-15T22:42:33Z