Critical VLAN for Wireless Users

jorjes1984
Level 1

Hi

I have a setup where all users (LAN & wireless) are being authenticated using Dot1x with ACS.

In case of ACS failure (without a secondary one), I know I can configure the switch port on the LAN to have a critical VLAN, so if ACS is detected as dead, a new user being authenticated is assigned to the critical VLAN.

Is there any similar solution for users connecting through the wireless connection? Can we do a critical VLAN in case of ACS failure, or anything similar to it, knowing that there is a WLC in the setup with lightweight access points?

Thanks

Best regards,

1 Reply

Bastien Migette
Cisco Employee

Hello,

Since in a wireless network the RADIUS server has an active part in the encryption key derivation, the WLC can't just grant network access to the end client when the RADIUS server is down, as the client wouldn't have the necessary keying material (nor would the WLC).

The best option would be either to have multiple RADIUS servers, or to make the WLC act as a RADIUS server and use it as a backup method, so that if your RADIUS server is down, your WLC will handle the RADIUS requests and generate the keying material. The issue is that you will need to have a consistent user database on the WLC.

The easiest way would be to have a separate SSID with legacy WPA/WPA2 that is pre-configured on the client computers, and allow network access to this SSID only when the primary SSID with Dot1x is down. This can be done manually, or on the Layer 3 gateway using PBR/EEM...

For example with PBR, you can set the output interface to Null0 for traffic originating from the WPA SSID only if the RADIUS server is reachable; otherwise let the traffic flow.
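One way to wire up the PBR/EEM idea described in the reply on a Cisco IOS Layer 3 gateway, as an added example (not the replier's configuration). It assumes the RADIUS server is 10.0.0.5, the legacy WPA SSID's client subnet is 192.168.200.0/24, and that subnet's gateway is interface Vlan200; all three are placeholders. An IP SLA probe tracks RADIUS reachability, and two EEM applets attach or detach a route-map that blackholes the legacy SSID while RADIUS is up, so the weaker SSID only carries traffic during an actual outage.

```text
! Probe the RADIUS server every 10 s; the tracked object follows the probe,
! with dampening so a single lost echo does not flap the policy.
ip sla 10
 icmp-echo 10.0.0.5 source-interface Vlan100
 frequency 10
ip sla schedule 10 life forever start-time now
track 10 ip sla 10 reachability
 delay down 30 up 10

! Traffic sourced from the legacy WPA SSID's subnet (placeholder range).
ip access-list extended LEGACY_SSID
 permit ip 192.168.200.0 0.0.0.255 any

! While applied, this route-map discards the legacy SSID's traffic.
route-map BLOCK_LEGACY_SSID permit 10
 match ip address LEGACY_SSID
 set interface Null0

! RADIUS reachable again: re-apply the blackhole policy.
event manager applet RADIUS_UP
 event track 10 state up
 action 1.0 syslog msg "RADIUS reachable - blocking legacy WPA SSID"
 action 2.0 cli command "enable"
 action 3.0 cli command "configure terminal"
 action 4.0 cli command "interface Vlan200"
 action 5.0 cli command "ip policy route-map BLOCK_LEGACY_SSID"
 action 6.0 cli command "end"

! RADIUS unreachable: remove the policy so legacy SSID traffic flows normally.
event manager applet RADIUS_DOWN
 event track 10 state down
 action 1.0 syslog msg "RADIUS unreachable - opening legacy WPA SSID"
 action 2.0 cli command "enable"
 action 3.0 cli command "configure terminal"
 action 4.0 cli command "interface Vlan200"
 action 5.0 cli command "no ip policy route-map BLOCK_LEGACY_SSID"
 action 6.0 cli command "end"
```

The syslog messages give you an audit trail of every window in which the legacy SSID was open, which is worth forwarding to the SIEM since that SSID is protected only by its pre-shared key during those windows.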