Dynamic Vlan assignment with a Foreign Anchor between 2 organisations.

craiglebutt
Level 4

As a hospital we advertise Eduroam for our Staff via the local University.

This has been working great for years.

Now the University that we connect to for Eduroam is going down the SD-Access route.

No issues there, except where we both have the same vlan on our own WLCs.

We have 2 VLANs in an Interface group and they have the same 2 VLANs set up on their side using dynamic VLAN assignment.

Because of this, the ISE is carrying out a second RADIUS look at our WLC and sees the VLANs, which then has an effect on the University side: the policy with the DVA will not apply.

The only way we can avoid it is for one of us to stop using the same VLAN.

Or is there a smarter way, by specifying the WLC it comes from in a policy? I can't believe we are the only ones who are experiencing this.


Cheers in advance

3 Replies

Arne Bier
VIP

I have read your question a few times and can't make much sense of it - I have to read between the lines.

As I understand it, the university hosts the eduroam "anchor" controller, and your organisation is the "foreign" controller. There is a mobility tunnel between you and the university. Eduroam uses 802.1X, which means that RADIUS is performed by the Foreign WLC.

This means that you should not be concerned with the interfaces on the Anchor controller.

If you're doing dynamic VLAN assignment on the Foreign WLC, then you can return the name (string) of the Interface Group (and the WLC hashes the client between the members of that group).

I don't understand what the actual concern is. What is a "second RADIUS look at our WLC"?
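As an added illustration of what Arne describes (this code is not from the thread or from Cisco), the following encodes and decodes the three RFC 2868 tunnel attributes a RADIUS server returns in its Access-Accept for dynamic VLAN assignment: Tunnel-Type (64) = VLAN (13), Tunnel-Medium-Type (65) = IEEE-802 (6) and Tunnel-Private-Group-ID (81), whose string can be either a numeric VLAN ID or, as Arne notes for the WLC, an interface or interface-group name. The attribute numbers and the tag rule (a first byte above 0x1F is string data, not a tag) are from RFC 2868; the group name `eduroam-group` and the tag value 1 are constructed sample values.

```python
import struct

# RFC 2868 attribute types and enumerated values.
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6


def _tagged_int(attr_type, tag, value):
    """Type(1) Length(1)=6 Tag(1) Value(3): the fixed layout of Tunnel-Type / Tunnel-Medium-Type."""
    return struct.pack("!BBB", attr_type, 6, tag) + value.to_bytes(3, "big")


def _tagged_string(attr_type, tag, text):
    """Type(1) Length(1) Tag(1) String: the layout of Tunnel-Private-Group-ID."""
    payload = text.encode("ascii")
    length = 3 + len(payload)
    if length > 255:
        raise ValueError("attribute too long for a RADIUS TLV")
    return struct.pack("!BBB", attr_type, length, tag) + payload


def build_dynamic_vlan_attrs(group, tag=1):
    """Return the raw bytes of the three attributes that select a VLAN or an
    interface/interface-group name for the client (tag groups them together)."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("RFC 2868 tags are 0x00..0x1F")
    return (
        _tagged_int(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
        + _tagged_int(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_IEEE_802)
        + _tagged_string(TUNNEL_PRIVATE_GROUP_ID, tag, str(group))
    )


def parse_tunnel_attrs(data):
    """Walk a run of RADIUS TLVs and return [(type, tag, value), ...].
    Lengths are validated so a truncated or malformed packet raises instead of
    being silently misread."""
    attrs = []
    i = 0
    while i < len(data):
        if len(data) - i < 2:
            raise ValueError("truncated attribute header")
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("bad attribute length")
        body = data[i + 2:i + alen]
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if alen != 6:
                raise ValueError("tunnel integer attribute must be 6 bytes")
            tag, value = body[0], int.from_bytes(body[1:], "big")
        elif atype == TUNNEL_PRIVATE_GROUP_ID:
            # RFC 2868: a first byte > 0x1F is the start of the string, not a tag.
            if body and body[0] <= 0x1F:
                tag, value = body[0], body[1:].decode("ascii")
            else:
                tag, value = 0, body.decode("ascii")
        else:
            tag, value = None, bytes(body)
        attrs.append((atype, tag, value))
        i += alen
    return attrs


def describe_group_id(value):
    """Classify a Tunnel-Private-Group-ID string the way a controller would:
    an all-digit value is a VLAN ID, anything else is an interface or group name."""
    if value.isdigit():
        vid = int(value)
        if 1 <= vid <= 4094:
            return ("vlan-id", vid)
        raise ValueError("VLAN ID out of range")
    return ("interface-name", value)


if __name__ == "__main__":
    raw = build_dynamic_vlan_attrs("eduroam-group")  # constructed sample group name
    for atype, tag, value in parse_tunnel_attrs(raw):
        print(atype, tag, value)
    print(describe_group_id("eduroam-group"), describe_group_id("200"))
```

The parser is the part worth keeping around: when two controllers disagree about which VLAN a client landed on, decoding the Access-Accept from a capture shows exactly what the RADIUS server returned (numeric ID or name, and under which tag) before anyone starts changing VLAN numbering.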


Hi

The secondary RADIUS lookup was from a post, if I read it right.

https://community.cisco.com/t5/wireless/authentication-in-foreign-anchor-configuration/td-p/2041134

We have 5 WLCs all anchoring to the Uni. On the Eduroam side, all users are being assigned the correct VLAN, except for 1 WLC, as this has the same VLAN ID.

I can look on 4 of my 5 WLCs and see that they are going over the management interface, and my counterpart in the Uni can see them dropping on to the correct VLAN.

On the 5th, the one that has the same VLAN, I can see the devices trying to connect via the local management VLAN and use the VLAN ID on my side; all WLCs are configured the same. When the endpoint breaks out on the Eduroam side, it doesn't apply the VLAN. They see the endpoint using my management VLAN and my local VLAN.

Cheers

Arne Bier
VIP

I think this might be a good question for the Wireless Community. From that link you sent, I can't really make out what the Cisco employee means by "local anchor" etc. Perhaps I missed the concept, but if the university is the Eduroam "anchor point" upon which you terminate all 5 of your WLCs (foreign controllers), then the only RADIUS traffic that will flow is from your WLCs to your RADIUS server. The university does not send you any RADIUS auth requests, do they?