08-21-2011 12:50 PM - edited 07-03-2021 08:36 PM
Hi,
Does anyone know if it is possible to change the source address for AAA authentication requests leaving the WiSM to the server? I need to have these requests leave from an address not on the same subnet as the management or AP-manager interfaces.
Stu
08-21-2011 03:00 PM
As far as I know there is no way to do this. All requests will come from the management address. But what are you looking to do that you need it from another address?
Sent from Cisco Technical Support iPad App
08-22-2011 12:50 AM
Hi Stephan, Thanks for your consideration in this.
We have to monitor and manage the Wi-Fi network on a particular subnet due to global firewall rules and routing. At a particular site, client authentication is by X.509 certificates installed on the client laptops, and we need to authenticate on a server on a different subnet from the management network.
So I guess we want to access the WLC on two different subnets, one for pure management and only management, the other for user traffic and user authentication. But I see Cisco recommend the AP-manager and management IPs be on the same subnet, so I need to find out whether there is a way to have a second routed interface other than the management or AP-manager interfaces.
Stu
08-22-2011 04:34 AM
So what you need to do is create a dynamic interface for the VLAN you want the clients on. This will put them in a different VLAN than the management, and allow you to apply rules for what they can access.
Sent from Cisco Technical Support iPad App
08-22-2011 07:49 AM
Hi Again Stephan,
Isn't the first hop for the client authentication sourced from the management interface, i.e. the client authentication is received on the WLC on the dynamic interface, but then the authentication request is sent out of the management interface towards the authentication server?
Stu
08-22-2011 08:08 AM
I have some more concise wording:
"The management interface is the default interface for in-band management of the controller and connectivity to enterprise services such as AAA server. If the service port is in use, the management interface must be on a different subnet than the service port."
From: Configuring a Cisco Wireless Services Module and Wireless Control System
Is it possible to change the default interface used for AAA to a different interface, so I can have a separate layer 3 interface used to connect to the enterprise?
Stu
08-22-2011 06:09 PM
No. The WLC will always use the management interface for the AAA packets. But this does not mean you can't have a separate dynamic interface for the users. If you absolutely have to physically connect to different ports, this can be done as well; you just can't use LAG and need to specify which port the interface is going to be mapped to. Otherwise you just need to create dynamic interfaces for the users and allow those VLANs on the port from the switch.
Sent from Cisco Technical Support iPad App
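The configuration Stephan describes, written out as an added example in the AireOS CLI of the WLC; it is not from the thread or from Cisco documentation, and every address, VLAN, interface name, WLAN ID and shared secret is a constructed assumption. Lines beginning with # are annotations, not controller commands. Exact command syntax varies between AireOS releases (the `config interface address` and `config interface dhcp` forms shown are the older ones contemporary with this thread), so check `config interface ?` on the controller in use.

```text
# Constructed example values (not from the thread):
#   management interface   10.10.10.5/24  on VLAN 10   <- source of all RADIUS traffic
#   client dynamic interface 10.20.20.5/24 on VLAN 20  <- user traffic only
#   RADIUS / EAP-TLS server  172.16.5.10  (UDP 1812 auth, 1813 acct)
#   WLAN ID 1 is the certificate-authenticated WLAN

# 1. Dynamic interface for the client VLAN, separate from management and AP-manager
config interface create clients-vlan20 20
config interface address clients-vlan20 10.20.20.5 255.255.255.0 10.20.20.1
config interface dhcp clients-vlan20 primary 10.20.20.2

# 2. Bind the certificate WLAN to that interface (the WLAN must be disabled to change it)
config wlan disable 1
config wlan interface 1 clients-vlan20
config wlan enable 1

# 3. RADIUS server for the EAP-TLS exchange. The WLC will source these packets
#    from 10.10.10.5 (management), not from 10.20.20.5, whatever interface the
#    client sits on.
config radius auth add 1 172.16.5.10 1812 ascii R4d1usS3cret!
config radius acct add 1 172.16.5.10 1813 ascii R4d1usS3cret!
config wlan radius_server auth add 1 1
config wlan radius_server acct add 1 1

# 4. Only if a physically separate uplink is genuinely required, as in Stephan's
#    post: LAG has to be off and the dynamic interface is pinned to one port.
#    Left commented out because it is disruptive and rarely needed.
# config lag disable
# config interface port clients-vlan20 2

# 5. Verify the interface table and the RADIUS server list
show interface summary
show radius summary
```

Two consequences for the firewall that sits between the management subnet and the AAA server follow from the block. First, the rule that has to exist is UDP 1812/1813 from 10.10.10.5 to 172.16.5.10 (plus the return traffic); nothing in VLAN 20 needs a path to the RADIUS server, because the client's certificate exchange is carried inside RADIUS from the management address. Second, any RADIUS packet seen at that firewall with a source other than the management IP is unexpected and worth alerting on. On the switch side, the trunk towards the WiSM must carry VLAN 20 in addition to VLAN 10.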
08-23-2011 01:03 AM
This seems like the solution we require, thank you.
Stu