02-19-2020 05:55 AM - edited 07-05-2021 11:44 AM
Hi, I am trying to get my head round how a WLC works at a basic level and I just cannot figure it out. Can anyone please explain to me the following scenario we have:
An SSID named 'Ipad_WLAN' which uses local MAC filtering so doesn't look at ISE at all.
An Interface Group called 'Students' that consists of 10 interfaces (including one called "STUDENT-MAIN").
In the WLANs > Edit 'Ipad_WLAN' section there is a field called 'Interface/Interface Group(G)' which is set to use the 'Students(G)'
Now can somebody please tell me, why use an interface group here (or what's the purpose) when the SSID always associates to the "STUDENT-MAIN" interface?
The same is also true on one of our other SSIDs that goes through ISE. It uses the same interface group 'Students(G)' but associates to an interface that's not even in that group!
Please can someone explain this to a frustrated noob. Many thanks.
02-24-2020 08:34 AM
02-24-2020 09:21 AM - edited 02-24-2020 10:16 AM
No, it will just allow the interface to be overwritten. In this case, the WLC is acting as the AAA server and doing MAC auth.
02-25-2020 01:22 AM
02-25-2020 05:27 AM - edited 02-25-2020 05:31 AM
AAA is authentication, accounting, and authorization. When doing local MAC auth the WLC is acting as an AAA server doing all three of these functions. AAA override is saying that, based on the authorization, the AAA server is allowed to override the current config set to the client. Let's say you were not using the local MAC database but instead you were using ISE. If ISE sends back an AVP saying to use VLAN x, but you do not have AAA override enabled, the WLC will not accept this change.
If you look at the debug you took you will see the interface is normally applied to the client between the association request and the association response. You will first see it apply the interface on the WLAN then "Applying site-specific" interface which is the AP group. These two actions can only be based on config as the authentication has not happened yet. Then, still before the assoc response, you should see something close to "USE LOCALDB THEN RADIUS security policy for MAC-Auth Request". Next you see the mac is "authenticated". You should then see an authorization response and something like "Override values for station". This is where the interface you have applied to the client in the local database would be applied. You will even see the interface name as an override value. Since you don't have AAA override enabled you will now see "Unable to apply override policy for station <client mac> - VapAllowRadiusOverride is FALSE".
All of this is because the WLC is acting as the AAA server and it is telling itself to change the VLAN based on the MAC database entry. Since you do not have AAA override enabled, the WLC is not accepting this change to the interface. Since we are not accepting the change to the interface, we stay at the last applied interface, which is the interface on the AP group. So, if you want to override this interface applied to the client with the one you have on the local MAC database, you have to enable AAA override.
Sorry for the long-winded response but it seemed to me that you wanted a deeper dive into why this config was needed.
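The answer above describes an ordering: WLAN interface (or a member of its interface group) first, then the AP group's site-specific interface, then the interface carried in the authorization result, which is only honoured when AAA override is on. The following Python model is an added example, not the answerer's code and not Cisco WLC code; it reproduces that precedence so the "why did my client land on STUDENT-MAIN" question can be traced step by step. The way it picks a member of an interface group (a CRC of the client MAC) is an assumption made purely to keep the example deterministic and is not the controller's actual algorithm; the WLAN, AP group and MAC database values are constructed for illustration.

```python
# Added example: toy model of WLC client interface assignment precedence.
# Not controller code; the group-member selection below is an assumption.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple
import zlib


@dataclass
class Wlan:
    name: str
    interfaces: List[str]          # a single interface, or the members of an interface group
    aaa_override: bool = False     # the "Allow AAA Override" checkbox on the WLAN


@dataclass
class ApGroup:
    name: str
    # WLAN name -> site-specific interface; no entry means "use the WLAN's own interface"
    interface_map: Dict[str, str] = field(default_factory=dict)


@dataclass
class MacEntry:
    interface: Optional[str] = None  # interface name stored with the local MAC filter entry


def pick_group_member(mac: str, members: List[str]) -> str:
    """Choose one member of an interface group.
    Assumption: a CRC of the MAC is used only so the example is repeatable;
    it is not how the controller distributes clients across a group."""
    return members[zlib.crc32(mac.lower().encode()) % len(members)]


def assign_interface(wlan: Wlan, ap_group: ApGroup, mac: str,
                     local_mac_db: Dict[str, MacEntry]) -> Tuple[Optional[str], List[str]]:
    """Return (interface the client ends up on, debug-style log lines)."""
    log: List[str] = []

    # 1. Association request: WLAN-level interface / interface group (config only).
    iface = pick_group_member(mac, wlan.interfaces)
    log.append(f"Applying WLAN interface {iface}")

    # 2. AP group mapping replaces the WLAN interface (still config only).
    if wlan.name in ap_group.interface_map:
        iface = ap_group.interface_map[wlan.name]
        log.append(f"Applying site-specific interface {iface}")

    # 3. Local MAC auth: the WLC acts as its own AAA server.
    log.append("USE LOCALDB THEN RADIUS security policy for MAC-Auth Request")
    entry = local_mac_db.get(mac.lower())
    if entry is None:
        log.append(f"MAC {mac} not found in local database - authentication failed")
        return None, log
    log.append(f"MAC {mac} authenticated")

    # 4. Authorization result: an interface from the MAC entry is applied only
    #    when AAA override is enabled on the WLAN.
    if entry.interface:
        log.append(f"Override values for station {mac}: interface {entry.interface}")
        if wlan.aaa_override:
            iface = entry.interface
            log.append(f"Applied override interface {iface} for station {mac}")
        else:
            log.append(f"Unable to apply override policy for station {mac} "
                       "- VapAllowRadiusOverride is FALSE")
    return iface, log


# Constructed sample data mirroring the thread: a 'Students' interface group,
# an AP group that maps the WLAN to STUDENT-MAIN, and a MAC entry pointing elsewhere.
STUDENTS_GROUP = ["STUDENT-MAIN", "STUDENT-2", "STUDENT-3"]
AP_GROUP = ApGroup("Building-A", {"Ipad_WLAN": "STUDENT-MAIN"})
MAC_DB = {
    "aa:bb:cc:dd:ee:01": MacEntry(interface="STAFF"),  # entry carries an interface
    "aa:bb:cc:dd:ee:02": MacEntry(),                   # entry without an interface
}

if __name__ == "__main__":
    for override in (False, True):
        wlan = Wlan("Ipad_WLAN", STUDENTS_GROUP, aaa_override=override)
        iface, log = assign_interface(wlan, AP_GROUP, "aa:bb:cc:dd:ee:01", MAC_DB)
        print(f"AAA override={override}: client on {iface}")
        for line in log:
            print("   ", line)
```

With `aaa_override=False` the client stays on STUDENT-MAIN, the last interface applied from config (the AP group), and the log carries the "VapAllowRadiusOverride is FALSE" line; with it enabled, the interface from the MAC entry wins. A client whose MAC entry has no interface keeps the AP-group interface either way.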
02-25-2020 05:46 AM