Beginner

Guest Wireless LAN - 802.1x local database

We currently have a Guest Wireless LAN using Web Authentication located on a WLC within our DMZ. Is it possible to create an additional Guest Wireless LAN with 802.1x authentication using the local users DB on the WLC within the DMZ? We have 3 additional WLCs located within the corporate infrastructure.

Hall of Fame Master

Re: Guest Wireless LAN - 802.1x local database

Yes, you can. If the SSIDs are going to be the same, then you need to have the profile name different. If you're doing 802.1x with website then no. You can't have a layer 2 encryption defined and also have a layer 3 (WebAuth). You can have multiple WebAuth with different pages too.

Makes sense


-Scott
Beginner

Guest Wireless LAN - 802.1x local database

If I configure an additional SSID and use layer 2 authentication (WPA/WPA2), it appears that the authentication is done on the WLC within the network and not the WLC within the DMZ. I can authenticate using my domain account but not the local account on the DMZ WLC. What am I doing wrong?

Cisco Employee

Guest Wireless LAN - 802.1x local database

Beginner

Guest Wireless LAN - 802.1x local database

I just want to perform WPA/WPA2 authentication/encryption on another Guest Wireless LAN, though without Web Authentication. It's this that does not seem possible?

Cisco Employee

Guest Wireless LAN - 802.1x local database

Yes, it is possible. L2 encryption is configured on the internal/foreign WLC. On the anchor, map this WLAN to the guest interface.

Beginner

Guest Wireless LAN - 802.1x local database

I have configured WPA on both the internal WLC and the WLC in the DMZ. The authentication only seems to occur on the internal WLC and not the WLC in the DMZ. This is the issue I am having.

Cisco Employee

Guest Wireless LAN - 802.1x local database

Yes, WPA encryption/decryption happens only on the internal WLC side. Once the client connecting AP decrypts the packet, it is sent to the anchor via the internal WLC unencrypted. All L2 functions happen at internal while L3 functions are handled by the anchor, irrespective of static/dynamic anchor.


Hall of Fame Master

Guest Wireless LAN - 802.1x local database

Simon,

Just to note what Saravanan mentioned, the reason the authentication (layer 2) happens on the internal WLC is that the APs the clients or devices are associating to are connected to the internal WLC, not the Guest WLC. So your layer 2 happens in your internal or foreign WLC and, like Saravanan mentioned, is then tunneled or anchored to the Guest WLC for layer 3 webauth. It is not possible to have the Guest WLC perform the layer 2, if that is what you're trying to accomplish.

Thanks,

Scott

Beginner

Guest Wireless LAN - 802.1x local database

Thanks guys.  Now all is clear.
