3850 MC with multiple 3650 MAs doing webauth with Local db

R M C
Level 1

Hi All

I've recently dipped my toes into the world of converged wireless.  The customer was upgrading infrastructure at multiple sites, installing a 3850 core stack, which was to also act as an MC, with 3650 edge stacks which were to act as MAs.  Unfortunately the 3850s were SFP only so the APs could not be directly attached to them, no power injectors etc.

There are three SSIDs at each site, one dot1x, one PSK and one webauth using local webauth.  All but one site has just the one edge stack and hence only one MA so local web auth is straightforward.  I'm a little unsure what happens with multiple MAs and local webauth?  Do I need to duplicate the guest user account on each of the MAs?  Or is there a way to move webauth to the 3850 MC or one of the MAs?  I've not been able to find any info on this.  Or should the local webauth be on the MC?  When I tested, albeit with the single MA, auth was only successful when the user account was configured on the MA.  The multiple MA issue only occurred to me after the kit had been shipped to site.

Also, regarding the dot1x, is the MC or MA the RADIUS client?

Many thanks in advance

Mark

Accepted Solutions

Freerk Terpstra
Level 7

On every switch with access-points directly connected (MA or MC) you need to make the same WLAN configurations. Also the RADIUS traffic will originate from those switches directly.

Regarding the local webauth, you can go two ways: refer to a central RADIUS server and define all the usernames centrally or implement an anchor controller within the infrastructure. With the anchor controller also a central database is being used for the user credentials but also the traffic will be tunneled (to a DMZ for example). It is recommended to use the 5760 as anchor controller with converged access, sadly the 3650 and 3850 cannot be used for this (the 2504/5500/WiSM2 can do it as well, but only up to software version 8.0).

I would go with the central RADIUS deployment, but it depends on what you currently already have within the infrastructure. Having the local databases will work as well of course, but can be an administrative nightmare if you don't apply some central management / scripting.

Please rate useful posts... :-)
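
Added example, not part of the original thread or any poster's code: one way to script the consistency check that per-MA local databases call for. It assumes each MA's running-config has already been collected as text and that local accounts appear as IOS `username ... password|secret` lines; the device names, accounts and hash strings below are constructed.

```python
import re

# Constructed running-config excerpts for three hypothetical MAs (names,
# accounts and hash strings are made up for this example).
CONFIGS = {
    "ma-edge-1": "username guest1 privilege 0 secret 5 $1$aaaa$constructedhash01\n"
                 "username guest2 privilege 0 secret 5 $1$bbbb$constructedhash02\n",
    "ma-edge-2": "username guest1 privilege 0 secret 5 $1$cccc$constructedhash03\n"
                 "username guest2 privilege 0 password 7 00CONSTRUCTED07\n",
    "ma-edge-3": "username guest1 privilege 0 password Welcome123\n",
}

USER_RE = re.compile(
    r"^username\s+(?P<name>\S+)(?:\s+privilege\s+(?P<priv>\d+))?"
    r"\s+(?P<kind>password|secret)\s+(?:(?P<type>\d+)\s+)?\S+\s*$",
    re.MULTILINE,
)

def parse_users(config):
    """Map each local username to (keyword, encoding type) from config text."""
    return {m["name"]: (m["kind"], m["type"] or "0")
            for m in USER_RE.finditer(config)}

def audit(configs):
    """Return (missing, weak): accounts absent from some MA, and accounts
    stored as cleartext (type 0) or reversible type 7 'password' entries."""
    parsed = {dev: parse_users(cfg) for dev, cfg in configs.items()}
    all_users = set().union(*(u.keys() for u in parsed.values()))
    missing = {
        user: sorted(dev for dev, users in parsed.items() if user not in users)
        for user in sorted(all_users)
    }
    missing = {u: devs for u, devs in missing.items() if devs}
    # Salted secret hashes differ per device even for the same password,
    # so hash values are deliberately not compared here.
    weak = sorted(
        (dev, user, f"{kind} type {typ}")
        for dev, users in parsed.items()
        for user, (kind, typ) in users.items()
        if kind == "password" and typ in ("0", "7")
    )
    return missing, weak

if __name__ == "__main__":
    missing, weak = audit(CONFIGS)
    for user, devs in missing.items():
        print(f"{user}: missing on {', '.join(devs)}")
    for dev, user, why in weak:
        print(f"{dev}: {user} stored as {why}")
```
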

2 Replies 2

Hi Freerk

Many thanks for your reply, much appreciated.  I am glad to learn that I didn't miss something obvious and that the local databases need to be present on all MAs.  A complete administrative nightmare as you said, unfortunately the kit list and design was out of our control though I will certainly advise the customer of the alternatives.

Many thanks again for taking the time to reply.

Mark