802.1x setup using foreign anchor wlc

jain.manish94

Hello team,

Today I was trying to set up one SSID with 802.1x involving foreign and anchor WLCs, the same as guest CWA.

I don't know whether this is possible or not, but after testing, the user is getting authenticated successfully by ISE policy but is not getting an IP address. It is in the DHCP_Req stage.

As per my understanding it should be working, but I don't know why it is not working.

Please tell me whether this is the correct setup or where I am going wrong.


Prince.O

Hello,

 

If you are getting past layer 2 and the client is in DHCP required state, I would recommend the following:

- Ensure the configuration on the anchor WLC has the correct interface/VLAN configured and properly mapped to that SSID, as this will be the WLC handling layer 3 for the clients. The foreign can have any bogus VLAN.

- Check on the switch side to make sure the necessary VLANs are allowed on the controller trunk link and any DHCP relay is specified as needed.

You mean to say this is the correct setup and we can implement it in our network?

I am using the same VLAN for the guest SSID as well, and it is working fine.

In theory, this can work, but I've typically seen 802.1x SSIDs handled locally on one controller, and guest would be a guest anchor configuration for network segmentation purposes. This all depends on your environment and the use case. If foreign/anchor is needed in your environment for the 802.1x SSID, this is fine.

- You'll of course need to verify in the SSID configuration that the anchor has itself set as the anchor and the foreign has the anchor set to forward the traffic.

 

I would not recommend having the guest and 802.1x SSIDs in the same VLAN, however; it's best to separate the two.

 

Yes, I am not using the same VLAN, but I am doing this test in my lab, where guest LWA is working fine with the same VLAN but 802.1x is not.

Then I would recommend checking on the RADIUS server to validate they are not pushing a VLAN override for a different VLAN.

Where does your DHCP server reside? Keep in mind that the anchor WLC will drop the DHCP request, and for 802.1x, client authentication comes first, then it gets an IP address.

Make sure the WLC can get to the DHCP server properly. As this WLC resides in a DMZ, or at least should, you may need to play with a firewall somewhere.

 

 

Yes, authentication is successful because the user is in the DHCP_req stage.

And this is my lab, and here guest LWA is working fine with the same VLAN but 802.1x is not, so I think there is no need to check the firewall, right?
