03-31-2022 10:17 AM
Hello team,
Today I was trying to set up one SSID with 802.1x with the involvement of foreign and anchor WLC, the same as guest CWA.
I don't know whether this is possible or not, but after testing, the user is getting authenticated successfully by ISE policy but not getting an IP address. It is in DHCP_Req stage.
As per my understanding it should be working, but I don't know why it is not working.
Please tell me whether this is the correct setup or where I am going wrong.
03-31-2022 10:30 AM
Hello,
If you are getting past layer 2 and the client is in DHCP required state, I would recommend the following:
- Ensure the configuration on the anchor WLC has the correct interface/VLAN configured and properly mapped to that SSID, as this will be the WLC handling layer 3 for the clients. The foreign can have any bogus VLAN.
- Check on the switch side to make sure the necessary VLANs are allowed on the controller trunk link and any DHCP relay is specified as needed.
03-31-2022 11:17 AM
You mean to say this is the correct setup and we can implement it in our network?
I am using the same VLAN for the guest SSID as well, and it is working fine.
03-31-2022 12:35 PM
In theory, this can work, but I've typically seen 802.1x SSIDs usually handled locally on one controller, and guest would be a guest anchor configuration for network segmentation purposes. This all depends on your environment and the use case. If foreign/anchor is needed for your environment for the 802.1x SSID, this is fine.
- You'll need to of course verify on the SSID configuration that the anchor has itself set as the anchor and the foreign has the anchor set to forward the traffic.
I would not recommend having guest and 802.1x SSIDs in the same VLAN, however; it's best to separate the two.
03-31-2022 09:31 PM
Yes, not using the same VLAN, but I am doing this test in my lab, where guest LWA is working fine with the same VLAN but not 802.1x.
04-01-2022 07:35 AM
Then I would recommend checking on the RADIUS server to validate they are not pushing a VLAN override for a different VLAN.
03-31-2022 12:00 PM
Where does your DHCP server reside? Keep in mind that the Anchor WLC will drop the DHCP request, and for 802.1x the client first authenticates and then gets an IP address.
Make sure the WLC can get to the DHCP server properly. As this WLC resides in a DMZ, or at least should, you may need to play with the firewall somewhere.
03-31-2022 09:33 PM
Yes, authentication is successful because the user is in DHCP_req stage.
And this is my lab, and here guest LWA is working fine with the same VLAN but not 802.1x, so I think there is no need to check the firewall, right?