03-14-2014 08:23 AM - edited 07-05-2021 12:26 AM
Hi all,
I have a question regarding AAA override when using 802.1X and anchor WLCs.
We have a BYOD network where our Campus WLCs are using a WLAN with 802.1X for AKM and no L3 security. Following successful authentication, traffic is tunneled to the DMZ WLC where the client device obtains an IP address. No L2 or L3 security is configured on the anchor. The AAA servers are configured to send VLAN RADIUS return attributes and we can see they are sent on the Access-Accept responses.
When we have AAA override enabled on the DMZ WLC and disabled on the Campus WLC the client obtains an IP from the interface configured on the WLAN and does not use the RADIUS returned attributes. As noted above, we can see them on the Access-Accept messages from the RADIUS server.
After some testing, we enabled AAA override on the Campus DMZ too and we can finally receive the VLAN return attributes and override the default WLAN interface.
Out of curiosity we disabled AAA override in the DMZ and kept it enabled on the Campus side. The client device was not able to get tunneled to the DMZ because the mobility "handshake" failed between the two WLCs. Why did the handshake fail on this test and not on the first one where again there was a mismatch on the WLAN settings?
What is the correct setting when configuring 802.1X with AAA override? Does the feature have to be enabled on both sides?
Can you please provide a link to any document that provides more details for the above (if available), as I was not able to find something similar.
Kind Regards,
Theo
03-14-2014 11:14 AM
Theo,
It's best to set up the WLANs the same for both the foreign and the anchor, except of course the interface name defined in the WLAN, which can differ. Now you have to understand AAA override. You can only change a user's VLAN prior to the device getting an IP address. So using layer 2 encryption would work, but with layer 3 like webauth you wouldn't get that to work.
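The reply above rests on two things a practitioner may want to check for themselves: what the "VLAN return attributes" in the Access-Accept actually look like on the wire, and which combination of foreign/anchor WLAN settings lets the controller honour them. The following is an added example, not code from the original post or from Cisco; it decodes the standard RFC 2868 VLAN triplet (Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-ID) from a constructed RADIUS attribute list, and then applies a simplified model of the thread's findings (WLANs must match apart from the interface name, AAA override on both sides, and override only with L2 security, not L3 web auth). The `predict_override` model and the dictionary keys it uses are assumptions for illustration, not WLC configuration syntax.

```python
# RFC 2868 tunnel attribute codes and values (standard RADIUS, not page-specific)
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13        # Tunnel-Type value meaning "VLAN"
TUNNEL_MEDIUM_IEEE_802 = 6   # Tunnel-Medium-Type value meaning "802"


def parse_attributes(data: bytes):
    """Walk a RADIUS attribute list (type, length, value TLVs) into (type, value) pairs."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("bad attribute length")
        attrs.append((atype, data[i + 2:i + alen]))
        i += alen
    return attrs


def vlan_from_access_accept(data: bytes):
    """Return the VLAN id from a complete tunnel triplet sharing one tag, else None."""
    tunnel = {}
    for atype, value in parse_attributes(data):
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            # one tag byte followed by a 3-byte big-endian integer
            if len(value) != 4:
                continue
            tunnel.setdefault(value[0], {})[atype] = int.from_bytes(value[1:], "big")
        elif atype == TUNNEL_PRIVATE_GROUP_ID:
            # tag byte is only present when it is <= 0x1F, otherwise it is part of the string
            if value and value[0] <= 0x1F:
                tag, gid = value[0], value[1:]
            else:
                tag, gid = 0, value
            tunnel.setdefault(tag, {})[atype] = gid.decode("ascii", "replace")
    for parts in tunnel.values():
        if (parts.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and parts.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE_802
                and TUNNEL_PRIVATE_GROUP_ID in parts):
            return parts[TUNNEL_PRIVATE_GROUP_ID]
    return None


def predict_override(foreign: dict, anchor: dict, radius_vlan):
    """Simplified model of the thread's observations (assumed, not controller code).

    Returns ("mismatch", keys) when foreign and anchor differ on anything but the
    interface name, ("override", vlan) when the RADIUS VLAN would be honoured, and
    ("default", interface) when the client lands on the WLAN's own interface.
    """
    mismatched = sorted(k for k in set(foreign) | set(anchor)
                        if k != "interface" and foreign.get(k) != anchor.get(k))
    if mismatched:
        return ("mismatch", mismatched)
    # A VLAN can only be changed before the client gets an IP: L2 (802.1X) yes, L3 web auth no.
    if (radius_vlan and anchor["aaa_override"]
            and anchor["l2_security"] == "802.1X" and anchor["l3_security"] is None):
        return ("override", radius_vlan)
    return ("default", anchor["interface"])


# Constructed Access-Accept attribute bytes: Session-Timeout 3600, then the VLAN 120 triplet (tag 0)
SAMPLE_ACCEPT = bytes([
    27, 6, 0x00, 0x00, 0x0E, 0x10,          # Session-Timeout = 3600
    64, 6, 0x00, 0x00, 0x00, 0x0D,          # Tunnel-Type = VLAN
    65, 6, 0x00, 0x00, 0x00, 0x06,          # Tunnel-Medium-Type = IEEE-802
    81, 6, 0x00, 0x31, 0x32, 0x30,          # Tunnel-Private-Group-ID = "120"
])

# Constructed foreign/anchor WLAN settings; only the interface name is meant to differ
FOREIGN_WLAN = {"l2_security": "802.1X", "l3_security": None,
                "aaa_override": True, "interface": "byod-campus"}
ANCHOR_WLAN = {"l2_security": "802.1X", "l3_security": None,
               "aaa_override": True, "interface": "byod-dmz"}

if __name__ == "__main__":
    vlan = vlan_from_access_accept(SAMPLE_ACCEPT)
    print("RADIUS VLAN:", vlan)                                    # 120
    print(predict_override(FOREIGN_WLAN, ANCHOR_WLAN, vlan))       # ('override', '120')
    print(predict_override({**FOREIGN_WLAN, "aaa_override": False}, ANCHOR_WLAN, vlan))
    print(predict_override({**FOREIGN_WLAN, "l3_security": "webauth"},
                           {**ANCHOR_WLAN, "l3_security": "webauth"}, vlan))
```

Running it prints the VLAN decoded from the sample, then the three outcomes the thread describes: override honoured when both sides match with 802.1X and no L3 security, a mismatch report when AAA override is set on only one controller, and the WLAN's default interface when web auth is in the picture. Capturing the real Access-Accept (for example with a packet capture on the RADIUS server) and feeding its attribute bytes to `vlan_from_access_accept` is a quick way to confirm the triplet is complete before suspecting the controllers.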