cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
515
Views
0
Helpful
1
Replies

AAA override and 802.1X for BYOD network

tsakoulias
Level 1
Level 1

Hi all,

 

I have a question regarding AAA override when using 802.1X and anchor WLCs.

 

We have a BYOD network where our Campus WLC are using a WLAN with 802.1X for AKM and no L3 security. Following successful authentication traffic is tunneled to the DMZ WLC where the client device obtains an IP address. No L2 or L3 security is configured on the anchor. The AAA servers are configured to send VLAN RADIUS return attributes and we can see they are sent on the Access-Accept responses.

 

When we have AAA override enabled on the DMZ WLC and disabled on the Campus WLC the client obtains an IP from the interface configured on the WLAN and does not use the RADIUS returned attributes. As noted above, we can see them on the Access-Accept messages from the RADIUS server.

After some testing, we enabled AAA override on the Campus DMZ too and we can finally receive the VLAN return attributes and override the default WLAN interface.

Out of curiosity we disabled AAA override in the DMZ and kept it enabled on the Campus side. The client device was not able to get tunneled to the DMZ because the mobility "handshake" failed between the two WLCs. Why did the handshake fail on this test and not on the first one where again there was a mismatch on the WLAN settings?

 

What is the correct setting when configuring 802.1X with AAA override. Does the feature have to be enabled on both sides?  

Can you please provide a link to any document that provides more details for the above (if available) as i was not able to find something similar.

Kind Regards,

Theo

 

 

 

 

Regards,

Theo

 

1 Accepted Solution

Accepted Solutions

Scott Fella
Hall of Fame
Hall of Fame

Theo,

It's best to setup the WLAN's the same for both the foreign and the anchor, except of course the interface name defined in thw WLAN which can differ.  Now you have to understand AAA override.  You can only change a users vlan only prior to the device getting an ip address.  So using a layer 2 encryption would work, but layer 3 like webauth, you wouldn't get that to work.

-Scott
*** Please rate helpful posts ***

View solution in original post

1 Reply 1

Scott Fella
Hall of Fame
Hall of Fame

Theo,

It's best to setup the WLAN's the same for both the foreign and the anchor, except of course the interface name defined in thw WLAN which can differ.  Now you have to understand AAA override.  You can only change a users vlan only prior to the device getting an ip address.  So using a layer 2 encryption would work, but layer 3 like webauth, you wouldn't get that to work.

-Scott
*** Please rate helpful posts ***
Review Cisco Networking for a $25 gift card