AAA with Anchor WLC

Dave Row
Level 1

Hi Folks,

We have a pair of WiSM modules in our Core switches and a pair of 5508's in our DMZ.  We can successfully tunnel clients to the Anchor controllers in the DMZ when there's no AAA specified, however, when I add AAA servers for Authentication and Accounting the mobility handshake does not complete.

Now, I can see the association of the client in the console 'debug client <mac>' output but I'm unsure which of the controllers is attempting to send the AAA request to the specified RADIUS servers. 

Is the AAA request sent by the Foreign controller (in our cores) or is the request tunnelled to the Anchor controller (in the DMZ)?  If the AAA request is forwarded out of the Anchor controller's Management interface why then isn't the mobility handshake completing? 

Do I need to specify the AAA servers on the Foreign controller too, or just the Anchor? I'm looking to associate the clients with a specific interface on the Anchor but accept that the AAA request will originate from the management interface.

Could it be that because I have the AAA servers specified on the Foreign, this WLC is attempting to authenticate before beginning Mobility handshake?

Any help/advice greatly appreciated.

4 Replies

Stephen Rodriguez
Cisco Employee

First, are you doing an EAP type, or just using the AAA server to validate the name a user places into a splash page?

For the anchoring to work, the WLAN configs need to match exactly, so if you added AAA servers to the Anchor, you need to add them to the foreign as well.

As for who will send the AAA request, it depends on what you are doing.  If you are doing EAP, then that will come from the Foreign, as L2 security has to be completed prior to anchoring.  If it's just the webauth, then it will come from the Anchor.

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered

Thanks for the quick response Stephen.  I read the following info on the Wireless Guest Access FAQ that seems to contradict what you're saying:

Q. In an Anchor - Foreign WLC scenario, which WLC sends out the RADIUS accounting?

A. In this scenario, authentication is always done by the anchor WLC. Therefore, RADIUS accounting is sent by the anchor WLC.

We're running a WPA+WPA2 - AES with 802.1x Auth Key Mgmt.  In this config, does the Foreign still send the Auth requests?

That is the accounting message, not the auth traffic. Layer 2 authentication needs to happen prior to the anchoring happening. So the internal should be the one sending the authentication to AAA.

Steve

grabonlee
Level 4

Hi David,

Why would you want to use EAP if the sole purpose is to provide Guest services? I don't think you would expect all guests to turn up at your premises with EAP configured devices. If the clients are solely corporate devices, then Stephen is correct that EAP requests would be forwarded to the AAA server by the Foreign controller and not the Anchor.

Also note that as your Anchor is on the DMZ, you would have to allow RADIUS between the DMZ controllers and the AAA server through the FW, and that is if you have Web authentication enabled.
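As an added example (not from any post in this thread), a small Python check that encodes the points made in the replies above: the WLAN settings must match on anchor and foreign, 802.1X/EAP authentication is sent to RADIUS by the foreign while web-auth authentication and accounting come from the anchor, and a DMZ anchor therefore needs firewall openings to the AAA servers. The field names and sample addresses are constructed; the ports are the standard RADIUS defaults.

```python
# Added example, not from this thread: readiness check for an anchor/foreign
# WLAN pair, based on the replies above. Field names and addresses are
# constructed; 1812/1813 are the standard RADIUS ports a WLC uses by default.
# Assumes configs were already pulled from both controllers into WlanConfig.
from dataclasses import dataclass, field

RADIUS_AUTH_PORT = 1812   # UDP
RADIUS_ACCT_PORT = 1813   # UDP
MUST_MATCH = ("ssid", "l2_security", "webauth", "auth_servers", "acct_servers")

@dataclass
class WlanConfig:
    ssid: str
    l2_security: str      # e.g. "wpa2-aes-802.1x", "wpa2-psk", "none"
    webauth: bool         # Layer 3 web authentication enabled on the WLAN
    auth_servers: list = field(default_factory=list)   # RADIUS auth server IPs
    acct_servers: list = field(default_factory=list)   # RADIUS accounting IPs

def config_mismatches(anchor: WlanConfig, foreign: WlanConfig) -> list:
    """Fields that differ between the two WLCs; must be empty for anchoring to work."""
    return [f for f in MUST_MATCH if getattr(anchor, f) != getattr(foreign, f)]

def radius_sources(wlan: WlanConfig) -> dict:
    """Which controller originates each kind of RADIUS traffic for this WLAN."""
    sources = {}
    if "802.1x" in wlan.l2_security.lower():
        sources["eap_auth"] = "foreign"      # L2 auth completes before anchoring
    if wlan.webauth:
        sources["webauth_auth"] = "anchor"   # client is already tunnelled to the anchor
    if wlan.acct_servers:
        sources["accounting"] = "anchor"     # per the guest-access FAQ quoted above
    return sources

def dmz_firewall_flows(wlan: WlanConfig) -> list:
    """UDP (server, port) pairs the DMZ anchor must be allowed to reach."""
    sources = radius_sources(wlan)
    flows = set()
    if sources.get("webauth_auth") == "anchor":
        flows.update((s, RADIUS_AUTH_PORT) for s in wlan.auth_servers)
    if sources.get("accounting") == "anchor":
        flows.update((s, RADIUS_ACCT_PORT) for s in wlan.acct_servers)
    return sorted(flows)

if __name__ == "__main__":
    # Constructed sample: the foreign is missing the accounting server the anchor has.
    anchor = WlanConfig("Guest", "wpa2-aes-802.1x", False, ["10.0.0.5"], ["10.0.0.5"])
    foreign = WlanConfig("Guest", "wpa2-aes-802.1x", False, ["10.0.0.5"], [])
    print("mismatches:", config_mismatches(anchor, foreign))   # ['acct_servers']
    print("radius sources:", radius_sources(anchor))
    print("DMZ flows to allow:", dmz_firewall_flows(anchor))   # [('10.0.0.5', 1813)]
```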