10-29-2016 02:29 AM - edited 07-05-2021 06:04 AM
Hello,
We have a couple of corporate Wireless LAN Controllers (WLC 5508). They are used for corporate purposes. Now we have added an anchor controller (WLC 2504) located in the DMZ in order to offer guest access. We anchored two SSIDs. The first one is completely free access with only access to the internet. It is working fine. But we have a problem with the second SSID.
The second one requires authentication. This authentication should be done via RADIUS. We did not get it working and finally we realized why. The authentication process is done by the foreign controller. We confirmed this point by making network captures. Foreign controllers do not know how to get to the RADIUS server. And we want the anchor controller to be the one making the authentication. Its IP is the IP that is accepted on the RADIUS server.
In every documentation we have read it says that the authentication is always done by anchor controller by default. For example:
In this scenario, authentication is always done by the anchor WLC. Therefore, RADIUS accounting is sent by the anchor WLC.
- RADIUS server: in the WLAN Security > AAA Servers tab, your Anchor controller can define specific RADIUS server(s) to use, which your Foreign controller does not care about. Authentication is done on the Anchor, not on the Foreign, so you can call RADIUS servers on the Anchor and not on the Foreign, no problem. This can also be one difference.
This is not happening this way in our scenario. We have:
So we would like to know if any further configuration is needed to get the anchor being the source of the authentication process.
Thank you very much in advance!
10-29-2016 03:59 AM
Josu,
Foreign controllers always do the encryption/decryption, and authentication has to happen prior to getting anchored. Layer 2 auth is done on the foreign and layer 3 is done on the anchor. So even if you do a PSK SSID, auth happens on the foreign and not the anchor; only open SSIDs will send traffic straight to the anchor. The only way you can use a RADIUS server on the anchor is if you use webauth with username and password and send authentication to the RADIUS.
-Scott
*** Please rate helpful posts ***
10-31-2016 01:43 AM
Thank you for your fast answer Scott.
We could use webauth with username and password and send authentication to the RADIUS. But if we set layer 2 security to none, I assume that once the user is authenticated, the traffic between the client and the access point is not using any encryption and will be travelling in clear, isn't it? Is there any way to avoid this situation? Setting layer 2 security only for encryption and not for authentication, for example?
Thank you very much for your help!
Josu
10-31-2016 06:38 AM
Josu,
If you set layer 2 to open then there is no encryption, so you have two choices for webauth: you can use HTTP or HTTPS; your option would be to use HTTPS.
-Scott
*** Please rate helpful post ***
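The split Scott describes (layer 2 open so the foreign just tunnels the client, layer 3 webauth and RADIUS defined on the DMZ anchor, HTTPS for the login page) can be expressed as an AireOS CLI sketch. This is an added example, not configuration from the thread or from Cisco; the WLAN id, the management and RADIUS addresses and the shared secret are constructed placeholders, and the WLAN profile/SSID and security settings must be identical on both controllers for the anchor to accept the tunnel.

```text
! ---- Foreign controller (corporate WLC 5508), constructed example ----
! Same WLAN profile and SSID as on the anchor; layer 2 open, so no
! encryption or RADIUS is needed here. Clients are tunnelled to the anchor.
config wlan create 3 Guest-Auth Guest-Auth
config wlan security wpa disable 3
config wlan security web-auth enable 3
! Point the WLAN at the DMZ anchor (anchor management IP is a placeholder).
config wlan mobility anchor add 3 198.51.100.10
config wlan enable 3

! ---- Anchor controller (DMZ WLC 2504), constructed example ----
config wlan create 3 Guest-Auth Guest-Auth
config wlan security wpa disable 3
config wlan security web-auth enable 3
! The anchor anchors the WLAN to itself.
config wlan mobility anchor add 3 198.51.100.10
! RADIUS server is defined only on the anchor, whose IP the RADIUS
! server already trusts (address and secret are placeholders).
config radius auth add 1 203.0.113.20 1812 ascii REPLACE_WITH_SHARED_SECRET
config radius auth enable 1
config wlan radius_server auth add 3 1
config wlan radius_server auth enable 3
config wlan security web-auth server-precedence 3 radius
! Serve the webauth portal over HTTPS so credentials are not sent in clear.
config network web-auth secureweb enable
config wlan enable 3
```

After both sides are up, `show wlan 3` on each controller should list the anchor as the mobility anchor, and only the anchor should show a RADIUS authentication server for the WLAN. Data traffic after login is still unencrypted over the air, which is the trade-off the rest of the thread discusses.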
10-31-2016 07:10 AM
Thank you very much Scott.
If we use HTTPS, we will be safe while the authentication process is done. But, once the authentication is finished, since there is no encryption, will all traffic be travelling in clear?
Josu
10-31-2016 07:39 AM
Josu,
This is where your requirements need to be defined. Encryption from client to AP is done only when using layer 2 encryption. So that being said, RADIUS is also done on the foreign controller for layer 2. So you have to decide what is the best approach for you. When I hear about clear text when doing anchor, I ask if encryption is necessary. Typically you anchor an SSID to a DMZ controller for internet access only, so do you really care?
-Scott
*** Please rate helpful posts ***
10-31-2016 07:50 AM
Hi Scott,
Everything understood. Thank you very much for your help.
Now we have to decide if we want to care about encryption or not.
Thanks again!!
Josu
10-31-2016 08:06 AM
That is the biggest thing. I used to ask my customers whether the wired side is secure or not before they start trying to secure the wireless.
If you look at education or organizations that are possibly doing internet only, most of the important data is encrypted by the application or at times VPN is used if corporate connection is required. I have worked on some K12 schools in which they leverage the cloud for everything and there is a small percentage of internal traffic being used by staff.
-Scott
*** Please rate helpful posts ***