
Anchored SSID

Hello,

We have a couple of corporate Wireless LAN Controllers (WLC 5508). They are used for corporate purposes. Now we have added an anchor controller (WLC 2504) located in the DMZ in order to offer guest access. We anchored two SSIDs. The first one is completely free access with only access to the internet. It is working fine. But we have a problem with the second SSID.

The second one requires authentication. This authentication should be done via RADIUS. We did not get it working and finally we realized why. The authentication process is done by the foreign controller. We confirmed this point by making network captures. Foreign controllers do not know how to get to the RADIUS server. And we want the anchor controller to be the one making the authentication. Its IP is the IP that is accepted on the RADIUS server.

Every document we have read says that the authentication is always done by the anchor controller by default. For example:

In an Anchor - Foreign WLC scenario, which WLC sends out the RADIUS accounting?

In this scenario, authentication is always done by the anchor WLC. Therefore, RADIUS accounting is sent by the anchor WLC.

- RADIUS server: in the WLAN Security > AAA Servers tab, your Anchor controller can define specific RADIUS server(s) to use, which your Foreign controller does not care about. Authentication is done on the Anchor, not on the Foreign, so you can call RADIUS servers on the Anchor and not on the Foreign, no problem. This can also be one difference.

This is not happening this way on our scenario. We have:

  • Layer 2 security set to "WPA+WPA2" and authentication key management set to "802.1x".
  • On the AAA Servers tab we set the RADIUS server.
  • We are running software version 8.0.132.0.

So we would like to know if any further configuration is needed to get the anchor being the source of the authentication process.

Thank you very much in advance!



Scott Fella

Josu,

Foreign controllers always do the encryption/decryption, and authentication has to happen prior to getting anchored. Layer 2 auth is done on the foreign and layer 3 is done on the anchor. So even if you do a PSK SSID, auth happens on the foreign and not the anchor; only open SSIDs will send traffic straight to the anchor. The only way you can use a RADIUS server on the anchor is if you use webauth with username and password and send authentication to the RADIUS server.

-Scott

*** Please rate helpful posts ***


Thank you for your fast answer Scott.

We could use webauth with username and password and send authentication to the RADIUS server. But if we set layer 2 security to none, I assume that once the user is authenticated, the traffic between the client and the access point is not using any encryption and will be travelling in the clear, isn't it? Is there any way to avoid this situation? Setting layer 2 security only for encryption and not for authentication, for example?

Thank you very much for your help!

Josu

Josu,

If you set layer 2 to open then there is no encryption, so you have two choices for webauth: you can use HTTP or HTTPS, and your option would be to use HTTPS.

-Scott

*** Please rate helpful posts ***


Thank you very much Scott.

If we use HTTPS, we will be safe while the authentication process is done. But once the authentication is finished, since there is no encryption, will all traffic be travelling in the clear?

Josu

Josu,

This is where your requirements need to be defined. Encryption from client to AP is done only when using layer 2 encryption. So that being said, RADIUS is also done on the foreign controller for layer 2. So you have to decide what is the best approach for you. When I hear about clear text when doing anchor, I ask if encryption is necessary. Typically you anchor an SSID to a DMZ controller for internet access only, so do you really care?

-Scott

*** Please rate helpful posts ***


Hi Scott,

Everything understood. Thank you very much for your help.

Now we have to decide if we want to care about encryption or not.

Thanks again!!

Josu

That is the biggest thing. I used to ask my customers whether the wired side is secure or not before they start working out how to secure the wireless.

If you look at education or organizations that are possibly doing internet only, most of the important data is encrypted by the application or at times VPN is used if corporate connection is required.  I have worked on some K12 schools in which they leverage the cloud for everything and there is a small percentage of internal traffic being used by staff.

-Scott

*** Please rate helpful posts ***
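To make the trade-off discussed in this thread concrete, here is an added example (not Cisco code, not posted by anyone in the thread) that models where authentication terminates on an anchored WLAN and which controller therefore needs to reach the RADIUS server. The rules are taken from Scott's replies (layer 2 PSK/802.1X on the foreign, layer 3 webauth on the anchor); the WLAN names and the "anchor"/"foreign" reachability labels are constructed placeholders.

```python
"""Model authentication placement on an anchored (foreign/anchor) Cisco WLC
WLAN, following the behaviour described in this thread.  Hypothetical helper,
not Cisco code: controller labels and SSID names are constructed."""

from dataclasses import dataclass, field


@dataclass
class AnchoredWlan:
    ssid: str
    l2_security: str            # "open", "psk" or "802.1x" (WPA/WPA2)
    l3_webauth: bool = False    # web authentication against RADIUS
    webauth_https: bool = False
    # Controllers that have a route to the RADIUS server ("anchor"/"foreign").
    radius_reachable_from: set = field(default_factory=set)


def assess(wlan: AnchoredWlan) -> dict:
    """Return which controller authenticates the client and the resulting risks."""
    findings = []
    # Layer 2 (PSK / 802.1X) is terminated on the foreign; only an open
    # SSID hands the client straight to the anchor for layer 3 webauth.
    if wlan.l2_security in ("psk", "802.1x"):
        auth_on = "foreign"
    elif wlan.l3_webauth:
        auth_on = "anchor"
    else:
        auth_on = None  # open SSID with no authentication at all
    encrypted_air = wlan.l2_security != "open"

    if wlan.l2_security == "802.1x" and "foreign" not in wlan.radius_reachable_from:
        findings.append("802.1X RADIUS requests originate from the foreign, "
                        "which cannot reach the RADIUS server")
    if auth_on == "anchor" and "anchor" not in wlan.radius_reachable_from:
        findings.append("webauth RADIUS requests originate from the anchor, "
                        "which cannot reach the RADIUS server")
    if wlan.l3_webauth and not wlan.webauth_https:
        findings.append("webauth portal over HTTP exposes credentials")
    if not encrypted_air:
        findings.append("no layer 2 encryption: client traffic is in the clear over the air")
    return {"auth_on": auth_on, "encrypted_air": encrypted_air, "findings": findings}


# Constructed configs: the thread's failing WLAN and Scott's suggested alternative.
BROKEN = AnchoredWlan("guest-auth", "802.1x", radius_reachable_from={"anchor"})
WEBAUTH = AnchoredWlan("guest-auth", "open", l3_webauth=True, webauth_https=True,
                       radius_reachable_from={"anchor"})
```

Running `assess` on both configs shows the original failure (RADIUS requests leave the foreign, which has no route to the server) beside the webauth alternative, whose only remaining finding is the unencrypted air interface.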
