cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2080
Views
0
Helpful
2
Replies

Authentication in Foreign/Anchor Configuration

mmelbourne
Level 5
Level 5

We have a controller which is using dynamic VLAN assignment from a local controller for a single SSID. We now want to extend this SSID to a foreign controller and have traffic tunnelled back to the local (anchor) controller. Is it the case that the dot1x authentication (in our case via EAP-TLS) is performed on the foreign controller, and this implies the foreign controller needs to be a AAA client of the local RADIUS server (and that this L2 Authentication is not tunnelled back in EoIP to the anchor controller)? Also, if this is the case, and the traffic gets tunnelled back to the anchor controller, will it also perform a 'secondary' RADIUS lookup to determine the dynamic VLAN to assign to the user's session on the anchor controller, as the anchor controller still needs to use the correct VLAN assignment based on local RADIUS attributes?

Thanks in advance,

Matt

2 Replies 2

mmelbourne
Level 5
Level 5

Is it possible that thus functionality will work with the "VLAN Select", i.e. the user is L2 authenticated on the Foreign controller (with AAA override enabled), and the VLAN information is passed as additional payload in EoIP to the Anchor controller where the correct VLAN is selected from an Interface Group on the Anchor?

I have seen examples whereby a VLAN identifier can be "signalled" over an EoIP tunnel for a client (based on a hash), or based on a Foreign controller MAC, but I am trying to discover whether per-user VLAN assignment on the Anchor is possible when the user is authenticated on the Foreign controller.

i think you mean an another foreign as local controller.

traffic tunnelled back to the local (anchor) controller

//It occurs only on L3 roaming on client from local to foreign or foreign wlc statically anchored to local controller.

Is it the case that the dot1x authentication (in our case via EAP-TLS) is performed on the foreign controller, and this implies the foreign controller needs to be a AAA client of the local RADIUS server (and that this L2 Authentication is not tunnelled back in EoIP to the anchor controller)?

//Yes, if  WLAN from foreign is statically anchored to local wlc or any client association from foreign.

Also, if this is the case, and the traffic gets tunnelled back to the anchor controller, will it also perform a 'secondary' RADIUS lookup to determine the dynamic VLAN to assign to the user's session on the anchor controller, as the anchor controller still needs to use the correct VLAN assignment based on local RADIUS attributes?

//Yes.

Is it possible that thus functionality will work with the "VLAN Select", i.e. the user is L2 authenticated on the Foreign controller (with AAA override enabled), and the VLAN information is passed as additional payload in EoIP to the Anchor controller where the correct VLAN is selected from an Interface Group on the Anchor?

//Yes. as long as Vlans on Interface group matches on the WLCs.

I have seen examples whereby a VLAN identifier can be "signalled" over an EoIP tunnel for a client (based on a hash), or based on a Foreign controller MAC, but I am trying to discover whether per-user VLAN assignment on the Anchor is possible when the user is authenticated on the Foreign controller.

//Yes.

Ref

http://www.cisco.com/en/US/products/ps10315/products_tech_note09186a0080bb4900.shtml

http://www.cisco.com/en/US/products/ps10315/products_tech_note09186a0080b78900.shtml?referring_site=smartnavRD

Review Cisco Networking for a $25 gift card