Authentication part in Foreign/Anchor

oldxebex
Level 1

Hi,

We have a foreign/anchor setup for an SSID with the 802.1X method. Our anchor is in the DMZ zone. I just wanted to know if the authentication part will be taken care of by the anchor or the foreign.

6 Replies

Scott Fella
Hall of Fame

That would happen on the anchor.  Open or PSK would happen on the foreign.  Just keep in mind during your design if that is really something you want to anchor or not.  Might just cause more issues in the long run to troubleshoot.

-Scott
*** Please rate helpful posts ***

Saikat Nandy
Cisco Employee

Dot1x is layer 2 security. So if you have an Anchor-Foreign setup and a layer 2 SSID, the foreign controller will take care of the authentication part.

@Saikat Nandy you are right.... it does happen on the foreign controller.  

-Scott
*** Please rate helpful posts ***

Rule of thumb:

1. Anchor-Foreign setup and layer 2 SSID - Foreign will take care of the Auth part.
2. Anchor-Foreign setup and layer 3 SSID - Anchor will take care of the Auth part.
3. Anchor-Foreign setup and be it layer2/3 SSID, IP address assignment will always be done from Anchor side.

There is one guest SSID too which has the PSK + CWA setup; as you said, layer 3 will happen through the anchor. Since the redirection URL was pushed by ISE, and on that I was able to see that the NAS device was the foreign, my guess was that IP addressing happens through the anchor but the authentication part happens on the foreign, which then leaves the rest of the things to the anchor.

@oldxebex These things are best to "try it" and really see for yourself.  You already have a foreign and anchor setup, so you can just create a new TEST SSID on both and start with an open SSID and see how things work, then move to a PSK with different PSK entries on the foreign and anchor to see which one works.  That can help you understand where the auth is happening.  You can also do this with 802.1X by looking at the ISE logs, as the NAD would show in the logs; this even works if you are using iPSK with ISE.

Also test when the mobility breaks between the two so you know what happens.  Testing always helps, because this allows you to also understand how identical the WLAN configuration needs to be between the foreign and anchor before it breaks.

-Scott
*** Please rate helpful posts ***
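Scott's test above comes down to reading the ISE logs and seeing which controller shows up as the NAD; Saikat's rule of thumb says which one it should be. The following is an added example (not code from the thread, Cisco or ISE) that parses constructed ISE-style authentication records, maps NAS-IP-Address to the foreign or anchor role, and flags any SSID where the authenticating controller does not match the rule of thumb. The controller IPs, SSID names, message codes and the key=value log layout are all assumptions made for the example.

```python
import re

# Mobility role of each controller (constructed sample IPs, not from the thread).
CONTROLLER_ROLE = {
    "10.10.1.5": "foreign",   # campus WLC
    "192.0.2.10": "anchor",   # DMZ anchor WLC
}

# Rule of thumb from the thread: L2 security (open/PSK/802.1X) authenticates on the
# foreign, L3 security (web auth / CWA) authenticates on the anchor.
EXPECTED_AUTHENTICATOR = {"dot1x": "foreign", "psk": "foreign", "cwa": "anchor"}

# Constructed ISE-style records (layout is an assumption, not real ISE output).
# The last line is deliberately "wrong": 802.1X showing up with the anchor as NAD.
SAMPLE_LOGS = """\
5200 NOTICE Passed-Authentication: UserName=alice, NAS-IP-Address=10.10.1.5, Called-Station-ID=aa-bb-cc-dd-ee-01:CORP-8021X, AuthenticationMethod=dot1x
5200 NOTICE Passed-Authentication: UserName=bob, NAS-IP-Address=10.10.1.5, Called-Station-ID=aa-bb-cc-dd-ee-02:GUEST-PSK, AuthenticationMethod=psk
5200 NOTICE Passed-Authentication: UserName=guest1, NAS-IP-Address=192.0.2.10, Called-Station-ID=aa-bb-cc-dd-ee-02:GUEST-PSK, AuthenticationMethod=cwa
5200 NOTICE Passed-Authentication: UserName=carol, NAS-IP-Address=192.0.2.10, Called-Station-ID=aa-bb-cc-dd-ee-03:LAB-8021X, AuthenticationMethod=dot1x
"""

FIELD_RE = re.compile(r"(NAS-IP-Address|Called-Station-ID|AuthenticationMethod)=([^,\s]+)")


def parse_record(line):
    """Pull NAS IP, SSID (suffix of Called-Station-ID) and method out of one record."""
    fields = dict(FIELD_RE.findall(line))
    ssid = fields["Called-Station-ID"].split(":", 1)[1]
    return {"nas": fields["NAS-IP-Address"], "ssid": ssid, "method": fields["AuthenticationMethod"]}


def classify(logs, roles=CONTROLLER_ROLE, expected=EXPECTED_AUTHENTICATOR):
    """Map (ssid, method) -> (role of the controller that acted as NAD, matches rule of thumb)."""
    result = {}
    for line in logs.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        role = roles.get(rec["nas"], "unknown")
        result[(rec["ssid"], rec["method"])] = (role, role == expected.get(rec["method"]))
    return result


if __name__ == "__main__":
    for (ssid, method), (role, ok) in classify(SAMPLE_LOGS).items():
        print(f"{ssid:12} {method:6} authenticated on {role:8} {'OK' if ok else 'UNEXPECTED'}")
```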