Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2246
Views
0
Helpful
1
Replies

Cisco 2504, internal wlan set to vlan 1 will not authenticate to Radius Server

slwdaw_2
Level 1
Level 1

‎12-22-2011 06:53 AM - edited ‎07-03-2021 09:17 PM

I am getting ready to deploy a Cisco 2504 WLC

I have three wlan interfaces setup on the WLC

management - vlan 50 on port 1

internal - vlan 1 uses radius to authenticate users on port 3

guest - vlan 20 - open with web-auth on port 2

The internal network uses a radius server to authenticate.

When the internal wlan interface is set to vlan 1, it does not communicate to the Radius server.   However if I set the internal wlan interface to vlan10 everything works.    I have checked the logs of the radius server, when it set to vlan1 it doesn't even attempt to communicate with it.

If I set the internal interface on vlan1 not to authenticate to the radius server then it will work.

on the switch

interface Fastethernet0/10

description Connected to the WLC on Port 3

switchport trunk encapsulation dot1q

swichport trunk allowed 1, 20, 50

switchport mode trunk

on the router

interface Fastethernet0/0.1

encapsulation dot1.q 1 native

ip address x.x.x.x x.x.x.x.x

interface Fastethernet0/0.2

description wlan wireless guest network

encapsuluation dot1.q 20

ip address x.x.x.x x.x.x.x

interface Fastethernet0/0.3

description management wlan wlc

encapsuluation dot1.q 50

ip address x.x.x.x x.x.x.x

Any idea why vlan1 will not work correctly?

Labels:
0 Helpful
1 Reply 1

Stephen Rodriguez
Cisco Employee
Cisco Employee

‎12-22-2011 07:20 AM

If you have the vlan set to 1, for interface inside, it will send all the traffic tagged with vlan 1.  On the switch, you have not specified the switchport trunk native vlan, so by default the native is 1.  When a dot1q trunk receives traffic with it's own native vlan set, it will drop the packet.

So you can either change the interface inside to b vlan 0 (untagged), or even better set the switchport trunk native vlan on  f0/10 to be an invalid vlan.  that way if any traffic happens to hit it without a tag, it will get dropped into the bit bucket.

Further, you should not place any server the clients or WLC need to speak with in a subnet the WLC has a dynamic interface for.  The WLC should be sending all of it's requests via the management interface, but if the Server is in a dynamic interfaces range, it will send to the closer match.

HTH,

Steve

----------------------------------------------------------------------------------------------------------

Please remember to rate helpful posts or to mark the question as answered so that it can be found later.

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card