10-02-2012 03:40 AM - edited 07-03-2021 10:45 PM
We currently have a Guest Wireless LAN using Web Authentication located on a WLC within our DMZ. Is it possible to create an additional Guest Wireless LAN with 802.1x authentication using the local users DB on the WLC within the DMZ? We have 3 additional WLCs located within the corporate infrastructure.
10-02-2012 04:47 AM
Yes, you can. If the SSIDs are going to be the same, then you need to have the profile name different. If you're doing 802.1x with website then no. You can't have a layer 2 encryption defined and also have a layer 3 (WebAuth). You can have multiple WebAuth with different pages too.
Makes sense
10-30-2012 09:45 AM
If I configure an additional SSID and use layer 2 authentication (WPA/WPA2), it appears that the authentication is done on the WLC within the network and not the WLC within the DMZ. I can authenticate using my domain account but not the local account on the DMZ WLC. What am I doing wrong?
10-30-2012 11:32 AM
802.1x + webauth is possible by enabling conditional webauth:
http://www.cisco.com/en/US/docs/wireless/controller/7.0/configuration/guide/c70wlan.html#wp1129600
10-31-2012 02:14 AM
I just want to perform WPA/WPA2 authentication/encryption on another Guest Wireless LAN, though, without Web Authentication. It's this that does not seem possible?
10-31-2012 06:06 AM
Yes, it is possible. L2 encryption is configured on the internal/foreign WLC. On the anchor, map this WLAN to the guest interface.
10-31-2012 07:19 AM
I have configured WPA on both the internal WLC and the WLC in the DMZ. The authentication only seems to occur on the internal WLC and not the WLC in the DMZ. This is the issue I am having.
10-31-2012 08:01 AM
Yes, WPA encryption/decryption happens only on the internal WLC side. Once the client's connecting AP decrypts the packet, it is sent to the anchor via the internal WLC unencrypted. All L2 functions happen at the internal WLC, while L3 functions are handled by the anchor, irrespective of static/dynamic anchor.
10-31-2012 08:08 AM
Simon,
Just to note what Saravanan mentioned, the reason the authentication (layer 2) happens on the internal WLC is that the APs the clients or devices are associating to are connected to the internal WLC, not the Guest WLC. So your layer 2 happens in your internal or foreign WLC and, like Saravanan mentioned, is then tunneled or anchored to the Guest WLC for layer 3 webauth. It is not possible to have the Guest WLC perform the layer 2, if that is what you're trying to accomplish.
Thanks,
Scott
Help out others by using the rating system and marking answered questions as "Answered"
10-31-2012 08:15 AM
Thanks guys. Now all is clear.