
Guest Wireless LAN - 802.1x local database

simon.bentley
Level 1

We currently have a Guest Wireless LAN using Web Authentication located on a WLC within our DMZ. Is it possible to create an additional Guest Wireless LAN with 802.1x authentication using the local users DB on the WLC within the DMZ? We have 3 additional WLCs located within the corporate infrastructure.


Scott Fella
Hall of Fame

Yes, you can. If the SSIDs are going to be the same, then you need to have the profile name different. If you're doing 802.1x with website then no. You can't have a layer 2 encryption defined and also have a layer 3 (WebAuth). You can have multiple WebAuth with different pages too.

Makes sense


-Scott

If I configure an additional SSID and use layer 2 authentication (WPA/WPA2), it appears that the authentication is done on the WLC within the network and not the WLC within the DMZ; I can authenticate using my domain account but not the local account on the DMZ WLC. What am I doing wrong?

Saravanan Lakshmanan
Cisco Employee

I just want to perform WPA/WPA2 authentication/encryption on another Guest Wireless LAN though without Web Authentication, is it this that does not seem possible?

Yes, it is possible. L2 encryption is configured on the internal/foreign WLC. On the anchor, map this WLAN to the guest interface.

I have configured WPA on both the internal WLC and the WLC in the DMZ, the authentication only seems to occur on the internal WLC and not the WLC in the DMZ. This is the issue I am having.

Yes, WPA encryption/decryption happens only on the internal WLC side. Once the AP the client connects to decrypts the packet, it is sent to the anchor via the internal WLC unencrypted. All L2 functions happen at the internal while L3 functions are handled by the anchor, irrespective of static/dynamic anchor.

Scott Fella
Hall of Fame

Simon,

Just to note what Saravanan mentioned, the reason the authentication (layer 2) happens on the internal WLC is that the APs the clients or devices are associating to are connected to the internal WLC, not the Guest WLC. So your layer 2 happens in your internal or foreign WLC and, like Saravanan mentioned, is then tunneled or anchored to the Guest WLC for layer 3 webauth. It is not possible to have the Guest WLC perform the layer 2 if that is what you're trying to accomplish.

Thanks,

Scott


Thanks guys. Now all is clear.
