
IOS-XE with guest anchor on WLC (AOS based) - web auth parameters

PWJPW
Level 1

Hi Team

 

We have a customer using a Catalyst IOS-XE based switch/controller with a mobility tunnel set up to a traditional WLC (AOS-based) guest anchor for web authentication.

 

Recently, an update to traditional AOS WLC <> AOS WLC (8.5 I believe) introduced new capability for the web authentication redirect whereby the AP MAC address was now visible by the guest anchor and thus passed in the redirect to the external webauth page, i.e. https://my-external-portal.com/splash?switch_url=xxx&ap_mac=11:22:33:44:55:66, whereas prior to this release it wasn't able to determine the AP MAC from the foreign controller.

 

I wanted to ask if there is a way to get this to work when the foreign is based on IOS-XE so that we can determine the AP MAC when it reaches our external webauth page. Or, is there any other way we can know the AP in any of the RADIUS packets that go to our external RADIUS server from the guest anchor, in order to determine the AP or location?

 

Thanks,

 

James


JPavonM
VIP

Adding "aaa_policy" under "wireless profile policy" should do the trick:

wireless aaa policy CWA-AAA-Policy
 nas-id option1 ap-name
 nas-id option2 ap-mac

HTH
-Jesus
*** Please Rate Helpful Responses ***

Hi Jesus,

It is the WLC that performs the RADIUS communication from the guest anchor though? So does this mean that this will pass over the tunnel from the IOS-XE controller to the WLC controller, which can then use it for RADIUS to the external server?

Thanks,

James

When using anchors, the WLAN profile and policy profile must match those on the foreign, so you need to add it in both.

Take into consideration that authentication and authorization are performed between the foreign controller and the RADIUS server. But accounting is done between foreign and RADIUS after authorization, and anchor and RADIUS once in Run state.

HTH
-Jesus
*** Please Rate Helpful Responses ***

Hi Jesus.

That doesn't seem to be the case, we're seeing both authentication and accounting packets always come from the guest anchor controller, not the foreign... Remember also that we are using a WLC (AireOS) for the anchor, and Catalyst (IOS-XE) for the foreign.

Thanks

Hi Jesus

Any thoughts on this one?

Thanks

James
