02-04-2014 07:06 AM - edited 07-05-2021 12:05 AM
I currently have 2500 series WLCs. Our wireless network is completely separate from our internal network, keeping the WLC from talking to any internal servers. The company would like to start using AD (LDAP authentication) for end users while still keeping the APs on a completely separate network. Since the 2500 series does not support a "service port", is there any way to move the management port out-of-band with no access to APs and just use the other ports for AP management?
02-04-2014 07:27 AM
I haven't had my morning coffee... but let me give this a shot.
I am going to say no. The management interface is needed for APs to join. If you isolate this interface, no APs can join. Even if AP managers are used, the AP requires to touch the management interface when booting up.
__________________________________________________________________________________________
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
__________________________________________________________________________________________
"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."
__________________________________________________
"I'm like bacon, I make your wireless better"
02-04-2014 07:29 AM
George, I have the same opinion as you. I'm hoping I'm wrong.
Thanks!!
Brian
02-04-2014 10:44 AM
George is right (even without his morning coffee).
You cannot isolate the management IP from the AP. In this WLC model you have to live with in-band management.
HTH
Rasika
**** Pls rate all useful responses ****
02-04-2014 10:51 AM
Agree with Rasika and George.
The APs will need connectivity to the management interface. The management interface is the default interface for in-band management of the controller.
Regards
Don't forget to rate helpful posts
02-04-2014 12:26 PM
Wow... you are like the third person I have heard wanting to do this... the other two were my customers :) The only way we achieved this was to move the WLC and APs into the DMZ and open the FW to allow RADIUS traffic to and from the WLC and RADIUS server. They had layer 2 VLANs created on each closet that they didn't route, terminated in the DMZ. My other client had two separate infrastructures... don't ask why.... I would never design it this way if it was my choice.
Thanks,
Scott
Help out others by using the rating system and marking answered questions as "Answered"
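Scott's DMZ design above, expressed as an added example firewall policy (not Scott's, the original poster's, or Cisco's own configuration): an ASA-style ACL on the DMZ interface that permits only RADIUS authentication and accounting (UDP 1812/1813) from the WLC management address to the internal RADIUS server and logs everything else. The addresses, object names and ACL name are placeholders; the closet AP VLANs are assumed, as Scott describes, to be extended at layer 2 into the DMZ so CAPWAP never crosses the firewall.

```cisco
! Added example, not from the thread. Placeholder (documentation-range) addresses:
!   WLC management interface:  203.0.113.10  (DMZ side)
!   Internal RADIUS server:    192.0.2.20    (inside)
object network WLC_MGMT
 host 203.0.113.10
object network RADIUS_SRV
 host 192.0.2.20
!
! Only RADIUS authentication (1812) and accounting (1813) may leave the DMZ
! toward the inside, and only from the WLC management address.
access-list DMZ_TO_INSIDE extended permit udp object WLC_MGMT object RADIUS_SRV eq 1812
access-list DMZ_TO_INSIDE extended permit udp object WLC_MGMT object RADIUS_SRV eq 1813
! Everything else originating in the DMZ (including any attempt by the WLC or an AP
! to reach other internal hosts) is dropped and logged.
access-list DMZ_TO_INSIDE extended deny ip any any log
access-group DMZ_TO_INSIDE in interface dmz
```

The ASA is stateful, so RADIUS replies return to the WLC without an explicit inside-to-DMZ rule; the deny line also blocks the in-band management interface from reaching the rest of the internal network, which is what the design is trying to achieve.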