
Mobility Query

jamesjazz
Level 1

I'm looking to publish an SSID from another organisation across our APs. Normally I would do this with a mobility tunnel between both WLCs but it has been suggested that it would be more secure to have an additional WLC acting as an anchor in our DMZ between our WLC and the other organisation's WLC.

Would this work?  Would they just use the same mobility group?

Thanks in advance.

6 Replies

balaji.bandi
Hall of Fame

Yes, that is the best approach if you are doing it externally, rather than exposing your WLC externally (if you have a spare WLC controller).

Or you can do it with NAT, external to internal (if you do not have a spare WLC).

BB

Haydn Andrews
VIP Alumni

Done this many times with hospital wireless to universities.

One thing that you need to determine is whether there is a need for users connected to the other organisation's SSIDs to gain access to your network, or if they just need to be tunnelled to the other organisation.

Have done two methods if the users just need to be tunnelled:

Mobility anchors between the other organisation's WLC and either your local or DMZ WLC.

Or drop off onto a VLAN within a VRF/DMZ and a fibre connection to the other organisation.

If it's just to authenticate the other users via the other organisation's SSID/security, then you could always just point the auth method to the other organisation.


jamesjazz
Level 1

Thank you for the replies.

The DMZ WLC has been set up and I've connected it to the external organisation's WLC using their mobility group name, and I've connected our live WLC to the DMZ WLC using the DMZ WLC's mobility group name. The external organisation's SSID is set up on both the live and DMZ WLCs. The live config points to the DMZ WLC anchor and the DMZ config points to the external organisation's WLC anchor. Does that all sound correct? They use 802.1X authentication, so does the RADIUS request come from our live WLC directly?

The users connected to the other organisation's SSID don't need access to our local network.

Thanks in advance.

Authentication always happens on the foreign controller (the one the AP that the client connects to is joined to), not the anchor controller. Once authentication has passed, the connection to the tunnel is open for that device. The question I have is: if your APs connected to your WLC are broadcasting the other organization's SSID, how are you tunneling that to the other organization?

-Scott
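The point Scott makes above has a concrete consequence for the DMZ design: because 802.1X is processed on the foreign controller, the RADIUS traffic to the other organisation's server originates from the live WLC's management address, not from the DMZ anchor, so the DMZ firewall and the other organisation's RADIUS client list both have to allow for that. The script below is an added illustration, not code from the thread or from Cisco. It models the topology the original poster describes (live WLC, DMZ WLC, external WLC, with each controller listing its peer under the peer's own mobility group name), checks that the peering entries are reciprocal and use the right group names, and lists the firewall flows the design needs. All names and addresses are constructed placeholders from the RFC 5737 documentation ranges; the port numbers are the commonly documented values for CAPWAP-based mobility (UDP 16666 control, UDP 16667 data) and RADIUS (UDP 1812/1813), which should be confirmed against the documentation for the controller software actually deployed. Older EoIP-based AireOS mobility is not modelled.

```python
"""Peering sanity check and firewall-flow list for a DMZ-anchored SSID.

Added example; topology and addresses are constructed placeholders.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumed, commonly documented port numbers; confirm for your platform.
MOBILITY_CONTROL_PORT = "16666"   # UDP, mobility control / keepalives
MOBILITY_DATA_PORT = "16667"      # UDP, CAPWAP-based mobility data tunnel
RADIUS_PORTS = (("1812", "RADIUS authentication"), ("1813", "RADIUS accounting"))


@dataclass(frozen=True)
class Wlc:
    name: str
    mgmt_ip: str
    group: str                            # this controller's own mobility group
    peers: Tuple[Tuple[str, str], ...]    # (peer name, group name it was added under)


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    port: str
    purpose: str


# Constructed topology matching the thread: live -> DMZ -> external.
RADIUS_IP = "203.0.113.20"  # the external organisation's RADIUS server (placeholder)
TOPOLOGY: Dict[str, Wlc] = {
    "live": Wlc("live", "192.0.2.10", "CORP", (("dmz", "DMZ-MG"),)),
    "dmz": Wlc("dmz", "198.51.100.10", "DMZ-MG", (("live", "CORP"), ("external", "EXT-MG"))),
    "external": Wlc("external", "203.0.113.10", "EXT-MG", (("dmz", "DMZ-MG"),)),
}


def check_peering(wlcs: Dict[str, Wlc]) -> List[str]:
    """Return a list of problems; an empty list means the peering entries are consistent.

    Each peer must be listed under the peer's *own* mobility group name, and the
    peer must list this controller back (mobility peering is configured on both ends).
    """
    problems: List[str] = []
    for w in wlcs.values():
        for peer_name, group in w.peers:
            peer = wlcs.get(peer_name)
            if peer is None:
                problems.append(f"{w.name}: peer {peer_name} is not a known controller")
                continue
            if group != peer.group:
                problems.append(
                    f"{w.name}: peer {peer_name} listed in group {group}, "
                    f"but its group is {peer.group}"
                )
            if all(n != w.name for n, _ in peer.peers):
                problems.append(f"{peer.name}: missing reciprocal entry for {w.name}")
    return problems


def required_flows(wlcs: Dict[str, Wlc], foreign_name: str, radius_ip: str) -> List[Flow]:
    """List the flows the firewalls between the controllers must permit.

    Mobility control and data run in both directions between every pair of peers.
    RADIUS is sent only by the foreign controller (the one whose APs the client
    joins), so that controller's management IP must also be a NAS client on the
    RADIUS server.
    """
    flows: List[Flow] = []
    seen = set()
    for w in wlcs.values():
        for peer_name, _ in w.peers:
            pair = frozenset((w.name, peer_name))
            if pair in seen or peer_name not in wlcs:
                continue
            seen.add(pair)
            p = wlcs[peer_name]
            for a, b in ((w, p), (p, w)):
                flows.append(Flow(a.mgmt_ip, b.mgmt_ip, "udp", MOBILITY_CONTROL_PORT,
                                  f"mobility control {a.name}->{b.name}"))
                flows.append(Flow(a.mgmt_ip, b.mgmt_ip, "udp", MOBILITY_DATA_PORT,
                                  f"mobility data {a.name}->{b.name}"))
    foreign = wlcs[foreign_name]
    for port, purpose in RADIUS_PORTS:
        flows.append(Flow(foreign.mgmt_ip, radius_ip, "udp", port, f"{purpose} from foreign WLC"))
    return flows


if __name__ == "__main__":
    for problem in check_peering(TOPOLOGY) or ["peering entries are consistent"]:
        print(problem)
    for f in required_flows(TOPOLOGY, "live", RADIUS_IP):
        print(f"permit {f.proto}/{f.port} {f.src} -> {f.dst}  # {f.purpose}")
```

Running it prints one permit line per required flow; note that no line has the DMZ controller as the source of RADIUS traffic, which is the practical meaning of "authentication happens on the foreign controller". Swapping a group name in `TOPOLOGY` (for example listing `dmz` under `CORP` on the external controller) makes `check_peering` report the mismatch.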

Thanks for the reply and clarification of where the authentication will originate.

The plan is to tunnel the traffic via the WLC in our DMZ and then on to the external organisation's WLC - which I'm hoping is possible?

Thanks.

jamesjazz
Level 1

So, I've been trying to get this working but not having much luck.  The clients are connecting successfully on our main WLC and we can see the successful authentication requests at the external organisation end but the clients don't appear to be getting an IP address.  Initially I was getting errors like "Export anchor required but config is incorrect" so I tried setting the policy on the WLC in the DMZ to be an export anchor and that would clear the error but the client still wouldn't get an IP address.

My thinking is that the DMZ WLC shouldn't be the export anchor and that is the role of the external organisation's WLC but how do I get the DMZ WLC to pass on the mobility traffic to the external organisation's WLC?

Thanks.
