cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
4080
Views
0
Helpful
5
Replies

Remote anchor and 802.1x

ibrunello
Level 1
Level 1

Hi all,

I've been involved into a new project between us and another department.

We've been asked to make the other department SSIDs available in our wireless infrastructure.

Both Depts run Cisco unified wireless, each one has separate Mobility group and manages its own controllers and authentication domain.

We though at first to use the mobility anchor approach.

But:

- each Dept use 802.1x authentication for it's own SSIDs.

- as far as I saw, I cannot delegate 802.1x authentication to anchor controller. Local L2 access should be granted before tunneling.

Can somebody confirm/correct my assumption?

If the above assumption are correct, I only see two alternatives:

- change authentication to L3 (e.g. Web auth)

- create WLANs on my WLCs, enable 802.1x, and point to the other department's RADIUS servers

Are there other alternative?

Thank you

Ivan

1 Accepted Solution

Accepted Solutions

pcroak
Cisco Employee
Cisco Employee

Hi Ivan,

Your assumption is correct. L2 authentication occurs at the local WLC, and L3 authentication will occur at the Anchor WLC.

If you want to use 802.1x and anchor the clients, the local WLCs will need to be able to communicate with the other department's RADIUS server(s). You can add their servers to the WLC configuration and specify the proper one on the WLAN configuration using AAA override.

You could also consider using web-authentication like you mentioned. In that case the anchor controller could validate the credentials against the already configured RADIUS servers for that department.

Thanks,

Patrick Croak

Wireless TAC

View solution in original post

5 Replies 5

pcroak
Cisco Employee
Cisco Employee

Hi Ivan,

Your assumption is correct. L2 authentication occurs at the local WLC, and L3 authentication will occur at the Anchor WLC.

If you want to use 802.1x and anchor the clients, the local WLCs will need to be able to communicate with the other department's RADIUS server(s). You can add their servers to the WLC configuration and specify the proper one on the WLAN configuration using AAA override.

You could also consider using web-authentication like you mentioned. In that case the anchor controller could validate the credentials against the already configured RADIUS servers for that department.

Thanks,

Patrick Croak

Wireless TAC

We would do as follows:

- Our WLCs will connect to foreign RADIUS to allow L2 auth.

- The shared SSID will then be anchored to remote WLCs to allow L3 handling by other Dept.

Should it work?

TIA

Ivan

Hi Ivan,

Assuming that you have mobility groups properly defined and the anchor configuration is correct, yes, this scenario should work for you.

The clients with be authenticated to the respective RADIUS server, and then after receiving an access-accept, we would tunnel the traffic to the anchor WLC.

From there, the client would get an IP address from the anchored WLC, which should be the other department as desired.

-Patrick

Thank you Patrick,

Now it's a bit clearer.

kind regards

Ivan

stefan.angerer
Level 1
Level 1

You could also think of sending all request to your "local" RADIUS server and using RADIUS proxy if needed.

E.g. user domain1\user will be authenticated locally on RADIUS server 1, while requests of domain2\user will be forwarded from server 1 to server 2 (and vice versa).

Of course it really depends on your infrastructure if that would make sense for you.

Regards

Stefan

Review Cisco Networking for a $25 gift card