Buy or Renew
Buy or Renew
Cisco Virtual Engineer generative AI bot now active in Wireless Discussion Forum. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3759
Views
0
Helpful
5
Replies

Remote anchor and 802.1x

Go to solution
ibrunello
Level 1
Level 1

‎08-05-2011 03:01 AM - edited ‎07-03-2021 08:31 PM

Hi all,

I've been involved into a new project between us and another department.

We've been asked to make the other department SSIDs available in our wireless infrastructure.

Both Depts run Cisco unified wireless, each one has separate Mobility group and manages its own controllers and authentication domain.

We though at first to use the mobility anchor approach.

But:

- each Dept use 802.1x authentication for it's own SSIDs.

- as far as I saw, I cannot delegate 802.1x authentication to anchor controller. Local L2 access should be granted before tunneling.

Can somebody confirm/correct my assumption?

If the above assumption are correct, I only see two alternatives:

- change authentication to L3 (e.g. Web auth)

- create WLANs on my WLCs, enable 802.1x, and point to the other department's RADIUS servers

Are there other alternative?

Thank you

Ivan

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
pcroak
Cisco Employee
Cisco Employee

‎08-05-2011 04:47 PM

Hi Ivan,

Your assumption is correct. L2 authentication occurs at the local WLC, and L3 authentication will occur at the Anchor WLC.

If you want to use 802.1x and anchor the clients, the local WLCs will need to be able to communicate with the other department's RADIUS server(s). You can add their servers to the WLC configuration and specify the proper one on the WLAN configuration using AAA override.

You could also consider using web-authentication like you mentioned. In that case the anchor controller could validate the credentials against the already configured RADIUS servers for that department.

Thanks,

Patrick Croak

Wireless TAC

View solution in original post

0 Helpful
5 Replies 5

Go to solution
pcroak
Cisco Employee
Cisco Employee

‎08-05-2011 04:47 PM

Hi Ivan,

Your assumption is correct. L2 authentication occurs at the local WLC, and L3 authentication will occur at the Anchor WLC.

If you want to use 802.1x and anchor the clients, the local WLCs will need to be able to communicate with the other department's RADIUS server(s). You can add their servers to the WLC configuration and specify the proper one on the WLAN configuration using AAA override.

You could also consider using web-authentication like you mentioned. In that case the anchor controller could validate the credentials against the already configured RADIUS servers for that department.

Thanks,

Patrick Croak

Wireless TAC

0 Helpful

Go to solution
ibrunello
Level 1
Level 1
In response to pcroak

‎08-08-2011 02:46 AM

We would do as follows:

- Our WLCs will connect to foreign RADIUS to allow L2 auth.

- The shared SSID will then be anchored to remote WLCs to allow L3 handling by other Dept.

Should it work?

TIA

Ivan

0 Helpful

Go to solution
pcroak
Cisco Employee
Cisco Employee
In response to ibrunello

‎08-08-2011 07:40 AM

Hi Ivan,

Assuming that you have mobility groups properly defined and the anchor configuration is correct, yes, this scenario should work for you.

The clients with be authenticated to the respective RADIUS server, and then after receiving an access-accept, we would tunnel the traffic to the anchor WLC.

From there, the client would get an IP address from the anchored WLC, which should be the other department as desired.

-Patrick

0 Helpful

Go to solution
ibrunello
Level 1
Level 1
In response to ibrunello

‎08-08-2011 07:45 AM

Thank you Patrick,

Now it's a bit clearer.

kind regards

Ivan

0 Helpful

Go to solution
stefan.angerer
Level 1
Level 1

‎08-06-2011 04:21 AM

You could also think of sending all request to your "local" RADIUS server and using RADIUS proxy if needed.

E.g. user domain1\user will be authenticated locally on RADIUS server 1, while requests of domain2\user will be forwarded from server 1 to server 2 (and vice versa).

Of course it really depends on your infrastructure if that would make sense for you.

Regards

Stefan

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card