Solved: Same 802.1x SSID On Different WLC...

John.lc · ‎11-27-2023

HI Experts.

We want to deploy two separate wireless networks in two branches. The APs of Site1 and Site2 will broadcast the SSID with the same name, and their authentication methods are also the same (they both use 802.1X as the authentication method and use the same ISE authentication server and AD). In this case, can the client at Site1 directly associate the SSID named employee broadcast by the AP at Site2 when it goes to Site2? And why?
If not, can the above requirements be achieved if I configure a mobility group between two WLCs? (On the Site1 client, when arriving at Site2, it is directly associated with the SSID named employee broadcast by the Site2 AP, without reconfiguring the connection)
Explanation: I know this is a bad design method, I just need to know its principles first. and it's only a temporary approach.

Rasika Nayanajith · ‎11-28-2023

In 802.1X, communication takes place between Supplicant and RADIUS server. So if AP registered to a different WLC does not makes any difference to supplicant 802.1X configuration. It still be able to connect to a AP without any manual configuration on supplicant side.

HTH
Rasika
*** Pls rate all useful responses ***

View solution in original post

Haydn Andrews · ‎11-28-2023

If you are using the same SSID, when the client moves between the sites they will automatically connect, the issue is if the authentication policies are different between the sites then it may not work.

I have the same setup accross 50 sites, same SSID/ Auth method used and the client will just reconnect.

If you are talking about seamless roaming cause both sites are within coverage of each other then you will need to configure mobility between the WLCs

*****Help out other by using the rating system and marking answered questions as "Answered"*****
*** Please rate helpful posts ***

John.lc · ‎11-28-2023

If the client is going from Site1 to Site2 for the first time, does it need to reconfigure the 802.1X authentication configuration of the terminal?

MHM Cisco World · ‎11-28-2023

I will check you need 80.1x ft to make ap exchange key of client in such that when client change ap then it not need any re-auth.

It l2 roaming.

MHM

Rasika Nayanajith · ‎11-28-2023

Once your client device able to connect at one site (ie end device is trust the RADIUS server certs on first use, if you using credentials to connect to Wi-Fi), then that device does not need any other configurations when it goes to 2nd site & associate to Wi-Fi.

HTH
Rasika
*** Pls rate all useful responses ***

John.lc · ‎11-28-2023

I have one more question.
If the original AP of Site1 is moved to the WLC of Site2, will the clients originally associated with Site1 be required to reconfigure client 802.1X authentication? (The client here is mainly for Windows laptop)

Rasika Nayanajith · ‎11-28-2023

In 802.1X, communication takes place between Supplicant and RADIUS server. So if AP registered to a different WLC does not makes any difference to supplicant 802.1X configuration. It still be able to connect to a AP without any manual configuration on supplicant side.

HTH
Rasika
*** Pls rate all useful responses ***

John.lc · ‎11-28-2023

Got it, many thanks.