09-09-2024 12:32 AM
Good day Cisco community.
I want to extend a partner's corporate WiFi to our premises by creating an SSID on our Cisco WLC and tunnelling the traffic over the Internet to the partner's remote RADIUS server. Our partner is using Ruckus network gear. How best can this be achieved? Is GRE tunneling possible, with IPsec on top? Are there any configurations to be made on our Cisco firewall as well? Any configuration guidance will be appreciated.
09-09-2024 12:39 AM
GRE is used only to override some routing issues.
IPsec, on the other hand, is perfect to connect the NAD to RADIUS because it is secure, which GRE is not.
You want to run a tunnel between the WLC and AAA.
MHM
09-09-2024 04:20 AM
Thank you. My follow-up question is whether to define the IPsec VPN connection at my firewall level, or is this best done on the WLC level?
09-09-2024 04:38 AM
FW, sure. I don't think the WLC can run IPsec directly to the server.
On the FW you need to use a policy-based VPN and specify the host mgmt IP in the ACL of the IPsec.
MHM
09-09-2024 01:52 AM
- You don't tunnel an SSID towards a RADIUS server; the only thing that (can) happen(s) is that you define 802.1x security with RADIUS for the particular SSID/WLAN. Then you must make sure that the RADIUS servers defined on the WLC can be reached by the WLC over the networking infrastructure.
'That's it'
M.
09-09-2024 04:28 AM
Thanks @marce1000. Since the RADIUS server is remote (over the Internet), is it possible to define an IPsec VPN directly from the WLC towards the RADIUS server, or can this best be done by having the VPN on firewall level?
09-09-2024 04:36 AM
>...is it possible to define an IPsec VPN directly from the WLC towards the RADIUS server, or can this best be done by having the VPN on firewall level?
- As you are already saying: you can't set up an IPsec VPN directly on the WLC. It must be done at perimeter equipment such as the firewall or a router (indeed). Afterwards you must test if the intended RADIUS server becomes reachable from the WLC.
M.