4207 Views · 5 Helpful · 4 Replies

Which interface/network is used for AAA RADIUS in 9800-CL WLC

Ufuk 57
Level 1

Hello together, I'm currently making a PoC with the 9800 controllers at the customer.

Which way/interface/network is used for the RADIUS authentication on the 9800-CL?

I have two 9800-CL under VMware in AP SSO mode, and the interfaces are configured:

  • GigabitEthernet 1
    -> Device Management interface: map it to the out-of-band management network.
    -> assigned an IP to this interface, not switchport
    -> IP assignment was over the VMware OVA deployment wizard

  • GigabitEthernet 2
    -> Wireless Management interface: map it to your network to reach APs and services. Usually this interface is a trunk to carry multiple VLANs
    -> it's a trunk port and the VLANs are assigned
    -> VLAN interface 98 is my mgmt for wireless mgmt

  • GigabitEthernet 3
    -> High Availability interface: map it to a separated network for peer-to-peer communication for SSO
    -> it works..

I saw in the NPS server that the request comes from the gig1 IP address, then sometimes from the VLAN-interface-wireless-mgmt IP, and in the HA scenario with the gig1 IP address from the standby unit.

The default route is on the interface with the VLAN-wireless-mgmt IP, and I can also reach the NPS server via ping.

Is it possible to fix the "way" for RADIUS requests?

Thanks

2 Accepted Solutions



I've found the issue, so I think it is a little bug..

In my case, I've two interfaces with IP addresses.. one of them is assigned to Gig1 (out-of-band mgmt, tip from the deployment guide) and the other is on VLAN 98 (that's for my AP mgmt).

With the startup deployment wizard on VMware, there is a question about routing for the out-of-band management.

I had entered 0.0.0.0 and this makes a route 0.0.0.0 0.0.0.0 etc. in the config over the interface gig1.
But my main mgmt is int vlan 98, so I've set a second route entry with a lower metric.. the route over gig1 has a higher metric.

In this constellation all works fine until a switch-failover of the WLCs happens.

-> At this time, the switchover clears my metrics and the WLC makes requests to the RADIUS server over gig1. My RADIUS server does not know the gig1 IP, so it will be denied and that was my issue.

My workaround for now is to delete the second default route from gig1..


rmfalconer
Level 1

You could also put Gig1 in a separate vrf so that it can have its own routing table. All the management traffic, tacacs/snmp/ntp/ssl/ssh is configured to use that interface so it's separate from wireless traffic. That keeps you from having multiple default routes in the global table.

You can also define the radius source interface with the entry 'ip radius source-interface xxx'. 

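The two suggestions above (a separate VRF for Gig1 and a pinned RADIUS source interface), written out as an added IOS-XE configuration example; this is not the configuration of either poster, nor text from a Cisco deployment guide. It shows the "before" state the thread describes, two default routes in the global routing table, and then the "after" state: Gig1 in its own VRF with its own default route, a single global default route via the wireless management SVI, and the RADIUS source interface fixed so the NAS-IP that NPS sees does not change after an SSO switchover. The VRF name Mgmt-vrf, the interface and server addresses, the server group name NPS-GROUP and the shared-secret placeholder are all assumed values; the commands themselves (vrf definition, vrf forwarding, ip route vrf, wireless management interface, radius server, aaa group server radius, ip radius source-interface, test aaa group) are standard IOS-XE.

```cisco
! ===== Before (the situation described in the thread) =====
! Two default routes in the global table. The trailing number on "ip route"
! is the administrative distance. The RADIUS request is sourced from whichever
! path is active, so once the Gig1 route wins (e.g. after a switchover) the
! NAS-IP seen by NPS becomes the Gig1 address, which NPS does not know.
ip route 0.0.0.0 0.0.0.0 10.98.0.1
ip route 0.0.0.0 0.0.0.0 192.0.2.1 200

! ===== After: Gig1 in its own VRF, one global default, pinned RADIUS source =====
! Assumed VRF name; on 9800 appliances the out-of-band port already lives in a
! management VRF, on the 9800-CL you create it yourself.
vrf definition Mgmt-vrf
 address-family ipv4
 exit-address-family
!
! "vrf forwarding" removes any IP address already on the interface,
! so set the VRF first and then (re-)apply the address.
interface GigabitEthernet1
 vrf forwarding Mgmt-vrf
 ip address 192.0.2.10 255.255.255.0
 no shutdown
!
! Out-of-band management gets its default route inside the VRF only;
! it no longer competes with the wireless management path.
ip route vrf Mgmt-vrf 0.0.0.0 0.0.0.0 192.0.2.1
!
! Wireless management SVI (assumed address) keeps the single global default route.
interface Vlan98
 ip address 10.98.0.10 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 10.98.0.1
wireless management interface Vlan98
!
! RADIUS server (assumed address) and group. The source-interface line fixes
! the NAS-IP to 10.98.0.10; that is the one address to register as a RADIUS
! client on NPS. Replace the key placeholder with the real shared secret.
radius server NPS
 address ipv4 10.10.10.5 auth-port 1812 acct-port 1813
 key <shared-secret-placeholder>
!
aaa group server radius NPS-GROUP
 server name NPS
 ip radius source-interface Vlan98
!
! ===== Verification =====
! Exactly one default route per table:
!   show ip route 0.0.0.0
!   show ip route vrf Mgmt-vrf 0.0.0.0
! A test request, sourced from Vlan98, with a throwaway test account:
!   test aaa group NPS-GROUP testuser testpass new-code
```

The running configuration is synchronised to the standby unit in SSO, so the VRF and the source-interface setting survive a switchover; after a failover, repeat the two `show ip route` checks on the new active controller and confirm on NPS that the request still arrives from 10.98.0.10 before trusting the change.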

4 Replies

Hi,

On the WLAN which you have configured, see whether the *Radius server overwrite interface* is enabled or disabled.

If that is enabled, the RADIUS traffic will be via the interface IP address which is mapped to that WLAN. For example: if you have configured VLAN 98 with IP 10.1.10.10 for that specific WLAN and you have enabled the Radius server overwrite interface option, then in this scenario the interface IP 10.1.10.10 will be the NAS IP address.

If that is disabled, then the traffic will be through the management interface of the WLC.

Refer: Radius server overwrite interface

Regards,
Sathiyanarayanan Ravindran

Please rate the post and accept as solution, if my response satisfied your question :)

Hmm.. sounds interesting and is a nice tip.

As soon as I am at the customer, I will test it.

Under Policy Profile > the option "Allow AAA Override" is not set.

The only thing is, under Policy Profile > AAA > Policy Name > a policy is set.

In this policy, in Option 1 normally only "System Name" is set. In my case "SSID" is set in this option.

Maybe that's my problem?!



