05-24-2019 06:39 AM - edited 07-05-2021 10:27 AM
Hello together, I'm currently making a PoC with the 9800 controllers at the customer.
Which way/interface/network is used for the RADIUS authentication at the 9800-CL?
I have two 9800-cl under vmware in APSSO mode and the interfaces are configured:
GigabitEthernet 1
-> Device Management interface: map it to the out of band management network.
-> assigned an IP to this interface, not switchport
-> IP assignment was over the VMware OVA deployment wizard
GigabitEthernet 2
-> Wireless Management interface: map it to your network to reach APs and services. Usually this interface is a trunk to carry multiple vlans
-> it's a trunk port and the vlans are assigned
-> vlan interface 98 is my mgmt for wireless mgmt
GigabitEthernet 3
-> High Availability interface: map it to a separate network for peer-to-peer communication for SSO
-> it works.
I have seen in the NPS server that the request comes from the Gig1 IP address, then sometimes from the vlan-interface-wireless-mgmt IP, and in the HA scenario with the Gig1 IP address from the standby unit.
The default route is on the interface with the vlan-wireless-mgmt IP, and I can also reach the NPS server via ping.
Is it possible to fix the "way" for RADIUS requests?
Thanks
05-28-2019 07:14 AM
10-04-2019 08:35 AM
You could also put Gig1 in a separate vrf so that it can have its own routing table. All the management traffic, tacacs/snmp/ntp/ssl/ssh is configured to use that interface so it's separate from wireless traffic. That keeps you from having multiple default routes in the global table.
You can also define the radius source interface with the entry 'ip radius source-interface xxx'.
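As an added example (not from this thread) of the two suggestions above on IOS-XE: GigabitEthernet1 goes into its own VRF with its own default route, and the RADIUS server group is bound to that VRF and source interface, so NPS always sees the same NAS source address (the one it has the shared secret registered for). The VRF name, addresses and server name are assumed values; the shared secret is a placeholder.

```cisco
! Added example, not the thread author's configuration.
! Assumed: VRF Mgmt-vrf, OOB network 192.0.2.0/24, NPS at 198.51.100.10.
vrf definition Mgmt-vrf
 address-family ipv4
 exit-address-family
!
interface GigabitEthernet1
 description Out-of-band device management
 vrf forwarding Mgmt-vrf
 ip address 192.0.2.11 255.255.255.0
 no shutdown
!
! Default route for management traffic lives inside the VRF, so the global
! table keeps only the default route via the wireless management VLAN.
ip route vrf Mgmt-vrf 0.0.0.0 0.0.0.0 192.0.2.1
!
radius server NPS-1
 address ipv4 198.51.100.10 auth-port 1812 acct-port 1813
 key SHARED-SECRET-PLACEHOLDER
!
aaa new-model
aaa group server radius NPS-GROUP
 server name NPS-1
 ip vrf forwarding Mgmt-vrf
 ip radius source-interface GigabitEthernet1
```

Check the result with `show ip route vrf Mgmt-vrf` and `test aaa group NPS-GROUP <user> <password> new-code`, and confirm on NPS that the accepted request arrives from 192.0.2.11.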
05-24-2019 12:45 PM
Hi,
On the WLAN which you have configured, see whether the *Radius server overwrite interface* is enabled or disabled.
If that is enabled, the RADIUS traffic will be via the interface IP address which is mapped to that WLAN. For example: if you have configured VLAN 98 with IP 10.1.10.10 for that specific WLAN, and then you have enabled the Radius server overwrite interface option, the interface IP 10.1.10.10 will be the NAS IP address in this scenario.
If that is disabled, then the traffic will be through the management interface of the WLC.
Refer: Radius server overwrite interface
05-27-2019 05:32 AM