Wism client authentication

stuart.reid
Level 1

Hi,

Does anyone know if it is possible to change the source address for aaa authentication requests leaving Wism to the server ? I need to have these requests leave from an address not on the same subnet as the management or ap management interfaces.

Stu

7 Replies

Stephen Rodriguez
Cisco Employee

So far as I know there is no way to do this. All requests will come from the management address. But what are you looking to do that you need it from another address?


HTH,
Steve


Hi Stephen, thanks for your consideration in this.

We have to monitor and manage the Wi-Fi network on a particular subnet due to global firewall rules and routing. At a particular site, client authentication is by X.509 certificates installed on the client laptops, and we need to authenticate on a server from a different subnet than the management network.

So I guess we want to access the WLC on two different subnets: one for pure management and only management, the other for user traffic and user authentication. But I see Cisco recommend the AP manager and management IP be on the same subnet, so I need to find out whether there is a way to have a second routed interface other than the management or AP manager interfaces.

Stu

So what you need to do is create a dynamic interface for the VLAN you want the clients on. This will put them in a different VLAN than the management, and allow you to apply rules for what they can access.


HTH,
Steve

Hi again Stephen,

Isn't the first hop for the client authentication sourced from the management interface? I.e. the client authentication is received on the WLC on the dynamic interface, but then the authentication request is sent out of the management interface towards the authentication server?

Stu

I have some more concise wording:

"The management interface is the default interface for in-band management of the controller and connectivity to enterprise services such as AAA server. If the service port is in use, the management interface must be on a different subnet than the service port."

From: Configuring a Cisco Wireless Services Module and Wireless Control System

Is it possible to change the default interface used for AAA to a different interface, so I can have a separate layer 3 interface used to connect to the enterprise?

Stu

No. The WLC will always use the management interface for the AAA packets. But this does not mean you can't have a separate dynamic interface for the users. If you absolutely have to physically connect to different ports, this can be done as well; you just can't use LAG and need to specify which port the interface is going to be mapped to. Otherwise you just need to create dynamic interfaces for the users and allow those VLANs on the port from the switch.


HTH,
Steve

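A way to confirm the behaviour Steve describes (every AAA request leaves the WLC from the management address, never from a client dynamic interface) against the RADIUS server's own log, so the firewall rule between the WLC and the server can be scoped to that one source. This is an added example, not code from the thread or from Cisco; the log wording, the management IP 10.10.1.5, the client subnet 10.20.0.0/16 and the server IP are all constructed.

```python
import ipaddress
import re

# Constructed sample lines in FreeRADIUS-style wording (not a real capture).
# Request 19 is deliberately sourced from the client VLAN to show the check firing.
SAMPLE_LOG = """\
Received Access-Request Id 17 from 10.10.1.5:32770 to 10.50.0.20:1812 length 214
Received Access-Request Id 18 from 10.10.1.5:32770 to 10.50.0.20:1812 length 198
Received Access-Request Id 19 from 10.20.5.3:1645 to 10.50.0.20:1812 length 201
Ready to process requests
"""

LINE_RE = re.compile(r"Received Access-Request Id (\d+) from (\S+):\d+ to (\S+):(\d+)")


def audit_aaa_sources(log_text, management_ip, client_subnets):
    """Classify each Access-Request by source address.

    management_ip  : the WLC management interface address (expected source).
    client_subnets : dynamic-interface subnets where user traffic lives; an AAA
                     request sourced from one of these contradicts the WLC
                     behaviour described above and means the firewall rule
                     written for the management address will not match it.
    Returns counts plus (request id, source) tuples for anything unexpected.
    """
    mgmt = ipaddress.ip_address(management_ip)
    nets = [ipaddress.ip_network(n) for n in client_subnets]
    report = {"from_management": 0, "from_client_subnet": [], "unexpected": []}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not an Access-Request line
        req_id, src = int(m.group(1)), ipaddress.ip_address(m.group(2))
        if src == mgmt:
            report["from_management"] += 1
        elif any(src in n for n in nets):
            report["from_client_subnet"].append((req_id, str(src)))
        else:
            report["unexpected"].append((req_id, str(src)))
    return report


def firewall_rule_ok(report):
    """True when a single allow rule (management IP -> server) covers every request."""
    return not report["from_client_subnet"] and not report["unexpected"]


if __name__ == "__main__":
    r = audit_aaa_sources(SAMPLE_LOG, "10.10.1.5", ["10.20.0.0/16"])
    print(r, "single-source rule sufficient:", firewall_rule_ok(r))
```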

This seems like the solution we require, thank you.

Stu
