cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1196
Views
3
Helpful
4
Replies

WLAN anchoring not working for BYOD and ISE?

Mats Nilson
Level 1
Level 1

Anyone set up 802.1x authenication (Radius/ISE) in lieu with wlan anchoring and got it working?

Looking in the docs doesn't give much clues why this fails, but web-auth and achoring works excellent on another wlan.

We need to move all BYOD devices to the datacenter for termination, so using anchoring would solve all our needs.

And yes, all interfaces and security settings are identical on all wlc's. The s/w is 7.0.116 and all controllers are 5508's

Isn't 802.1x and anchoring supported?

BTW - looking on the debug outputs it seems that the remote controllers do initiate radius auth instead of the anchor controller.

Any ideas?

Sincere Regards

/Mats

2 Accepted Solutions

Accepted Solutions

wififofum
Level 4
Level 4

Mats,

This may be "expected behavior." I believe the 802.1x process usually occurs on the controller handling the client association. Webauth might technically be a post-dot1x process (open auth), and therefore can be handed off to the remote controller. Have you moved an AP directly to the remote to verify dot1x works there?


Sent from Cisco Technical Support Android App

View solution in original post

You are correct, L2 security is done at the 'foreign' controller.  So authenticaiton has to happen prior to the user getting 'anchored'

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered

View solution in original post

4 Replies 4

Mats Nilson
Level 1
Level 1

I was hoping that I did't have to open a TAC case regarding this issue.

Since the setup is very simple - a SSID with wpa2/aes and 802.1x and tied to a interface present and active an well as specific radius server for auth on both remote and anchor controller. The tunnel is up between remote and anchor. The anchor also terminates an SSID with web auth that works fine. Why doesn't this work?

Best Regards

Mats Nilson

wififofum
Level 4
Level 4

Mats,

This may be "expected behavior." I believe the 802.1x process usually occurs on the controller handling the client association. Webauth might technically be a post-dot1x process (open auth), and therefore can be handed off to the remote controller. Have you moved an AP directly to the remote to verify dot1x works there?


Sent from Cisco Technical Support Android App

You are correct, L2 security is done at the 'foreign' controller.  So authenticaiton has to happen prior to the user getting 'anchored'

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered

Thanks guys, I really appreciate your answers.

BTW we did see auth traffic comming fronm the "wrong" controller, but I interpreted this as the ancoring nor working.

I'll make an update when we have the soultion up an running

BR/Mats

Review Cisco Networking for a $25 gift card