10-25-2012 01:06 AM - edited 07-03-2021 10:55 PM
Has anyone set up 802.1x authentication (RADIUS/ISE) in conjunction with WLAN anchoring and got it working?
Looking in the docs doesn't give many clues as to why this fails, but web-auth and anchoring work excellently on another WLAN.
We need to move all BYOD devices to the datacenter for termination, so using anchoring would solve all our needs.
And yes, all interfaces and security settings are identical on all WLCs. The s/w is 7.0.116 and all controllers are 5508s.
Isn't 802.1x and anchoring supported?
BTW - looking at the debug outputs, it seems that the remote controllers initiate RADIUS auth instead of the anchor controller.
Any ideas?
Sincere Regards
/Mats
10-31-2012 04:16 AM
Mats,
This may be "expected behavior." I believe the 802.1x process usually occurs on the controller handling the client association. Webauth might technically be a post-dot1x process (open auth), and therefore can be handed off to the remote controller. Have you moved an AP directly to the remote to verify dot1x works there?
Sent from Cisco Technical Support Android App
10-31-2012 07:15 AM
You are correct, L2 security is done at the 'foreign' controller. So authentication has to happen prior to the user getting 'anchored'.
HTH,
Steve
------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered
10-30-2012 02:59 AM
I was hoping that I didn't have to open a TAC case regarding this issue.
Since the setup is very simple - an SSID with WPA2/AES and 802.1x, tied to an interface that is present and active, as well as a specific RADIUS server for auth on both the remote and anchor controller. The tunnel is up between remote and anchor. The anchor also terminates an SSID with web auth that works fine. Why doesn't this work?
Best Regards
Mats Nilson
11-01-2012 02:22 AM
Thanks guys, I really appreciate your answers.
BTW we did see auth traffic coming from the "wrong" controller, but I interpreted this as the anchoring not working.
I'll make an update when we have the solution up and running.
BR/Mats