WLC Authentication Routing

billsayegh
Level 1

Hi

We have a requirement to provide 802.1X certificate authentication for internal users and web authentication to guest users.

The certificate server will be on an internal trusted network where the internal employee get mapped to the internal VLAN.

Guest users will map to an untrusted VLAN once authenticated using web auth then will be able to access the Internet.

My question is that I would like the internal authentication requests to go to the internal server and route via an internal trusted VLAN, and the guest user web auth authentication to route via the untrusted VLAN to the guest server on the untrusted network.

Can anyone confirm if this is possible, or is all authentication sourced from the management interface IP address?

Appreciate any help on this.

4 Replies

Nicolas Darchis
Cisco Employee

Authentication requests are sent from the management interface always.

I'm not sure if there is any point in doing what you are looking for. The guest user authentication is an encrypted (CHAP) authentication request going to your RADIUS server. What is dangerous about putting that in your internal VLAN? It's the WLC sending the RADIUS request, not the client. The only traffic that the client will ever be able to send is through your untrusted VLAN.

Nicolas

Hi

Thanks for your response. The guest authentication server will be sitting in a custom hosted environment which is physically in a different location on an untrusted environment, which is accessed via a different VPN than the customer's internal VPN.

Can we route the authentication traffic via a different VLAN based on which authentication server we want to use for a particular SSID?

If authentication requests are only sent on a single VLAN, i.e. the WLC management VLAN, then we would need to do some policy based routing to direct the traffic to each VPN, which is not ideal.

Regards
Bill

As you are stating, you need routing configuration on the infrastructure. The WLC will send out through the management interface to the RADIUS server defined in the SSID.

Hi

Thanks for your reply. I think you have answered the question: all RADIUS authentication is sent out on the management interface, and it is then up to the network to direct the traffic to where it needs to go.

Regards

Bill CCIE 3906
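The conclusion of the thread is that every RADIUS request leaves the WLC from the management interface, so the trusted/untrusted split has to be enforced by the network (policy based routing) rather than by the controller. An added example, not from the original thread or from Cisco: a small audit over constructed flow-log records that checks that every RADIUS request is sourced from the WLC management IP and that requests for each RADIUS server leave via the egress VLAN the routing policy is supposed to give them. The WLC address, server addresses, VLAN ids and log format are all assumed placeholders.

```python
"""
Audit constructed flow records for RADIUS (UDP/1812, UDP/1813) traffic.

Checks made for each RADIUS flow:
  1. the source must be the WLC management IP (the WLC, not a client, talks RADIUS);
  2. the destination must be a known RADIUS server;
  3. the flow must have left via the egress VLAN expected for that server,
     which is what the policy based routing discussed in the thread provides.
All addresses, VLAN ids and log lines are constructed for this example.
"""
from dataclasses import dataclass
from typing import Dict, List
import ipaddress

RADIUS_PORTS = {1812, 1813}                          # authentication, accounting
WLC_MGMT_IP = ipaddress.ip_address("10.10.0.5")      # assumed WLC management interface

# Assumed servers: internal AAA server reached over the trusted VLAN,
# hosted guest web-auth server reached over the untrusted VLAN.
RADIUS_SERVERS = {
    ipaddress.ip_address("10.20.0.10"): {"role": "internal-8021x", "egress_vlan": 100},
    ipaddress.ip_address("192.0.2.50"): {"role": "guest-webauth", "egress_vlan": 900},
}


@dataclass
class Flow:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: str
    dport: int
    egress_vlan: int


def parse_flow(line: str) -> Flow:
    """Parse one constructed 'key=value' flow record into a Flow."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return Flow(
        ipaddress.ip_address(fields["src"]),
        ipaddress.ip_address(fields["dst"]),
        fields["proto"],
        int(fields["dport"]),
        int(fields["vlan"]),
    )


def check_radius_flow(flow: Flow) -> List[str]:
    """Return findings for one flow; an empty list means the flow is as expected."""
    findings: List[str] = []
    if flow.proto != "udp" or flow.dport not in RADIUS_PORTS:
        return findings  # not RADIUS, nothing to check
    if flow.src != WLC_MGMT_IP:
        findings.append(
            f"RADIUS to {flow.dst} sourced from {flow.src}, not the WLC management IP"
        )
    server = RADIUS_SERVERS.get(flow.dst)
    if server is None:
        findings.append(f"RADIUS to unknown server {flow.dst}")
    elif flow.egress_vlan != server["egress_vlan"]:
        findings.append(
            f"{server['role']} RADIUS left via VLAN {flow.egress_vlan}, "
            f"expected VLAN {server['egress_vlan']}"
        )
    return findings


def audit(lines: List[str]) -> Dict[int, List[str]]:
    """Map record index -> findings, for records that produced any finding."""
    result: Dict[int, List[str]] = {}
    for i, line in enumerate(lines):
        findings = check_radius_flow(parse_flow(line))
        if findings:
            result[i] = findings
    return result


# Constructed records: 0 is correct; 1 shows guest RADIUS taking the trusted
# path (missing policy route); 2 shows RADIUS not sourced from the WLC;
# 3 is ordinary guest web traffic and is ignored.
SAMPLE_FLOWS = [
    "src=10.10.0.5 dst=10.20.0.10 proto=udp dport=1812 vlan=100",
    "src=10.10.0.5 dst=192.0.2.50 proto=udp dport=1812 vlan=100",
    "src=172.16.50.23 dst=192.0.2.50 proto=udp dport=1812 vlan=900",
    "src=172.16.50.23 dst=198.51.100.7 proto=tcp dport=443 vlan=900",
]

if __name__ == "__main__":
    for idx, findings in audit(SAMPLE_FLOWS).items():
        for f in findings:
            print(f"record {idx}: {f}")
```

Record 1 is the case the thread is really about: the guest server's RADIUS traffic is correct in every other respect but went out over the trusted VLAN because nothing steered it toward the untrusted VPN. Record 2 is the kind of thing Nicolas's reply rules out under normal operation (a client address talking RADIUS), which is why it is worth alerting on rather than silently routing.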
