02-19-2020 05:55 AM - edited 07-05-2021 11:44 AM
Hi, I am trying to get my head round how a WLC works at a basic level and I just cannot figure it out. Can anyone please explain to me the following scenario we have:
An SSID named 'Ipad_WLAN' which uses local MAC filtering, so it doesn't look at ISE at all.
An Interface Group called 'Students' that consists of 10 interfaces (including one called "STUDENT-MAIN").
In the WLANs > Edit 'Ipad_WLAN' section there is a field called 'Interface/Interface Group(G)' which is set to use the 'Students(G)'
Now can somebody please tell me, why use an interface group here (or what's the purpose) when the SSID always associates to the "STUDENT-MAIN" interface?
The same is also true on one of our other SSIDs that goes through ISE. It uses the same interface group 'Students(G)' but associates to an interface that's not even in that group!
Please can someone explain this to a frustrated noob. Many thanks.
02-19-2020 09:33 AM
In the WLC we always take the most specific config for a client. In this case, the interface or interface group on the WLAN is the least specific config, as it would apply to every client that joins it. If, for instance, you had an AP group with this WLAN tied to a different interface, the clients on that WLAN using APs in that group would take the interface from that AP group. This is a more specific config because not only do the clients have to be on that WLAN, but they also have to be using APs in that group. In your case, when using the local MAC database, there is a config for the interface to use when you add the MAC address to the WLC. This config would be the most specific because it is only tied to one client. In ISE, you can send back an AVP with the VLAN you want them to be put on. If the WLAN has AAA override enabled, the WLC will apply the VLAN sent back from ISE.
I hope this answers your questions. Let me know if it doesn't.
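The precedence described in the answer above, written out as a small resolver so the rules can be tried against concrete inputs. This is an added illustrative model, not WLC code: the dataclasses, the `resolve_interface` function, the `nac_state` values and the interface names such as 'STUDENT-MAIN' are assumptions for the demo. It also folds in two points made later in the thread: the local MAC database is skipped when the WLAN's NAC state is ISE NAC or RADIUS NAC, and the ISE VLAN AVP only takes effect when 'Allow AAA Override' is enabled.

```python
"""Illustrative model (added example, not WLC code) of how a WLC picks the
interface/VLAN for a client: the most specific matching config wins.

Precedence, least to most specific, as described in the answer above:
  WLAN interface / interface group
  < AP-group override of the WLAN's interface
  < local MAC filter entry (only when NAC state is not ISE NAC / RADIUS NAC)
  < VLAN returned by ISE (only when 'Allow AAA Override' is enabled)
All names and the data model here are assumptions made for this demo.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class Wlan:
    ssid: str
    interface: str                      # interface or interface group from the WLAN page
    aaa_override: bool = False          # 'Allow AAA Override' on the Advanced tab
    nac_state: str = "none"             # assumed values: "none", "radius_nac", "ise_nac"
    ap_group_interface: Dict[str, str] = field(default_factory=dict)  # AP group -> interface


@dataclass
class Client:
    mac: str
    ap_group: Optional[str] = None
    radius_vlan_avp: Optional[str] = None   # VLAN/interface name ISE sent back, if any


def resolve_interface(wlan: Wlan, client: Client,
                      mac_filter: Dict[str, str]) -> Tuple[str, str]:
    """Return (interface, source) for `client` joining `wlan`.

    `mac_filter` maps a lower-case MAC to the interface configured on its
    local MAC filter entry (the 'Interface Name' field when adding the MAC).
    """
    chosen, source = wlan.interface, "wlan"

    # An AP group can tie this WLAN to a different interface: more specific
    # than the WLAN itself, because it also depends on which AP the client uses.
    ap_if = wlan.ap_group_interface.get(client.ap_group or "")
    if ap_if:
        chosen, source = ap_if, "ap-group"

    # The local MAC database is only consulted when the NAC state is not
    # ISE NAC / RADIUS NAC; in those modes only the AAA servers are used.
    entry = mac_filter.get(client.mac.lower())
    if wlan.nac_state == "none" and entry:
        chosen, source = entry, "mac-filter"

    # A VLAN AVP from ISE is the most specific config, but the WLC only
    # applies it when AAA override is enabled on the WLAN.
    if client.radius_vlan_avp is not None and wlan.aaa_override:
        chosen, source = client.radius_vlan_avp, "aaa-override"

    return chosen, source


if __name__ == "__main__":
    # Constructed sample data mirroring the scenario in the question.
    ipad = Wlan("Ipad_WLAN", "Students(G)")
    filt = {"aa:bb:cc:dd:ee:01": "STUDENT-MAIN"}
    print(resolve_interface(ipad, Client("AA:BB:CC:DD:EE:01"), filt))
    print(resolve_interface(ipad, Client("aa:bb:cc:dd:ee:02"), filt))
```

Running the sample shows the filtered iPad landing on STUDENT-MAIN (source "mac-filter") while an unknown MAC falls back to the Students(G) group (source "wlan"), which is exactly the behaviour the question describes.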
02-19-2020 01:39 PM
When you added your MAC with an interface, it should take that interface. You would have had to re-authenticate, as the interface would be applied then. Adding a MAC address to the filter doesn't kick the client off, and we wouldn't change the VLAN after the DHCP process or the client would get blackholed. Try removing it from the client database (config client deauth <client mac>). When it comes back on, does it not take the interface you set in the MAC filter?
Interface groups are used for a number of reasons. The most common is that there are a lot of users on one WLAN and the network admin didn't want to create a broadcast domain large enough to facilitate all the clients. To help with this problem you can create a group of interfaces (VLANs) and spread the client load out across all of them. Our docs say it is round-robin, but actually it is an algorithm that runs against the MAC address and the current load, which is why clients might stay on the same interface every time they join.
Another reason for interface groups is redundancy. If we are unable to get clients an IP address on one interface we will mark it as dirty and not add any more clients to it for some time. This way if you had subnets with the gateway for each on a different router, and one router went down, all new clients would use the other one. Or if the DHCP pool on one interface filled up due to a network issue or just overutilization, we would start putting clients on the other interfaces in the group.
The third main reason would be that some devices have static IP addresses but they are in different subnets. All these clients would be able to connect to this WLAN with their static IPs and we would put them on the interface that matches the subnet they are in.
I'm not sure what you mean in the last part of question 2 but all interfaces on the WLC are tied to a specific VLAN and subnet so the interface they are put on would decide their VLAN/subnet.
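The three interface-group behaviours described in the post above (placement by MAC and load rather than pure round-robin, skipping an interface marked dirty after DHCP failures, and matching a static-IP client to the interface whose subnet contains it), as an added toy model so they can be exercised with sample data. This is not Cisco's implementation: the `InterfaceGroup` class, the SHA-256-based choice of a preferred interface, the load-difference threshold and the interface names and subnets are all assumptions for the demo.

```python
"""Illustrative model (added example, not WLC code) of client placement inside
an interface group, following the behaviours described in the post above:
  1. spread clients across the group's interfaces using the MAC and current
     load, which makes placement sticky per MAC rather than round-robin,
  2. skip interfaces marked 'dirty' after clients failed to get a DHCP lease,
  3. put a static-IP client on the interface whose subnet contains its address.
The hash rule, the load threshold and all names/subnets are assumptions.
"""
import hashlib
import ipaddress
from typing import Dict, Optional


class InterfaceGroup:
    LOAD_SLACK = 10   # assumed: tolerate this much imbalance before overriding the MAC hash

    def __init__(self, interfaces: Dict[str, str]):
        # interfaces: {interface name: subnet}, e.g. {"STUDENT-MAIN": "10.1.0.0/24"}
        self.subnets = {n: ipaddress.ip_network(s) for n, s in interfaces.items()}
        self.load = {n: 0 for n in interfaces}
        self.dirty = set()

    def mark_dirty(self, name: str) -> None:
        """Simulate the WLC marking an interface dirty after DHCP failures."""
        self.dirty.add(name)

    def clear_dirty(self, name: str) -> None:
        self.dirty.discard(name)

    def place(self, mac: str, static_ip: Optional[str] = None) -> Optional[str]:
        """Return the interface a joining client is assigned to, or None."""
        if static_ip is not None:
            # Static-IP clients go to the interface whose subnet holds their address.
            ip = ipaddress.ip_address(static_ip)
            for name, net in self.subnets.items():
                if ip in net:
                    self.load[name] += 1
                    return name
            return None   # no interface in the group carries that subnet

        candidates = [n for n in self.subnets if n not in self.dirty]
        if not candidates:
            return None   # every interface is dirty; nothing usable right now

        # A deterministic hash of the MAC picks a preferred interface, so the
        # same client tends to land on the same interface each time it joins.
        digest = hashlib.sha256(mac.lower().encode()).hexdigest()
        preferred = candidates[int(digest, 16) % len(candidates)]
        least = min(candidates, key=lambda n: self.load[n])
        # Only fall back to the least-loaded interface when the imbalance is large.
        chosen = preferred if self.load[preferred] - self.load[least] <= self.LOAD_SLACK else least
        self.load[chosen] += 1
        return chosen


if __name__ == "__main__":
    # Constructed sample group; names and subnets are made up for the demo.
    g = InterfaceGroup({"STUDENT-MAIN": "10.1.0.0/24",
                        "STUDENT-2": "10.2.0.0/24",
                        "STUDENT-3": "10.3.0.0/24"})
    first = g.place("aa:bb:cc:dd:ee:01")
    print("first join:", first, "second join:", g.place("aa:bb:cc:dd:ee:01"))
    g.mark_dirty(first)
    print("after marking dirty:", g.place("aa:bb:cc:dd:ee:01"))
    print("static 10.2.0.50 ->", g.place("aa:bb:cc:dd:ee:02", static_ip="10.2.0.50"))
```

Running the sample shows the same MAC returning to the same interface on a rejoin, moving elsewhere once that interface is marked dirty, and a static 10.2.0.50 client being placed on STUDENT-2 regardless of the hash.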
02-20-2020 06:14 AM
The device would have timed out overnight, so you shouldn't need to deauth it this morning. On your WLAN Advanced tab, on the right side, you should see a setting called NAC. Is this set to RADIUS or ISE NAC? When you set up MAC auth, if AAA is still enabled, it will check the local database first and then go to a server on the global list. If the NAC state is set to ISE NAC or RADIUS NAC, it will not check the local database and will only use the AAA servers.
In the CLI (you should start using this :) we can run some debugs to see where the client is getting the VLAN from.
debug client <client mac address>
debug aaa all enable
debug disable-all --- This will stop all debugs. These will probably fill your buffer, so you will need to log this to a text file somewhere.
Are you able to open a TAC case with Cisco? If so, let me know the SR number once you open it and we will get on a WebEx with you to show you how to do this and discuss the findings.
02-21-2020 04:43 AM
The buffer I was talking about was the session buffer. It depends on what you use to get into the box. PuTTY is the easiest. When you open PuTTY there is a place where you put in the IP address to SSH (default) to the WLC. Before you open that, look to the left and under Session you will see Logging. Here change it to log "all session output", then browse to where you want it stored and give it a name. This will print all the output from the WLC SSH session to a text file. Then open the session and run the two debugs. Then bring the client on for a fresh session. If the client can be found in the client table, remove it with the command "config client deauth <client mac>". To stop all the debugs from running, use the command "debug disable-all".
02-24-2020 08:28 AM
Make sure you enable "Allow AAA Override" on the Advanced tab of the WLAN. I believe this is why we can't override the interface here.