Integrating a Wired 802.1X Network With a Wireless 802.1X Network

Answered Question
Nov 27th, 2007

Hi All

We currently have a Wired 802.1x network using Cisco 3500 and 2900 series switches.

We are adding a wireless network using LWAPP and a 2106 WLC. The issue I have is that I cannot restrict users logging into different SSIDs.

So on the Wired network User A logs on and is placed on VLAN A and User B goes on VLAN B. On the Wireless side I assign each SSID to a certain VLAN but I am finding that the WLC2106 is not reading the VLAN info (it makes sense seeing as it does not use VTP Trunks). So I configured a NonIP NAR on the ACS server but I found that if I apply this to VLAN A only UserA is allowed to access the SSID A but it breaks the Wired 802.1X (wired does not send the DNIS attribute, or if it does I do not know what it is). If I add a second condition with all * then allow if either condition is met I again open up WLAN A to all users authenticating.

Right now the only way I can see this working is if I have two separate RADIUS servers (one for Wireless and one for Wired) or if Cisco makes a Controller that allows trunking and is smart enough to read the VLAN settings on the Wired side.

Does anyone have any suggestions?

Thanks

Correct Answer by jafrazie about 9 years 1 week ago

Is this what you need?

<http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml>

Not sure what you're trying to do, other than needing VLAN-Assignment on your 2106, which should be supported.

Hope this helps,

blittrell Tue, 11/27/2007 - 17:19

I guess I made it more difficult than it was :)

I was assuming that because the 2106 could not do VTP it would not know what VLAN names mapped to what VLAN numbers, as well as my ignorance on how the Wireless assigns VLANs/access.

I created a new SSID with the Interface placed on the Guest network then did the AAA override and that allowed me to restrict access. I am sure that link you sent probably described it, I just thought it was going to be more difficult than it ended up being :)

Thanks
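As an added illustration of the per-user VLAN assignment discussed in this thread (not code from the posters or from Cisco): the standard RFC 3580 tunnel attributes a RADIUS server places in an Access-Accept to assign a VLAN, encoded and parsed in Python. It assumes the switches and the controller's AAA override both read these attributes, which the thread does not state; the user names and VLAN numbers are constructed.

```python
import struct

# Attribute numbers and values from RFC 2868 / RFC 3580.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
VLAN, IEEE_802 = 13, 6
USER_VLAN = {"userA": 10, "userB": 20}  # constructed sample policy

def _tlv(attr_type, value):
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def encode_vlan_attrs(vlan, tag=0):
    """Build the three Access-Accept attributes that assign `vlan` (ID or name)."""
    def tagged(v):  # 1 tag byte followed by a 3-byte big-endian value
        return bytes([tag]) + v.to_bytes(3, "big")
    group = str(vlan).encode("ascii")
    if tag:  # the string attribute carries a tag byte only when the tag is non-zero
        group = bytes([tag]) + group
    return (_tlv(TUNNEL_TYPE, tagged(VLAN))
            + _tlv(TUNNEL_MEDIUM_TYPE, tagged(IEEE_802))
            + _tlv(TUNNEL_PRIVATE_GROUP_ID, group))

def decode_vlan(attrs):
    """Return the assigned VLAN as a string, or None when the reply does not
    carry a complete Tunnel-Type=VLAN / Tunnel-Medium-Type=802 / group-ID set."""
    found, i = {}, 0
    while i < len(attrs):
        if i + 2 > len(attrs):
            raise ValueError("truncated attribute header")
        attr_type, length = attrs[i], attrs[i + 1]
        if length < 3 or i + length > len(attrs):
            raise ValueError("bad attribute length")
        value = attrs[i + 2:i + length]
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if len(value) != 4:
                raise ValueError("tunnel attribute must be tag + 3 bytes")
            found[attr_type] = int.from_bytes(value[1:], "big")
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
            if value[0] <= 0x1F:  # leading byte in 0x00-0x1F is a tag, not text
                value = value[1:]
            found[attr_type] = value.decode("ascii")
        i += length
    if found.get(TUNNEL_TYPE) == VLAN and found.get(TUNNEL_MEDIUM_TYPE) == IEEE_802:
        return found.get(TUNNEL_PRIVATE_GROUP_ID)
    return None

def access_accept_attrs(user):
    """Same per-user reply whichever NAS (switch or controller) asked."""
    return encode_vlan_attrs(USER_VLAN[user])
```

Because the reply is keyed on the user rather than on the SSID or port, one RADIUS policy can serve wired and wireless authenticators without a DNIS-based restriction.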
