Radius server issue with WLAN controller

Unanswered Question
Sep 26th, 2010

Hi Friends,


I have the following topology:



radius server<---connects to one port of--->Switch1<----Connects to WLAN controller(WLC1)



I have access point1 (AP1) connected to another port of the WLAN controller. AP1 is a lightweight AP associated with WLC1.

The issue is, whenever I try to connect AP1 wirelessly, the RADIUS server sees Switch1 as the source for authentication instead of seeing the WLAN controller.


Please advise why this is happening. Please advise the solution too...


Thanks....

gavin han Sun, 09/26/2010 - 15:55

Correction: access point1 (AP1) is connected to another port of Switch1.

Roger Alderman Mon, 09/27/2010 - 02:05

Hi Gavin


Have you configured the RADIUS Server with a RADIUS Client that is the WLC?

You should normally use the management IP address of the WLC as the RADIUS Client. However I have seen issues where I have had to use the IP address of the logical interface of the WLC.


Regards


Roger

gavin han Mon, 09/27/2010 - 06:34

Yes, I've configured the RADIUS server with the WLC as a RADIUS client and used the WLC management IP address, but it still shows that the message was received from Switch1.


You mentioned using the IP address of the logical interface of the WLC. Which logical interface should I use?


Please advise.

Roger Alderman Tue, 09/28/2010 - 01:33

Hi Gavin


I have seen an issue when using a Microsoft IAS Server as the RADIUS Server. You would normally expect to see the WLC management IP address as the RADIUS client but in this instance the IAS Server was seeing the RADIUS requests coming with a source address that was a WLC logical interface address. Changing the RADIUS client address to this IP address solved the problem.


The logical interface address you would use would be the logical interface that is associated to the WLAN that is using the RADIUS Server for authentication.


I'm a bit mystified as to why your switch is sending RADIUS packets. Are you trunking between the WLC and the switch?

Are you able to PING from the WLC to the RADIUS Server?


Regards


Roger

gavin han Tue, 09/28/2010 - 04:14

Yes, I'm trunking between the WLC and the switch and I'm able to ping the RADIUS server from the WLC.


I have 3 VLANs defined and hence 3 SSIDs, each SSID associated with each VLAN.


So can you tell me which WLAN logical interface IP address should be used?

Roger Alderman Wed, 09/29/2010 - 06:24

Hi Gavin


Let's assume you have an SSID called 'Test' and you want to use WPA-2 with AES and some form of EAP authentication (802.1x).


You will have created the SSID and as part of the configuration you will have either assigned it to the management interface or to a logical interface that you have previously created.

See the screenshots on the attached document.

My SSID is assigned to an interface called 'internal interface'. The logical interface called 'internal interface' is assigned to VLAN 26.


On the Security-Layer 2 tab of the WLAN configuration you will have set WPA-2, AES, and 802.1x.

On the Security-AAA Servers you will have selected a RADIUS Server from the drop down list for Server 1. For this Server IP address to appear you will have previously defined a RADIUS Server under the Security-RADIUS Authentication Server menu option.


If you have done all this then it should work. I suspect you may have missed something somewhere.


Regards


Roger
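
An added example, not part of the thread or any poster's code: a RADIUS server selects the client entry by the UDP source address of the request, so comparing that address with the NAS-IP-Address attribute inside the packet (RFC 2865, type 4) shows whether a known device is simply sending from an address the server was not given. The addresses, the `CLIENTS` table and the sample packet are constructed, and it is an assumption that the request carries a NAS-IP-Address attribute.

```python
import ipaddress
import struct

NAS_IP_ADDRESS, NAS_IDENTIFIER = 4, 32   # attribute types from RFC 2865

def parse_nas_attrs(packet: bytes) -> dict:
    """Extract NAS-IP-Address and NAS-Identifier from a raw RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("length field does not match packet size")
    found = {"code": code, "nas_ip": None, "nas_id": None}
    pos = 20                                  # skip header + 16-byte authenticator
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("malformed attribute length")
        value = packet[pos + 2:pos + a_len]
        if a_type == NAS_IP_ADDRESS and len(value) == 4:
            found["nas_ip"] = str(ipaddress.IPv4Address(value))
        elif a_type == NAS_IDENTIFIER:
            found["nas_id"] = value.decode("ascii", "replace")
        pos += a_len
    return found

def diagnose(src_ip: str, packet: bytes, clients: dict) -> str:
    """Classify a request by the address the server matches on (UDP source)."""
    nas = parse_nas_attrs(packet)
    if src_ip in clients:
        return "match"
    if nas["nas_ip"] in clients:
        return "source-mismatch"   # known device, but not the address it sent from
    return "unknown-client"

def build_sample(nas_ip: str, nas_id: str) -> bytes:
    """Constructed Access-Request (code 1) with a zeroed authenticator."""
    attrs = bytes([NAS_IP_ADDRESS, 6]) + ipaddress.IPv4Address(nas_ip).packed
    attrs += bytes([NAS_IDENTIFIER, 2 + len(nas_id)]) + nas_id.encode("ascii")
    return struct.pack("!BBH", 1, 1, 20 + len(attrs)) + bytes(16) + attrs

# Constructed addresses: 10.0.0.5 = management interface, 10.0.26.5 = logical interface
CLIENTS = {"10.0.0.5": "WLC1"}
SAMPLE = build_sample("10.0.0.5", "WLC1")

if __name__ == "__main__":
    print(diagnose("10.0.26.5", SAMPLE, CLIENTS), parse_nas_attrs(SAMPLE))
```

A "source-mismatch" result means the address configured as the RADIUS client is not the one the request actually arrived from; "unknown-client" means neither address is in the client table.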
