RADIUS query with different interface than Management

Answered Question
Sep 13th, 2011

Hi there,

I am currently setting up a wireless controller which is to service several SSIDs which are mapped to physically separated LANs.

So far there has been no problem in doing the config.

However I discovered later that for each SSID a separate RADIUS server has to be queried, which are also in physically separated networks and where no routing exists/will exist.

Now my question is, if there is any possibility to somehow tell the WLC to use a different source interface in order to enable the usage of

RADIUS Server 1 on Network A for SSID A and to use

RADIUS Server 2 on Network B for SSID B.

Regards,

Patrick

surbg Tue, 09/13/2011 - 00:11

Go to WLAN Edit page >> Layer 2 >> AAA servers >> Radius Server Priority >> Select whatever Radius Server you want to map to that WLAN.

Please don't forget to rate the useful posts!!

Regards

Surendra

patrick.kofler Tue, 09/13/2011 - 00:18

Hi Surendra,

the selection of the RADIUS server is not the problem. My problem is the source interface the WLC takes in order to send the query to the server. It is always the Management interface.

If I configured the management interface with an IP from Network A it would not be able to send the query to the RADIUS server in Network B, since the networks themselves cannot see each other.

I would like to know if there is somehow a possibility to allow a different RADIUS source interface, e.g. allow a dynamic interface.

Regards,

Patrick

George Stefanick Tue, 09/13/2011 - 00:59

It's way past my bedtime. But wanted to throw this out there and maybe you could test it .. You can add routes in the WLC. But you would need a static coming back ...

I don't see any other way around it ... Cause you are right ... WLC uses the management address ...

patrick.kofler Tue, 09/13/2011 - 01:34

I already considered the routing, when we ordered the WLC.

I should have added that it is a 2500 series controller, sorry. They don't support the routing feature.

Funnily, when connecting to the CLI I can issue the command "show route summary".

To be honest I cannot understand, why it is not implemented.

Correct Answer
patrick.kofler Mon, 10/24/2011 - 07:42

I just stumbled upon what might be the solution in this case.

Under WLAN Edit page for a SSID under Security -> AAA Servers there is a checkbox called

"Radius Server Overwrite interface".

All RADIUS requests are sent out on the dynamic-interface this SSID is mapped to.

I'll test this and will get back with the results.

George Stefanick Mon, 10/24/2011 - 09:26

I am not all that surprised because the smaller WLCs lack some features, but I am surprised it doesn't support routing! LOL

patrick.kofler Tue, 10/25/2011 - 01:15

I tested the feature and authentication requests via the dynamic-interface were successful when enabling this feature.

@George: We run the latest code 7.0.116.0, which must be the first where this feature got introduced. I don't recall seeing it in 7.0.98.0.

However the explanation of this feature is found in the documentation of WCS. Not a single mention in the WLC documentation.

Regarding the routing feature. I have tested it also on a 5508 WLC. As soon as you try to define a gateway, which is not in the service-port subnet you'll get an error, which is effectively the same problem.

But as the "Radius Server Overwrite interface" feature does exactly what I needed, this issue is solved.
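For reference, the CLI equivalent of the checkbox described above, added here as an example and not part of the thread; the WLAN ID (2), the command syntax for the overwrite-interface option and the need to disable the WLAN first are assumptions to be checked against the Command Reference for the running release:

```text
! Assumed WLAN ID 2 is the SSID mapped to the dynamic interface on Network B
config wlan disable 2
! Assumed syntax: send RADIUS requests for this WLAN from its dynamic
! interface instead of the Management interface
config wlan radius_server overwrite-interface enable 2
config wlan enable 2
! Confirm the setting took effect on the WLAN
show wlan 2
! Watch the authentication exchange while a client associates
debug aaa all enable
debug aaa all disable
```

Because a RADIUS server identifies its client by source IP address and shared secret, the dynamic interface's IP (not the Management IP) must be registered as the NAS/client on the RADIUS server for that network, otherwise the requests are silently dropped.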

Stephen Rodriguez Tue, 10/25/2011 - 07:42

The route commands on the WLC are for forcing traffic out of the service port. I wouldn't generally recommend using these unless you absolutely had to force traffic out the service-port to get OOB management working.

HTH,

Steve

----------------------------------------------------------------------------------------------------------

Please remember to rate helpful posts or to mark the question as answered so that it can be found later.

Stephen Rodriguez Tue, 10/25/2011 - 08:37

Yes, sir.

Command Reference

It's been that way, as long as I can remember, which goes back to 3.2...god I feel old

HTH,

Steve

