Buy or Renew
Buy or Renew
Cisco Virtual Engineer generative AI bot now active in Wireless Discussion Forum. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
10178
Views
5
Helpful
11
Replies

RADIUS query with different interface than Management

Go to solution
patrick.kofler
Level 1
Level 1

‎09-13-2011 12:02 AM - edited ‎07-03-2021 08:45 PM

Hi there,

I am currently setting up a wireless controller which is to service several SSIDs which are mapped to physically separated LANs.

So far there has been no problem in doing the config.

However I discovered later that for each SSID a separate RADIUS server has to be queried, which are also in physically separated networks and where no routing exists/will exist.

Now my question is, if there is any possibility to somehow tell the WLC to use a different source interface in order to enable the usage of

RADIUS Server 1 on Network A for SSID A and to use

RADIUS Server 2 on Network B for SSID B.

Regards,

Patrick

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
patrick.kofler
Level 1
Level 1
In response to patrick.kofler

‎10-24-2011 07:42 AM

I just stumbled upon what might be the solution in this case.

Under WLAN Edit page for a SSID under Security -> AAA Servers there is a checkbox called

"Radius Server Overwrite interface".

All RADIUS requests are sent out on the dynamic-interface this SSID is mapped to.

I'll test this and will get back with the results.

View solution in original post

11 Replies 11

Go to solution
Surendra BG
Cisco Employee
Cisco Employee

‎09-13-2011 12:11 AM

Go to WLAN Edit page >> Layer 2 >> AAA servers >> Radius Server Priority >> Selct wat ever Radius Server u wanna map it to to that WLAN.

Please dont forge tto rate the usefull posts!!

Regards

Surendra

Regards
Surendra BG
0 Helpful

Go to solution
patrick.kofler
Level 1
Level 1
In response to Surendra BG

‎09-13-2011 12:18 AM

Hi Surendra,

the selection of the RADIUS server is not the problem. My problem is the source interface the WLC takes in order to send the query to the server. It is always the Management interface.

If I would configure the management interface with an IP from Network A it will not be able to send the query to the RADIUS server in Network B since the networks themselves cannot see each other.

I would like to know if there is a somehow a possibility to allow a different RADIUS source interface e.g. allow a dynamic interface.

Regards,

Patrick

0 Helpful

Go to solution
George Stefanick
VIP Alumni
VIP Alumni
In response to patrick.kofler

‎09-13-2011 12:59 AM

It's way past my bed time. But wanted to throw this out there and maybe you could test it .. You can add routes in the wlc. But you would need a static coming back ...

I dont see any other way around it ... Cause u are right ... Wlc uses the management address ...

Sent from Cisco Technical Support iPad App

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________
0 Helpful

Go to solution
patrick.kofler
Level 1
Level 1
In response to George Stefanick

‎09-13-2011 01:34 AM

I already considered the routing, when we ordered the WLC.

I should have added that it is a 2500 series controller, sorry. They don't support the routing feature.

Funnily when connecting to CLI I can issue the command show route summary

To be honest I cannot understand, why it is not implemented.

0 Helpful

Go to solution
patrick.kofler
Level 1
Level 1
In response to patrick.kofler

‎10-24-2011 07:42 AM

I just stumbled upon what might be the solution in this case.

Under WLAN Edit page for a SSID under Security -> AAA Servers there is a checkbox called

"Radius Server Overwrite interface".

All RADIUS requests are sent out on the dynamic-interface this SSID is mapped to.

I'll test this and will get back with the results.

Go to solution
George Stefanick
VIP Alumni
VIP Alumni
In response to patrick.kofler

‎10-24-2011 09:27 AM

What code are you on ?

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________
0 Helpful

Go to solution
George Stefanick
VIP Alumni
VIP Alumni
In response to patrick.kofler

‎10-24-2011 09:26 AM

I am not all that surpirsed becuase the smaller WLCs lack some features, but I am surprised it doesnt support routing! LOL

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________
0 Helpful

Go to solution
patrick.kofler
Level 1
Level 1
In response to George Stefanick

‎10-25-2011 01:15 AM

I tested the feature and authentication requests via the dynamic-interface were successful when enabling this feature.

@George: We run the latest code 7.0.116.0, which must be the first where this feature got introduced. I don't recall seeing it in 7.0.98.0.

However the explanation of this feature is found in the documentation of WCS. Not a single mention in the WLC documentation.

Regarding the routing feature. I have tested it also on a 5508 WLC. As soon as you try to define a gateway, which is not in the service-port subnet you'll get an error, which is effectively the same problem.

But as the "Radius Server Overwrite interface" feature does exactly what I needed, this issue is solved.

0 Helpful

Go to solution
Stephen Rodriguez
Cisco Employee
Cisco Employee
In response to patrick.kofler

‎10-25-2011 07:42 AM

The route commands on the WLC are for forcing traffic out of the service port.  I wouldn't generally recommend using these unless you absolutley had to force traffic out the service-port to get OOB management working.

HTH,

Steve

----------------------------------------------------------------------------------------------------------

Please remember to rate helpful posts or to mark the question as answered so that it can be found later.

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered
0 Helpful

Go to solution
George Stefanick
VIP Alumni
VIP Alumni
In response to Stephen Rodriguez

‎10-25-2011 08:25 AM

Is that right? So any static routes added in the WLC will go out the service port ?

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________
0 Helpful

Go to solution
Stephen Rodriguez
Cisco Employee
Cisco Employee
In response to George Stefanick

‎10-25-2011 08:37 AM

Yes, sir.

Command Referrence

It's been that way, as long as I can remember, which goes back to 3.2...god I feel old

HTH,

Steve

----------------------------------------------------------------------------------------------------------

Please remember to rate helpful posts or to mark the question as answered so that it can be found later.

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card