I'm trying to set up a WLC5508 with TACACS for management authentication, but it seems I've hit an issue. Let me describe my configuration a bit first:
- I have one management interface (IP Y.Y.Y.Y) which acts also for AP management on VLAN 200.
- A couple of other dynamic interfaces, one of them untagged with IP X.X.X.X.
- My AAA (TACACS/RADIUS) servers are on this untagged VLAN (IPs in the subnet X.X.X.0).
User authentication is working fine, the WLC communicates with the AAA servers just fine for user authentication, but I noticed that using the same servers for management authentication doesn't work with an error from the WLC side that the servers are unavailable.
After some sniffing I've seen that the WLC tries to contact the AAA servers over the management interface (VLAN 200) BUT using the X.X.X.X IP and not the Y.Y.Y.Y IP! Of course this will go nowhere!
This is quite a strange behaviour as I understand it. I would expect the controller to either use the management interface using the Y.Y.Y.Y IP to reach the AAA servers or use the dynamic interface with the X.X.X.X IP, but not this mixed thing, especially since this only happens for management authentication while user authentication works.
Has anyone else noticed this behaviour?
WLC software version is 126.96.36.199
"It is important to avoid configuring a dynamic interface in the same sub network as a server that has to be reachable by the controller CPU, for example a RADIUS server, as it might cause asymmetric routing issues."
This is the second blurb below the CPU-initiated traffic.
As I said, it shouldn't be working for user auth either. If the WLC has a dynamic interface in the same subnet as a server, it uses that interface to initiate traffic, instead of the management interface. So unless you configured the RADIUS portion with the dynamic interface IP, and issued config network-mgmt-via-dynamic-interface enable, the WLC should drop any request from the server on the dynamic interface.
Please remember to rate useful posts, and mark questions as answered