WLC5508 TACACS communication from the wrong interface/IP

Answered Question
Aug 9th, 2012

Hello,

I'm trying to set up a WLC5508 with TACACS for management authentication, but it seems I've hit an issue. Let me describe my configuration a bit first:

- I have one management interface (IP Y.Y.Y.Y), which also handles AP management, on VLAN 200.

- A couple of other dynamic interfaces, one of them untagged with IP X.X.X.X.

- My AAA (TACACS/RADIUS) servers are on this untagged VLAN (IPs in the subnet X.X.X.0).

User authentication is working fine; the WLC communicates with the AAA servers just fine for user authentication. But I noticed that using the same servers for management authentication doesn't work: the WLC reports an error that the servers are unavailable.

After some sniffing I've seen that the WLC tries to contact the AAA servers over the management interface (VLAN 200) BUT using the X.X.X.X IP and not the Y.Y.Y.Y IP! Of course this will go nowhere!

This is quite strange behaviour as far as I understand it. I would expect the controller to either use the management interface with the Y.Y.Y.Y IP to reach the AAA servers, or use the dynamic interface with the X.X.X.X IP, but not this mixed thing, especially since it only happens for management authentication while user authentication works.

Has anyone else noticed this behaviour?

WLC software version is 7.2.110.0

Thanks

Stephen Rodriguez Thu, 08/09/2012 - 04:05

Please correct me if I'm wrong.

Your TACACS server is in the subnet of one of the dynamic interfaces. Is that correct?

Steve


Stephen Rodriguez Thu, 08/09/2012 - 04:33

Ok then the admin is working as it should and the user is 'wrong'.

There should be no server located in a dynamic VLAN as the WLC will try to send the request with the IP of that subnet.

TACACS/RADIUS/DHCP etc. should not be configured on a dynamic interface. This is per the best practices guide.

Steve


g.billios Thu, 08/09/2012 - 04:35

Steve, then why does it work just fine for user authentication? They are the same AAA servers!

BTW, best practices configuration guide mentions the following:

Per design, most of the CPU initiated traffic is sent from the management address in the controller. For example, SNMP traps, RADIUS authentication requests, multicast forwarding, and so forth.

http://www.cisco.com/en/US/tech/tk722/tk809/technologies_tech_note09186a0080810880.shtml#topic2

Correct Answer
Stephen Rodriguez Thu, 08/09/2012 - 05:32

"It is important to avoid configuring a dynamic interface in the same sub network as a server that has to be reachable by the controller CPU, for example a RADIUS server, as it might cause asymmetric routing issues."

This is the second blurb below the CPU initiated traffic one.

As I said, it shouldn't be working for user auth either. If the WLC has a dynamic interface in the same subnet as a server, it uses that interface to initiate traffic, instead of the management interface. So unless you configured the RADIUS portion with the dynamic interface IP, and issued config network-mgmt-via-dynamic-interface enable, the WLC should drop any request from the server on the dynamic interface.

HTH,
Steve

-----------------------------------------
Please remember to rate useful posts, and mark questions as answered
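The two checks discussed in this thread, as an added example that is not from the original post or from Cisco: first, the best-practice check Steve cites (is any AAA server address inside a dynamic interface's subnet?), and second, the packet-capture observation from the question (a frame leaving on the management VLAN with the dynamic interface's source address). The interface table, server list and "captured" egress records are constructed sample data using documentation address ranges; the record layout (`vlan`, `src`, `dst`, `dport`) is an assumption standing in for whatever a real capture export provides.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Interface:
    """One WLC interface: VLAN tag (0 = untagged) and its address in ip/prefix form."""
    name: str
    vlan: int
    address: str
    management: bool = False

    @property
    def ip(self):
        return ipaddress.ip_interface(self.address).ip

    @property
    def network(self):
        return ipaddress.ip_interface(self.address).network


# Constructed sample configuration mirroring the thread: a management interface on
# VLAN 200 and an untagged dynamic interface whose subnet also holds the AAA servers.
INTERFACES = [
    Interface("management", 200, "192.0.2.10/24", management=True),
    Interface("dyn-untagged", 0, "198.51.100.10/24"),
]
AAA_SERVERS = ["198.51.100.21", "198.51.100.22"]

# Constructed "captured" egress records: VLAN the frame left on, IP header, L4 port.
# 49/tcp is TACACS+, 1812/udp is RADIUS authentication.
CAPTURE = [
    {"vlan": 200, "src": "198.51.100.10", "dst": "198.51.100.21", "dport": 49},
    {"vlan": 0, "src": "198.51.100.10", "dst": "198.51.100.21", "dport": 1812},
    {"vlan": 200, "src": "192.0.2.10", "dst": "192.0.2.50", "dport": 162},
]


def servers_in_dynamic_subnets(interfaces, servers):
    """Best-practice check: (server, interface) pairs where a CPU-reachable server
    sits inside a dynamic (non-management) interface's subnet."""
    hits = []
    for server in servers:
        sip = ipaddress.ip_address(server)
        for itf in interfaces:
            if not itf.management and sip in itf.network:
                hits.append((server, itf.name))
    return hits


def mismatched_sources(interfaces, packets):
    """Capture check: egress records whose source IP is not the address of the
    interface they left on (the management-VLAN-with-dynamic-IP symptom)."""
    by_vlan = {itf.vlan: itf for itf in interfaces}
    flagged = []
    for pkt in packets:
        itf = by_vlan.get(pkt["vlan"])
        if itf is None:
            continue  # VLAN not owned by the controller; nothing to compare against
        if ipaddress.ip_address(pkt["src"]) != itf.ip:
            flagged.append({
                "vlan": pkt["vlan"],
                "src": pkt["src"],
                "dst": pkt["dst"],
                "dport": pkt["dport"],
                "expected_src": str(itf.ip),
                "interface": itf.name,
            })
    return flagged


if __name__ == "__main__":
    for server, name in servers_in_dynamic_subnets(INTERFACES, AAA_SERVERS):
        print(f"AAA server {server} lies in dynamic interface '{name}' subnet (best-practice violation)")
    for rec in mismatched_sources(INTERFACES, CAPTURE):
        print(f"VLAN {rec['vlan']} frame to {rec['dst']}:{rec['dport']} sourced from {rec['src']}, "
              f"expected {rec['expected_src']} ({rec['interface']})")
```

Run against the constructed data, the first check names both AAA servers as living in the dynamic subnet, and the second flags only the TACACS+ record on VLAN 200 carrying the dynamic interface's address; the RADIUS record leaving untagged with that same address is consistent and is not flagged.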

g.billios Thu, 08/09/2012 - 05:46

This seems to me like a contradictory statement from Cisco. It is quite crazy to work like this for one type of authentication but differently for another.

Also you write: "If the WLC has a dynamic interface in the same subnet as a server, it uses that interface to initiate traffic, instead of the management interface"

But in my case it does NOT use the dynamic interface but the management interface with the dynamic interface's IP!!!

Also, I'm not sure though what you mean "configured the RADIUS portion with the dynamic interface". The AAA server's IPs are on the same subnet as the dynamic interface and "Mgmt Via Dynamic Interface" is disabled.

For me the bottom line is that this is crazy behavior and I'm sure you agree with me here. I'm also afraid that I must raise a TAC support case with this.

Stephen Rodriguez Thu, 08/09/2012 - 05:48

Yes, I agree that it is acting funny. But TAC (more than likely) will tell you to move the TACACS server off of the dynamic interface, or remove the dynamic interface.

Technically, by having the TACACS server on a dynamic interface's subnet, this is a 'misconfiguration'.

HTH,
Steve

-----------------------------------------
Please remember to rate useful posts, and mark questions as answered
