- Silver, 250 points or more
I have 2 WLCs configured with 2 SSIDs (one is [WPA2][Auth(802.1X)] and the other is Web-Auth). One of the WLCs is remote and its WLANs are configured with mobility anchors pointing to the other WLC. Both WLCs are configured with Called-Station-ID set to AP Mac Address:SSID. I use this attribute on ACS to authenticate/authorize users based on what SSID they connect to.
This worked fine on WLC code 7.0 but on upgrading to 7.4 I started having some issues:
- clients on the remote WLC can still authenticate on the [WPA2][Auth(802.1X)] SSID as the Called-Station-ID attribute is still AP Mac Address:SSID
- clients on the remote WLC cannot authenticate on the Web-Auth SSID as the Called-Station-ID attribute now appears to be the Mac Address of the WLC anchor controller
WLC models are 5508 and current code is 18.104.22.168 (APs are AIR-LAP1142N-E-K9). Can anyone tell me why I'm seeing this behaviour on the Web-Auth SSID on the remote WLC?
Since you have two AAA devices that's sending info, you can have your policy for the guest specifying the guest WLC. The SSID policy for the foreign WLC is only really needed if you have multiple 802.1x authentication from the foreign WLC and that's when you can use the regex to defiance the SSID per AD Group.
Look at a successful authentication from one of the guest users. Look at the detailed log and then in that log, you will see all the attributes being sent that the radius can send back to the WLC. You can use any of those attributes in your policies.
Called-Station-ID might not be sent like what your use to, because the foreign WLC has the access point the guest user associates to and tunnels it back to the anchor WLC. So this attribute might not be available. Things do change with code versions so you might just have to adjust your policies. I haven't played around with 7.0.x code with guest anchor and radius in a while, but I have in the past upgraded radius or the WLC and had to tweak my radius policies.
Sent from Cisco Technical Support iPhone App