Force the interface of WLC stand for NAS IP?

Majid Jalinousi
Level 1

Hi buddies,

Is it possible to set a secondary IP address on the management port of the WLC? I need to register our WLC in an AAA server with an IP address other than the available IP address.

By the way, our WLC is a 5508 and our management port is an interface VLAN.

In the end I need to force my NAS-IP to be this IP address newly set on the interface. Is it possible?

I would very much appreciate any kind of help.

BR,

Accepted Solutions

I'm having a headache :-) It is normal that you see the WLAN interface, because it's on the same subnet as the RADIUS server.

The WLC shows up with its management IP address unless the RADIUS server is on the same subnet as a dynamic interface (that's your case). The second exception is if you check the box "RADIUS overwrite interface" under the security WLAN config.

If you authenticate through another SSID it will always show up with the same IP.

Thanks

PS: Please don't forget to rate and mark as correct answer if this solved your issue 


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question


19 Replies

Francesco Molino
VIP Alumni

Hi

The AAA source interface on the WLC is the management interface, except if the AAA server is on the same VLAN as a dynamic interface.

However, the NAS-IP is always (default setup) the management interface. On your WLC you have only one interface named management and this will be your NAS-IP.

You can change it by activating "Radius Server Overwrite interface" on a per-WLAN basis.

Here is the Cisco documentation:

http://www.cisco.com/c/en/us/td/docs/wireless/controller/7-6/configuration-guide/b_cg76/b_cg76_chapter_01100010.html

http://www.cisco.com/c/en/us/td/docs/wireless/controller/8-2/config-guide/b_cg82/b_cg82_chapter_01100111.html

Thanks

PS: Please don't forget to rate and mark as correct answer if this solved your issue.


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Thanks for your help,

Something that has confused me is: why is it only possible to route from the service-port?

We configured the service-port of the WLC on the same VLAN as the AAA server. As I understood it, to force the WLC to route toward the AAA server from the management interface we need to isolate the service-port IP address and its VLAN. Is that right?

For the second question: if I want to change the IP address of the management interface, how should I do it? This interface is also the AP manager, so after changing its IP address it's possible the APs can't see the WLC. Does it need any special consideration?

Hi

The service-port is usually for out-of-band management. You can eventually use it for AAA requests. I've never done it. Usually very few people use this service port.

When you change your management interface IP address, you will lose the APs. What is important is that you provide the new IP in the DHCP option for your APs, and when they reboot they'll get access to the new WLC.

Or you can change your management interface and create a new one as AP manager with the same IP as you have right now on the management interface (before you change). In any case, the APs will reboot and register again to the WLC.

Hope this is clear.

Thanks 

PS: Please don't forget to rate and mark as correct answer if this solved your issue


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Thank you again,

I just want to be sure: if I change the service-port IP address to an isolated network like 192.168.1.0/24 without any route toward our AAA server on this port, would the WLC try to register itself in the AAA server with the management IP address? You know, will the NAS-IP change to the IP address of the management port?


BR,

Hi

I've never used the service port for AAA, but I assume that if the service port IP is in the same subnet as the AAA server it would pass all AAA requests through this interface.

You need to test it first, and right now I don't have any WLC available in the lab.

In the Cisco documentation it's written clearly that the NAS IP will be the management interface.

Could you test it and let me know?

If I can get a WLC for testing I will let you know.

Thanks 

PS: Please don't forget to rate and mark as correct answer if this solved your issue 


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Now the service-port of our WLC is in the same subnet as the AAA server and all the AAA-related traffic is sent from this port to the AAA server.

But I remember that before launching the service-port all the traffic was sent out from the management interface.

Tonight I'm going to isolate the service-port in an isolated subnet like 192.168.x.x so it won't be able to see the AAA server. I'm not sure whether after this change the AAA-related traffic will go from the management port toward the AAA server or not, but I will test it and I'll inform you of the result.

BR,

Normally, if the service port is not on the same subnet as the AAA server, all traffic will be forwarded through the management interface, except if a route has been set up on the WLC to reach the AAA server from the service port.

Please let me know.

Thanks 

PS: Please don't forget to rate and mark as correct answer if this solved your issue 


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

We've done it and you are right, but the only thing that should be noted is that the AAA request is sent to the AAA server by whichever interface is assigned to the WLAN.

You know, we've created a new interface VLAN with an IP address aside from the management IP address and assigned it to our WLAN; then at the AAA server all the received AAA requests come from this IP address as NAS-IP.

What do you think?

BR,

Is the new interface you've created the new management interface you were talking about?


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

No, it's an interface that had been created before and assigned to the WLAN.

Because the service-port was up, all the AAA requests were sent from the service-port IP address, but after disabling the service-port the AAA requests by default were not sent from the management interface but from the mentioned interface that had been assigned to this WLAN.

Can you share a screenshot of the WLAN config: WLAN -> Security -> AAA Servers?

Thanks


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

You can find it in the attachment.

By the way, the IP address of the new interface is 192.168.210.55 and I needed to add this IP address as the authenticator in the AAA server.

Do you have any idea? I would very much appreciate it if you shared it with me.

"Radius overwrite interface" is not checked, and normally it has to show up on your RADIUS server with its management interface.

Could you share a screenshot of the RADIUS page on the Security tab, please?

Could you also give a screenshot of the interface page?

I can't explain right now why you get the WLAN interface showing up in the AAA server.

Thanks


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

You can find the attachment for both pages you request for.
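
The source-address rules stated across this thread, modelled as an added example (not part of any post and not Cisco's code) so you can check which addresses the AAA server must have registered as RADIUS clients. The precedence order, the interface names, and every address except 192.168.210.55 and 192.168.1.0/24 are assumptions constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Iface:
    name: str
    cidr: str   # address/prefix, e.g. "192.168.210.55/24"
    kind: str   # "service-port", "management" or "dynamic"

    @property
    def ip(self) -> str:
        return str(ipaddress.ip_interface(self.cidr).ip)

    def on_link(self, host: str) -> bool:
        net = ipaddress.ip_interface(self.cidr).network
        return ipaddress.ip_address(host) in net

def expected_source(ifaces, aaa_ip, wlan_iface=None, overwrite=False):
    """Return (source_ip, reason) per the rules described in the thread."""
    # Observed by the poster: a service port in the AAA subnet carries AAA traffic.
    for i in ifaces:
        if i.kind == "service-port" and i.on_link(aaa_ip):
            return i.ip, "service-port shares the AAA subnet"
    # Per-WLAN "RADIUS server overwrite interface" selects the WLAN's interface.
    if overwrite and wlan_iface:
        for i in ifaces:
            if i.name == wlan_iface:
                return i.ip, "overwrite interface enabled on WLAN"
    # A dynamic interface on the AAA server's subnet replaces management.
    for i in ifaces:
        if i.kind == "dynamic" and i.on_link(aaa_ip):
            return i.ip, "dynamic interface shares the AAA subnet"
    mgmt = next(i for i in ifaces if i.kind == "management")
    return mgmt.ip, "default: management interface"

def missing_clients(registered, ifaces, aaa_ip, wlans):
    """Source IPs the AAA server would see but has no client entry for."""
    seen = {expected_source(ifaces, aaa_ip, w, o)[0] for w, o in wlans}
    return sorted(seen - set(registered))

# Constructed sample: only 192.168.210.55 and 192.168.1.0/24 come from the thread.
IFACES = [
    Iface("service-port", "192.168.1.2/24", "service-port"),
    Iface("management", "10.10.10.5/24", "management"),
    Iface("wlan-users", "192.168.210.55/24", "dynamic"),
]
AAA = "192.168.210.10"  # hypothetical AAA server address

if __name__ == "__main__":
    print(expected_source(IFACES, AAA, "wlan-users"))
    print(missing_clients({"10.10.10.5"}, IFACES, AAA, [("wlan-users", False)]))
```

An address returned by `missing_clients` is one the AAA server would see requests from without a matching client entry, which is the situation the original poster hit with 192.168.210.55.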
