cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1317
Views
4
Helpful
11
Replies

Does WLC support radius servers on multiple subnets?

bwillougbhy
Level 1
Level 1

I have been trying to set up a radius server on a WLC controller. If the radius server's IP address is on the same subnet as the management (non-vlan) interface then radius works fine. I created a new VLAN interface in the controller on a 10.0.203.0 subnet. I added a radius server on the 10.0.203.0 subnet and authentication fails. The request never makes it to the radius server. Basically I am just trying to have one SSID connect to one radius server on subnet A and a second SSID connect to a different SSID on subnet B, can this be done? If so are there any tricks? I can ping the radius servers ip from the controller. If I turn 802.1x off then I can connect just fine. All settings on the Cleint and Radius servers are correct.

Thanks for any help in advance

11 Replies 11

ankbhasi
Cisco Employee
Cisco Employee

Hi Friend,

You can have multiple radius servers configured on controller and you can select which radius server to authenticate per WLAN wise.

But I believe there is no requirement of that and you can have one radius server configured on controller.

Create multiple WLAN and map it to different interface configurd on cotroller where the interfaces will be mapped to different vlans.

Only thing you need to take care of is to have routing done on your infrastructure network between all your interface configured on controller and the subnet on which your radius server exist.

Also make sure the switchport on which controller is connected is configured as trunk.

If something is not clear please comeback with your doubt and if possible attach your running config from controller and port config of switchport on which controller is connected.

HTH

Ankur

*Pls rate all helpfull post

Thank you Ankur for your reply. From what you have said I believe all of my settings in the WLC controller are correct. I believe the problem is in the switch infrastructure. Please see attached diagram of what I am trying to do. I do not have the WLC connected to a vlan aware switch. I am trying to use a standard 1GB switch to connect the controller. I then have a small cisco 871 router connected to the switch in which I am trying to separate each SSID / Vlan into the proper place. Since there are no VLAN switches on the network can't I just use the router as a switch? From my understanding when a wireless client connects they are then assigned to a vlan by the controller then that vlan is then dumped back to the switch. Cant I just "pick up" the vlan using the 871 router and route it to the proper network? Sorry all of this VLAN stuff is new to me.

Thanks in advance...

Hi Friend,

I believe it should pick up VLAN from your 871 router though I have never worked on this router can you confirm if you do "sh vlan" on your router what does it display.

Also I see that the gateway configured on your controller for management and vlan 4 interface is different from the ip address which interface vlan 3 and 4 have on them on your router. Isn't this router also working as a gateway for your controller interfaces?

If yes can you change the gateway address on your controller to same address which you interface vlan 3 and 4 have on router?

Also look at your config I believe your non vlan switch is connected to interface fast ether 3 on your router? Can you give this command under your fastethernet 3

"no switchport access vlan 4"

"switchport trunk encapsulation dot1q"

Will wait for your updates!!

Regards,

Ankur

Thank you so much for your help. I am a one man show where I work and have no where to turn to but people willing to help like you.

I ran "sh vlans" (instead of sh vlan) on the router and "No Virtual LANs configured" was returned???

I changed both gateway addresses to point to the 871 router vlan intervace IP addresses. I ran "no switchport access vlan4" and "switchport trunk encapsulation dot1q".

I once again tried to connect and a request was never recieved in the event log of the IAS radius server. When I change security to WPA only I connect just fine using the same route with no other changes. When I use the same IAS server and client settings on the non-tagged mgmt interface it works fine using WPA and 802.1x. I can ping through the router just fine from IAS server to WLAN Controller.

Hi Friend,

I will like to confirm something from you may be I am missing something.

When you say you remove 802.1x and just have just WPA configured your clients get connected, so does your client also get an ip address from vlan 4 and once your client gets an ip address from vlan 4 can you ping your radius server?

Regards,

Ankur

Yes, My clients do recieve an IP address from another server in the same subnet as the radius server on VLAN 4. My WLC controller can ping the radius server and my radius server can ping the WLC anytime going through the router (802.1x or not). Once my client has an IP address using just WPA the client can then ping the radius server also.

Hi Friend,

Sorry for delay in response as I was busy with work. I am not sure if your issue is been resolved or not?

If not can you please post the complete config for your controller and also "debug aaa event" when you try to connect to dynamic interface with 802.1x enabled?

Ankur

I haven't had any luck yet. If you wouldn't mind taking a look at the attached log files.

Hi Friend,

I see that you NDSD WLAN which is mapped to vlan 4 is requesting the AAA authentication from radius server 10.0.203.3 and your management vlan is mapped to different radius server which works fine for you.

So I am sure there is some problem in radius server settings at radius server 10.0.203.3 and can you try changing the radius server for NDSD WLAN to same what is been configured for your management vlan which is untagged and see of that resolves the issue.

Because the debug shows that request had reached the server but no reply from server so some config issue is with radius server.

Check that and update if it worked.

Ankur

To test the settings on the RADIUS server, I left the IAS Radius server settings untouched. I re-configured the WLAN controller and set the same IP's up as untagged (rather than on a vlan) and authentication works fine using this RADIUS server. When I configure the same interface address to be on VLAN4 it doesn't work. The WLAN controller says that the request is sent, but the IAS server does not log any request being received. I even put ethereal (newtork protocol analyzer) on the RADIUS server and I do not see any requests from the WLAN controller at all when using the VLAN configuration. From this information I believe that the problem is not the RADIUS server. Sorry to bother you so much with this issue. Do you have any ideas? I am seriously stumpped, and don't know where to turn from here.

FYI, I ended up resolving this issue. The issue was the fact that I was using a Standard Switch. I purchased a Layer2 Managed switch and got rid of the firewall and I was able to do everything I needed.

Thanks, for your help

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: