Cisco 2504, internal wlan set to vlan 1 will not authenticate to Radius Server

I am getting ready to deploy a Cisco 2504 WLC

I have three wlan interfaces set up on the WLC

management - vlan 50 on port 1

internal - vlan 1 uses radius to authenticate users on port 3

guest - vlan 20 - open with web-auth on port 2

The internal network uses a radius server to authenticate.

When the internal wlan interface is set to vlan 1, it does not communicate with the Radius server. However, if I set the internal wlan interface to vlan 10, everything works. I have checked the logs of the radius server: when it is set to vlan 1, it doesn't even attempt to communicate with it.

If I set the internal interface on vlan1 not to authenticate to the radius server then it will work.

on the switch

interface FastEthernet0/10
 description Connected to the WLC on Port 3
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,20,50
 switchport mode trunk

on the router

interface FastEthernet0/0.1
 encapsulation dot1Q 1 native
 ip address x.x.x.x x.x.x.x

interface FastEthernet0/0.2
 description wlan wireless guest network
 encapsulation dot1Q 20
 ip address x.x.x.x x.x.x.x

interface FastEthernet0/0.3
 description management wlan wlc
 encapsulation dot1Q 50
 ip address x.x.x.x x.x.x.x

Any idea why vlan1 will not work correctly?

Re: Cisco 2504, internal wlan set to vlan 1 will not authenticate to Radius Server

If you have the VLAN set to 1 for the interface inside, it will send all the traffic tagged with VLAN 1. On the switch, you have not specified the switchport trunk native VLAN, so by default the native is 1. When a dot1q trunk receives traffic tagged with its own native VLAN, it will drop the packet.

So you can either change the interface inside to be VLAN 0 (untagged), or, even better, set the switchport trunk native VLAN on f0/10 to be an invalid VLAN. That way, if any traffic happens to hit it without a tag, it will get dropped into the bit bucket.

Further, you should not place any server the clients or WLC need to speak with in a subnet the WLC has a dynamic interface for. The WLC should be sending all of its requests via the management interface, but if the server is in a dynamic interface's range, it will send to the closer match.

HTH,

Steve
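As an added example (not part of Steve's reply or of the original poster's configuration), here is the switch-side fix his second suggestion describes, applied to the trunk port from the question. The native VLAN is moved off VLAN 1 onto an otherwise unused VLAN, so frames the WLC tags with VLAN 1 are handled as tagged VLAN 1 traffic instead of colliding with the native VLAN, and untagged frames land in a VLAN that is not carried on the trunk. The VLAN number 999 and its name are assumptions chosen for this example; the port, description and allowed VLAN list come from the question. The WLC-side alternative (VLAN 0, untagged) is shown as a comment using the AireOS CLI, with the interface name "internal" taken from the question.

```cisco
! Added example: switch side of the fix from the reply above (not the poster's config).
! VLAN 999 is an assumed, otherwise unused VLAN picked for this example.
vlan 999
 name UNUSED-NATIVE
!
interface FastEthernet0/10
 description Connected to the WLC on Port 3
 switchport trunk encapsulation dot1q
 ! Native VLAN moved away from VLAN 1, so frames tagged VLAN 1 by the WLC
 ! are accepted as tagged VLAN 1 traffic rather than as native-VLAN traffic.
 switchport trunk native vlan 999
 ! Only the three WLC VLANs are carried. 999 is deliberately left out, so
 ! anything that arrives untagged has nowhere to go and is dropped.
 switchport trunk allowed vlan 1,20,50
 switchport mode trunk
!
! Verification: the native VLAN column should now read 999 and the allowed
! list 1,20,50.
!   show interfaces FastEthernet0/10 trunk
!
! Alternative on the controller instead of the switch (AireOS CLI, assumed
! interface name "internal" from the question): make the interface untagged,
! i.e. VLAN 0, so its traffic rides the trunk's native VLAN.
!   config interface vlan internal 0
```

Pick one side or the other, not both: if the WLC interface is set to VLAN 0 while the switch native VLAN is 999, the internal traffic ends up in VLAN 999 and goes nowhere. Whichever is chosen, the reply's last point still applies: keep the RADIUS server out of the subnets that the dynamic interfaces serve, so the controller sources its RADIUS requests from the management interface.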
