Default-gateways for dynamic interfaces on 2504 controller

Sandeep Verma
Level 1

Hi,

I am setting up a Wi-Fi FlexConnect solution and am a bit confused regarding what the default gateway should be for the dynamic interfaces which will be created.

Will it be the same as the one for the management interface, or will it be the one for the clients?

controller ip  172.16.1.100/24

default-gateway  172.16.1.254

vlan 10

dynamic interface 192.168.1.10/24

default-gateway    ?????

vif for this vlan on switch 192.168.1.254

default-gateway for clients  192.168.1.254

Kindly suggest.

Thanks


Yes, in FlexConnect local switching mode, you do not require a dynamic interface on your WLC (as traffic will never hit there).

As long as you configure the branch L3 switch with the required SVI & your FlexConnect AP with the correct VLAN mapping, that's it.

When creating the WLAN, since it requires an interface to map to, you can either create a dummy dynamic interface (which is not routable in your network) or simply assign the management interface.

NB: If you have a mix of Local mode & FlexConnect mode APs on this controller using the same WLAN, then you need to have a dynamic interface for the local mode AP users to get an IP from. In this scenario, FlexConnect APs still go for the branch VLAN mapping rather than using the WLC dynamic interface (because of FlexConnect local switching).

HTH

Rasika

**** Pls rate all useful responses ****

Sandeep Verma
Level 1

Thanks a lot for sharing this information.

Hi Rasika,

Can you help me with some reference on how to configure 802.1x for wireless users using Cisco ACS 5.4?

Here are some videos

http://www.labminutes.com/blog/2013/10/cisco-acs-54-video-guide-installation-configuration-and-deployment



Sent from Cisco Technical Support iPhone App

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

Thanks George,

Gone through the videos, the guy's very fast.

Bouncer for a beginner.

Hi Sandeep,

Here is some work I did when I studied for my CCIEW lab exam. It is based on ACS 5.2 & should not have much difference to 5.4 & may be helpful to you to get this started.

http://mrncciew.com/2013/03/03/peap-eap-fast-with-acs-5-2/

Then try to absorb the things provided by George's link, as it has a great pool of resources.

HTH

Rasika

*** Pls rate all useful responses ****

Thanks a ton, man.

Thanks a lot.

Hi,

I have configured 802.1x as the authentication method; however, clients are not authenticated.
The error message in the logs is:

16:27:36 2014

RADIUS server x.x.x.x:1812 failed to respond to request  (ID 200) for client xx:xx:xx:xx:xx:xx / user

On the ACS side, the logs show the need to install a certificate on WLC.

Any suggestions?

Yes, if you haven't installed certs on ACS, you have to do that first.

Here is all you need for this (explained well by Jerome on his YouTube videos). Go through these many times until you understand & get it done (that's what I did when I learned those).

http://wirelessccie.blogspot.com.au/2009/10/eap-tls-and-peap-configurations.html

HTH

Rasika

**** Pls rate all useful responses ***

Certificates are installed on the ACS, but not on the WLC. Is it necessary to get them installed on WLC and then LWAPs?

Hi Sandeep,

No, you are not required to install certificates on WLC & LWAPs.

If you are doing PEAP, certs need to be installed on ACS (Authentication Server).

If you are doing EAP-TLS, then you need to install certs on the client as well (Supplicant).

In certain cases, if you use the WLC as the authentication server (e.g. local EAP-TLS on WLC), then you need to install a cert on the WLC, as it acts as the Authentication Server.

So if you have installed certs on ACS correctly that should be enough. Make sure on client side you choose PEAP & use correct credentials. You can go to “Monitoring & Reports > Launch Monitoring & Report Viewer > Catalog > AAA Protocol” of ACS & get exact reason for client authentication failure.

HTH

Rasika

**** Pls rate all useful responses ****

Hi Rasika,

Thanks again....

Hi,

The RADIUS Servers Statistics show a lot of timeout requests.

Does this have something to do with not authenticating? The error in the logs is "RADIUS server failed to respond to request".

Sandeep,

Did you take a look to make sure that the clients are set up properly like Rasika mentioned? The WLC doesn't care what type of EAP the client is using, only the RADIUS server will care about that. If your users or devices are authenticating, then the setup on the WLC is fine. If you're seeing logs, then you need to take a close look at the logs, accept and failure, to see why you're receiving the logs you are seeing.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***
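
As an added illustration (not part of any post in this thread, and not Cisco code): a small Python script that tallies the "failed to respond to request" messages quoted earlier per RADIUS server and per client MAC, so it is visible whether the timeouts hit one client or every client using a server. The sample lines, their timestamp prefix, addresses, MACs and user names are constructed; only the message wording comes from the thread.

```python
import re
from collections import defaultdict

# Message shape quoted in the thread; whatever precedes it on the line is ignored.
TIMEOUT_RE = re.compile(
    r"RADIUS server (?P<server>\S+?):(?P<port>\d+) failed to respond to request\s+"
    r"\(ID (?P<req_id>\d+)\) for client (?P<mac>[0-9A-Fa-f:]{17})"
)

# Constructed sample log (documentation addresses, made-up MACs and users).
SAMPLE_LOG = """\
Fri Jan 10 16:27:36 2014 RADIUS server 192.0.2.10:1812 failed to respond to request  (ID 200) for client 00:11:22:33:44:55 / user 'alice'
Fri Jan 10 16:27:41 2014 RADIUS server 192.0.2.10:1812 failed to respond to request  (ID 201) for client 00:11:22:33:44:66 / user 'bob'
Fri Jan 10 16:27:50 2014 unrelated line that must be skipped (constructed)
Fri Jan 10 16:28:02 2014 RADIUS server 192.0.2.10:1812 failed to respond to request  (ID 202) for client 00:11:22:33:44:55 / user 'alice'
Fri Jan 10 16:28:09 2014 RADIUS server 192.0.2.20:1812 failed to respond to request  (ID 17) for client 00:11:22:33:44:55 / user 'alice'
"""


def summarize_timeouts(log_text):
    """Return {"server:port": {"timeouts": n, "clients": {mac: n}}}."""
    summary = defaultdict(lambda: {"timeouts": 0, "clients": defaultdict(int)})
    for line in log_text.splitlines():
        m = TIMEOUT_RE.search(line)
        if not m:
            continue  # not a RADIUS timeout message
        entry = summary[f"{m['server']}:{m['port']}"]
        entry["timeouts"] += 1
        entry["clients"][m["mac"].lower()] += 1
    return {
        server: {"timeouts": v["timeouts"], "clients": dict(v["clients"])}
        for server, v in summary.items()
    }


def widespread(summary, min_clients=2):
    """Servers whose timeouts span at least min_clients distinct client MACs."""
    return sorted(s for s, v in summary.items() if len(v["clients"]) >= min_clients)


if __name__ == "__main__":
    result = summarize_timeouts(SAMPLE_LOG)
    for server, data in sorted(result.items()):
        print(server, data["timeouts"], "timeouts,", len(data["clients"]), "clients")
    print("timeouts across several clients:", widespread(result))
```

A server listed by `widespread` is timing out for several clients at once, which points the investigation at the server or the path to it rather than at a single supplicant.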

Hi Scott,

I want to run EAP-TLS on WLC and hence am now installing a certificate using OpenSSL. Logs on ACS show the certificate errors.

Will give it a try again once I am done.

Thanks.
