I have guest wireless set up with web auth and tied to RADIUS using an anchor controller. When I enter my AD credentials on the web auth page, the anchor controller contacts the ACS for RADIUS authentication properly.
When I add a second WLAN using WPA2-Enterprise (802.1x) for byoc ("bring your own computer" - like iPhones, employee personal computers, etc.) and tie it to the anchor controller, the RADIUS authentication incorrectly sources from the internal foreign controller and not the anchor controller. This makes it hit the incorrect rules in ACS, since I have it set up so that if the request comes from the foreign controller (for the corporate WPA2-Enterprise) then I check against machine name (domain computers), and if it comes from the anchor controller I test against username (domain users). This makes it so that it only works when you set the client to use machine authentication, which won't work for non-domain computers (and of course none of the byoc devices are joined to the domain).
I have a TAC case open, but so far we haven't figured out why the RADIUS request sources from the foreign controller and not the anchor controller like it should. I'm running 126.96.36.199. Is this a bug in that version? Is there a setting that can be changed on the foreign controller to force the anchor to do the authentication request?
I've tried deleting both WLANs, rebooting both controllers, recreating only the byoc WLAN on a previously unused index number...same result. The guest web auth one sources from the anchor and the 802.1x one sources from the foreign controller.
So, TAC has come back and confirmed that the 802.1x authentication indeed comes from the foreign controller and not the anchor. What is a unique thing I can test against in ACS then? If both conversations come from the same controller IPs and are both RADIUS (both are WPA2-Enterprise - 802.1x), what is unique between the one I want to use machine authentication and the one I want to use user authentication? I don't see how I'm going to differentiate the two.
I know that this is an old post, but I have a similar issue where a client wants to be able to anchor several SSIDs between several different sites belonging to disparate networks, and so be able to authenticate users against their home RADIUS/anchor controller as if they were actually at their home site when physically located at the remote site.
I was under the impression that this would work as it isn't documented in any Cisco documentation, that is until I discovered this support posting....
Therefore, I was wondering if this had now changed in later code versions and/or what alternatives can be configured to allow this design scenario to work - maybe something clever with ACS rules or attributes?