retrieve username bound to IP from WLC

Hi,

We have a WLC 4404 with version 7.0.220.0 of the firmware/software.

We use it to control the wireless network on our campus. We basically have 2 WLANs defined: one authenticated (using Radius [AAA]) and one not authenticated, which is only turned on when needed (when we host some event).

At the moment both these WLANs use the same address space; we will hopefully split it soon, since that is better from a security point of view.

I would like to create an 'externalacl' for our squid proxy (script/program) that, when handed an IP address, can go to the WLC and find out what username was used to authenticate.

Does the WLC provide any interface to this information?

We also have an NCS, so if it provides the interface that is also fine....

The other option I see is getting the information from the Radius server that the WLC uses. The only problem with that is that the WLC does not send Logout messages to the radius server (or the radius server doesn't interpret them properly/something wasn't set up correctly).

This would result in a user on the unauthenticated WLAN who got the same IP as an authenticated user got earlier being treated like the authenticated user by squid (since radius still has an entry saying Login on IP by user).

Thanks for the help.


Re: retrieve username bound to IP from WLC

There is no integration without having to look for yourself, per se.

Why not exclude the upper addresses on the DHCP scope you currently use? Then on the guest SSID you can use the internal DHCP on the WLC. You just need to use DHCP override and use the management IP address of the WLC. This way you can create an externalACL since you know what the IP address range will be. Make sense?

Sent from Cisco Technical Support iPhone App

Thanks, Scott *****Help out others by using the rating system and marking answered questions as "Answered"*****
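
An added example, not code from either poster: a minimal Squid external ACL helper that combines the two ideas in this thread, refusing any address in the guest DHCP range and ignoring login records that are too old to trust when no logout is ever recorded. It assumes Squid passes the client IP (`%SRC`) as the first field of each request line without helper concurrency; the guest range, the age limit and the session table are constructed placeholders.

```python
#!/usr/bin/env python3
import ipaddress
import sys
import time

# Constructed value: guest WLAN leases come from the upper part of the scope.
GUEST_NET = ipaddress.ip_network("10.20.128.0/17")
# Assumption: with no logout records available, ignore logins older than this.
MAX_AGE_SECONDS = 8 * 3600

# Constructed sample table: client IP -> (username, login time in epoch seconds).
# A real helper would fill this from the RADIUS server's accounting data.
SAMPLE_SESSIONS = {
    "10.20.1.5": ("alice", 1_700_000_000),
    "10.20.1.6": ("bob", 1_700_000_000 - 9 * 3600),
}


def decide(line, sessions, now):
    """Return the reply Squid expects for one request line holding a client IP."""
    fields = line.split()
    if not fields:
        return "ERR"
    try:
        ip = ipaddress.ip_address(fields[0])
    except ValueError:
        return "ERR"
    # The guest range is unauthenticated: never attach a username, even if a
    # stale login record for this address still exists.
    if ip in GUEST_NET:
        return "ERR"
    entry = sessions.get(str(ip))
    if entry is None:
        return "ERR"
    user, started = entry
    # Reject stale records and usernames that would break the reply line.
    if now - started > MAX_AGE_SECONDS or not user or any(c.isspace() for c in user):
        return "ERR"
    return "OK user=" + user


if __name__ == "__main__":
    # Squid writes one request per line and reads one reply per line.
    for request in sys.stdin:
        print(decide(request, SAMPLE_SESSIONS, time.time()), flush=True)
```

The age limit only bounds how long a missing logout can matter inside the authenticated range; the separate guest range is what keeps an unauthenticated client from inheriting an earlier user's identity.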