Cisco Support Community
TACACS and RADIUS using service port address on 5508 WLC.

I have discovered that the 5508 that I recently installed is using the service port address when it sends TACACS and RADIUS requests to the ACS server.  I have also noticed that I can only telnet or web into the controller through the service port address.  I can telnet (and presumably web) into the controller through the management interface if I connect from a device within the same subnet as the management interface.

Under normal circumstances, this is not a problem, but it eliminates the benefit of dual homing the controller.  I can configure the management interface with a backup port connected to a separate switch, but there is only one physical port for the service port.  I have tested this.  When the service port is down, I cannot authenticate clients.

A few notes:

The controller is running 6.0.188.0.

I don't have this with WISM and 4400 controllers running the same code level.

I can ping the management interface from outside the subnet. (not a routing issue)


Re: TACACS and RADIUS using service port address on 5508 WLC.

I'd be willing to bet that your ACS is on the same subnet as the WLC.

This is important to take into account when you configure firewall policies or design the network topology. It is important to avoid configuring a dynamic interface in the same sub network as a server that has to be reachable by the controller CPU, for example a RADIUS server, as it might cause asymmetric routing issues.

(WLC Best Practices)

Service port is for out-of-band management, and does not route, i.e. no configured gateway; if it's not on that subnet, it's not getting there.  Ideally, all network resources should be reachable via the distribution ports, 1-8, on the front, i.e. the management interface.

HTH, Steve
------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered

Re: TACACS and RADIUS using service port address on 5508 WLC.

Actually, the ACS and DHCP servers are at a different facility.  There are no servers, used by this controller, in any of the subnets used by the controller. 

I think I have found the answer.  The missing piece that I failed to mention before is that I had a static route to the gateway on the service port subnet.  This was added as part of the initial config of the controller and was necessary for remote admin when I was bringing it up.  I thought I had tried removing this static route and that it caused other problems, but I just tried again and it resolved the problem.  I can telnet and web to the mgmt interface.  And TACACS and RADIUS requests come from the mgmt interface now.
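The behaviour described in this reply (a service-port static route capturing AAA traffic, so RADIUS/TACACS requests leave with the service-port address) can be audited before it bites. The following is an added example, not code from the thread or from Cisco: it models the controller's egress choice with a small longest-prefix-match check and flags any service-port static route that covers an AAA server. All addresses and prefixes are constructed.

```python
# Added example: audit which WLC interface would source AAA traffic.
# Model (assumption, simplified from WLC behaviour): on-link destinations use
# the connected interface; otherwise the most specific service-port static
# route wins; otherwise traffic uses the management interface and its gateway.
import ipaddress
from typing import List, Tuple

# Constructed topology: management 10.1.1.5/24, service port 192.168.100.5/24,
# ACS/RADIUS server 10.50.0.10 at a remote facility.
IFACES = [
    ("management", ipaddress.ip_interface("10.1.1.5/24")),
    ("service-port", ipaddress.ip_interface("192.168.100.5/24")),
]
AAA_SERVERS = ["10.50.0.10"]
# Service-port static routes, as "config route add" would create them.
BEFORE = [("10.0.0.0/8", "192.168.100.1")]   # added for remote admin
AFTER: List[Tuple[str, str]] = []              # route removed


def egress_for(dest: str, interfaces, static_routes) -> Tuple[str, str]:
    """Return (interface name, source address) the controller would use."""
    ip = ipaddress.ip_address(dest)
    for name, addr in interfaces:            # 1. directly connected
        if ip in addr.network:
            return name, str(addr.ip)
    best = None                              # 2. longest-prefix static route
    for prefix, _gw in static_routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best.prefixlen):
            best = net
    if best is not None:
        sp = next(a for n, a in interfaces if n == "service-port")
        return "service-port", str(sp.ip)
    mgmt = next(a for n, a in interfaces if n == "management")
    return "management", str(mgmt.ip)        # 3. management default gateway


def offending_routes(aaa_servers, static_routes) -> List[str]:
    """Service-port static routes that capture any AAA server address."""
    hits = []
    for prefix, _gw in static_routes:
        net = ipaddress.ip_network(prefix)
        if any(ipaddress.ip_address(s) in net for s in aaa_servers):
            hits.append(prefix)
    return hits


if __name__ == "__main__":
    for label, routes in (("before", BEFORE), ("after", AFTER)):
        print(label, egress_for(AAA_SERVERS[0], IFACES, routes),
              "offending:", offending_routes(AAA_SERVERS, routes))
```

Any prefix reported by offending_routes is a service-port route that will also pull AAA (and management-plane) traffic onto the single, non-redundant service port.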

Re: TACACS and RADIUS using service port address on 5508 WLC.

That makes sense.  The network routes are designed to force traffic out the service port.

HTH, Steve
------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered