Wired Guest Access with Radius authentication and anchor controller

 

 

 

 

schemat.png

 

SWITCH CONFIGURATION

 

  • Add the wired guest VLAN to the network infrastructure (everywhere it is needed, e.g. trunks, access switches, etc.).

 

FOREIGN WLC

  • Create "Guest" interface

wlcF001.png

wlcF002.png

 Note: When you select "Guest LAN", the entire IP section is removed.

wlcF003.png

 

  • Add RADIUS server(s)

wlcF004.png

 

  • Create WLAN for "Wired Guest Access". Please select "Guest LAN" type.

wlcF005.png

wlcF006.png

The "Ingress" interface is the interface where wired guest traffic enters the WLC. The "Egress" interface can be any dynamic interface.

Note: The EoIP tunnel always uses the management interface.

Cisco recommends not using the management interface for WLANs.

wlcF007.png

wlcF008.png

 L3 security can be "Web authentication", "Open" or "Pass-through".

wlcF009.png

 Select the RADIUS server for wired guest authentication. Note that in this scenario the "ANCHOR" WLC authenticates users, not the LOCAL one.

wlcF010.png

wlcF011.png

  • Add the anchor WLC to the mobility group. The controllers should not be in the same mobility group.

wlcF013.png

wlcF012.png

Note: In the picture the tunnel is already "UP"; in your case it will be down until the anchor controller is configured.

 

  • Add anchor controller to EoIP tunnel

wlcF014.png

wlcF015.png

 

 

ANCHOR CONTROLLER

 

  • Create a dynamic interface. This interface is used for normal traffic and also for obtaining IP addresses.

wlcA001.png

wlcA002.png

 

  • Add RADIUS server(s)

wlcF004.png

 

  • Create the Guest WLAN with exactly the same name as on the FOREIGN WLC. Remember that the type must also be "Guest LAN". The entire configuration must be the same as on the FOREIGN controller.

wlcF005.png

wlcA003.png

The "Ingress" interface is "None" because all traffic arrives through the EoIP tunnel. The "Egress" interface is any dynamic interface (it can also be management, which is not recommended) that wired guest users use to reach remote networks, e.g. the Internet.

wlcF007.png

wlcF008.png

wlcF009.png

wlcF010.png

wlcF011.png

 

  • Add foreign controller to mobility group

wlcA004.png

wlcA005.png

 

  • Create EoIP tunnel pointing to foreign controller.

wlcA006.png
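
The rules from the two controller sections above can be checked mechanically. The following is an added example, not part of the original page: the dictionary layout, interface names, group names and addresses are constructed assumptions (not a WLC export format), and the function audits a foreign/anchor pair for the mismatches the walkthrough warns about.

```python
# Added example: the dictionary layout is an assumption for illustration,
# not a format produced by the WLC.

def audit_wired_guest(foreign, anchor):
    """Return findings for a foreign/anchor pair; an empty list means consistent."""
    out = []
    f, a = foreign["guest_lan"], anchor["guest_lan"]
    for side, lan in (("foreign", f), ("anchor", a)):
        if lan["type"] != "Guest LAN":
            out.append(f"{side}: WLAN type must be 'Guest LAN'")
        if lan["egress"] == "management":
            out.append(f"{side}: egress uses management interface (not recommended)")
    # The guest WLAN must be configured identically on both controllers.
    for key in ("profile_name", "l3_security", "radius_servers"):
        if f[key] != a[key]:
            out.append(f"{key} differs: foreign={f[key]!r} anchor={a[key]!r}")
    # Ingress is the one intended difference: wired interface on the foreign
    # WLC, "None" on the anchor because traffic arrives through the EoIP tunnel.
    if f["ingress"] is None:
        out.append("foreign: ingress must be the wired guest interface")
    if a["ingress"] is not None:
        out.append("anchor: ingress must be None")
    # Mobility: different groups, each controller listed on the other one,
    # and the foreign guest LAN anchored to the anchor controller.
    if foreign["mobility_group"] == anchor["mobility_group"]:
        out.append("controllers share a mobility group")
    if anchor["mgmt_ip"] not in foreign["mobility_members"]:
        out.append("foreign: anchor missing from mobility list")
    if foreign["mgmt_ip"] not in anchor["mobility_members"]:
        out.append("anchor: foreign missing from mobility list")
    if anchor["mgmt_ip"] not in f["mobility_anchors"]:
        out.append("foreign: guest LAN not anchored to anchor controller")
    return out

# Constructed sample values (documentation address range 192.0.2.0/24).
_LAN = {"type": "Guest LAN", "profile_name": "wired-guest",
        "l3_security": "Web authentication", "radius_servers": ["192.0.2.50"]}
FOREIGN = {"mgmt_ip": "192.0.2.10", "mobility_group": "FOREIGN-MG",
           "mobility_members": ["192.0.2.20"],
           "guest_lan": {**_LAN, "ingress": "guest-wired", "egress": "guest-egress",
                         "mobility_anchors": ["192.0.2.20"]}}
ANCHOR = {"mgmt_ip": "192.0.2.20", "mobility_group": "ANCHOR-MG",
          "mobility_members": ["192.0.2.10"],
          "guest_lan": {**_LAN, "ingress": None, "egress": "guest-dmz"}}

if __name__ == "__main__":
    for finding in audit_wired_guest(FOREIGN, ANCHOR) or ["no findings"]:
        print(finding)
```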

 

WIRED GUEST CLIENT TEST

  • Connect the wired client to a switch port with the appropriate VLAN (601) assigned.
  • Open a browser
  • Verify client status on controller before authentication

 

 - local WLC

wlcF018.png

wlcF016.png

 Note: The Policy Manager State on the local controller should be "RUN" because the anchor controller authenticates the user. The Mobility Role is "Export Foreign".

 

 - anchor WLC

wlcA009.png

wlcA007.png

Note: On the anchor controller we can see the IP address of the guest device, and the VLAN and interface used by this user.

The "Policy Manager State" is "WEBAUTH_REQD" (on the local controller it is "RUN") and the Mobility Role is "Export Anchor".

 - PC

ipconfig.png

 

  • On the guest user's PC, enter the username and password and click Submit to authenticate against the RADIUS server.

welcome.png

After successful authentication, wired guest access works properly.

 

 VERIFICATION

  • Verify the wired guest client on the local and anchor controllers after authentication

 - local WLC

wlcF017.png

 

 - anchor WLC

wlcA008.png

 Note: The Policy Manager State has now changed to "RUN", and we can also see the username of the authenticated guest.

  • Verify user authentication on the RADIUS server

ise001.png

 

ise002.png

ise003.png

 

dzbanek 2017-02-11

 

 
