AAA override and 802.1X for BYOD network

tsakoulias
Level 1

Hi all,

I have a question regarding AAA override when using 802.1X and anchor WLCs.

We have a BYOD network where our Campus WLCs are using a WLAN with 802.1X for AKM and no L3 security. Following successful authentication, traffic is tunneled to the DMZ WLC where the client device obtains an IP address. No L2 or L3 security is configured on the anchor. The AAA servers are configured to send VLAN RADIUS return attributes and we can see they are sent in the Access-Accept responses.

When we have AAA override enabled on the DMZ WLC and disabled on the Campus WLC the client obtains an IP from the interface configured on the WLAN and does not use the RADIUS returned attributes. As noted above, we can see them on the Access-Accept messages from the RADIUS server.

After some testing, we enabled AAA override on the Campus DMZ too and we can finally receive the VLAN return attributes and override the default WLAN interface.

Out of curiosity we disabled AAA override in the DMZ and kept it enabled on the Campus side. The client device was not able to get tunneled to the DMZ because the mobility "handshake" failed between the two WLCs. Why did the handshake fail on this test and not on the first one where again there was a mismatch on the WLAN settings?

What is the correct setting when configuring 802.1X with AAA override? Does the feature have to be enabled on both sides?

Can you please provide a link to any document that provides more details on the above (if available), as I was not able to find anything similar.

Kind Regards,

Theo

Accepted Solution

Scott Fella
Hall of Fame

Theo,

It's best to set up the WLANs the same for both the foreign and the anchor, except of course the interface name defined in the WLAN, which can differ. Now you have to understand AAA override. You can only change a user's VLAN prior to the device getting an IP address. So using Layer 2 encryption would work, but with Layer 3, like webauth, you wouldn't get that to work.

-Scott
*** Please rate helpful posts ***
