sources RADIUS traffic from the IP address of its management interface unless
the configured RADIUS server exists on a VLAN accessible via one of the
Dynamic interfaces. If a RADIUS server is reachable via a
Dynamic interface, RADIUS requests to this specific RADIUS server will be
sourced from the controller via the corresponding Dynamic interface.
By default, RADIUS packets sourced from the
will set the NAS-IP-Address attribute to that of the management interface's IP
Address, regardless of the packet's source IP Address (Management or Dynamic,
depending on topology).
When you enable per-WLAN RADIUS source support (Radius Server
Overwrite interface) the NAS-IP-Address attribute is overwritten by the
to reflect the sourced interface. Also, RADIUS attributes are modified
accordingly to match the identity. This feature virtualizes the
on the per-WLAN RADIUS traffic, where each WLAN can have a separate layer 3
identity. This feature is useful in deployments that integrate with ACS Network
Access Restrictions and Network Access Profiles.
To filter WLANs, use the callStationID that is set by RFC 3580 to be
in the APMAC:SSID format. You can also extend the filtering on the
authentication server to be on a per-WLAN source interface by using the
You can combine per-WLAN RADIUS source support with the normal RADIUS
traffic source and some WLANs that use the management interface and others
using the per-WLAN dynamic interface as the address source.