Cisco Wireless LAN Controller Configuration Guide, Release 7.5
Configuring Per-WLAN RADIUS Source Support

Prerequisites for Per-WLAN RADIUS Source Support

  • You must implement appropriate rule filtering on the new identity for the authentication server (RADIUS) because the controller sources traffic only from the selected interface.

Restrictions for Per-WLAN RADIUS Source Support

  • The Called-Station-Id (callStationID) is always in the APMAC:SSID format to comply with RFC 3580 (IEEE 802.1X over RADIUS); this is also the legacy behavior. Web authentication can use the other formats available in the config radius callStationIDType command.
  • If AP groups or AAA override are used, the source interface remains the interface configured on the WLAN, not the interface specified in the AP group or RADIUS profile configuration.

Information About Per-WLAN RADIUS Source Support

By default, the controller sources all RADIUS traffic from the IP address on its management interface, which means that even if a WLAN has specific RADIUS servers configured instead of the global list, the identity used is the management interface IP address.

If you want to filter WLANs, you can use the callStationID that is set by RFC 3580 to be in the APMAC:SSID format. You can also extend the filtering on the authentication server to be on a per-WLAN source interface by using the NAS-IP-Address attribute.

When you enable the per-WLAN RADIUS source support, the controller sources all RADIUS traffic for a particular WLAN by using the dynamic interface that is configured. Also, RADIUS attributes are modified accordingly to match the identity. This feature virtualizes the controller on the per-WLAN RADIUS traffic, where each WLAN can have a separate layer 3 identity. This feature is useful in deployments that integrate with ACS Network Access Restrictions and Network Access Profiles.

You can mix per-WLAN RADIUS source support with the default RADIUS source on the same controller: some WLANs can use the management interface as the address source while others use their own dynamic interface.

Configuring Per-WLAN RADIUS Source Support (CLI)

Step 1   Enter the config wlan disable wlan-id command to disable the WLAN.

Step 2   Enter the following command to enable or disable the per-WLAN RADIUS source support:

         config wlan radius_server overwrite-interface {enable | disable} wlan-id

         Note   When enabled, the controller uses the interface specified on the WLAN configuration as the identity and source for all RADIUS-related traffic on that WLAN.

         When disabled, the controller uses the management interface as the identity in the NAS-IP-Address attribute. If the RADIUS server is on a directly connected dynamic interface, the RADIUS traffic is sourced from that interface; otherwise, the management IP address is used. In all cases, the NAS-IP-Address attribute remains the management interface address unless the feature is enabled.

Step 3   Enter the config wlan enable wlan-id command to enable the WLAN.

         Note   You can filter requests on the RADIUS server side using CiscoSecure ACS. A Network Access Restrictions rule can accept or reject a request depending on the NAS-IP-Address attribute; the filtering to use for this is CLI/DNIS filtering.

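The server-side filtering that the notes above describe, shown as an added example that is not part of the Cisco guide and is not ACS code: a small RFC 2865 attribute parser that pulls NAS-IP-Address (attribute 4) and Called-Station-Id (attribute 30) out of an Access-Request and applies a per-WLAN rule. With overwrite-interface enabled, NAS-IP-Address carries the WLAN's dynamic-interface address, so the policy table can bind each source address to the SSIDs it is allowed to carry. The policy table, addresses and SSIDs are hypothetical, and the packet bytes are constructed inline; the example also assumes the Cisco default of a hyphen-separated AP MAC in Called-Station-Id, so the first colon separates the MAC from the SSID.

```python
"""Per-WLAN RADIUS source filtering on the server side (added example).

Not code from the Cisco guide or from ACS. Policy entries, addresses and
SSIDs are hypothetical; the Access-Request bytes are constructed here.
"""
import ipaddress
import struct

NAS_IP_ADDRESS = 4      # RFC 2865 attribute type: NAS-IP-Address
CALLED_STATION_ID = 30  # RFC 2865 attribute type: Called-Station-Id
ACCESS_REQUEST = 1      # RADIUS code for Access-Request

# Hypothetical policy: the dynamic-interface address each WLAN sources
# RADIUS from (NAS-IP-Address when overwrite-interface is enabled) -> the
# SSIDs that may appear in Called-Station-Id from that address. With the
# feature disabled every WLAN would present the management address, and
# this per-WLAN distinction would not be possible.
POLICY = {
    "10.10.1.5": {"corp"},
    "10.10.2.5": {"guest"},
}


def parse_attributes(packet: bytes) -> dict:
    """Parse the attribute TLVs that follow the 20-byte RADIUS header.

    Returns {attribute_type: [value_bytes, ...]}. Raises ValueError on a
    malformed packet instead of silently reading past the buffer.
    """
    if len(packet) < 20:
        raise ValueError("short RADIUS packet")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    attrs = {}
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(atype, []).append(packet[pos + 2:pos + alen])
        pos += alen
    return attrs


def build_access_request(nas_ip: str, called_station_id: str, ident: int = 1) -> bytes:
    """Construct a minimal Access-Request carrying the two attributes of
    interest. The 16-byte Request Authenticator is zeroed; this example does
    not cover Message-Authenticator checking."""
    body = bytes([NAS_IP_ADDRESS, 6]) + ipaddress.IPv4Address(nas_ip).packed
    csid = called_station_id.encode()
    body += bytes([CALLED_STATION_ID, 2 + len(csid)]) + csid
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + bytes(16) + body


def evaluate(packet: bytes) -> str:
    """Apply POLICY to one Access-Request. Returns "accept" or "reject: <why>"."""
    attrs = parse_attributes(packet)
    if NAS_IP_ADDRESS not in attrs or CALLED_STATION_ID not in attrs:
        return "reject: missing NAS-IP-Address or Called-Station-Id"
    nas_ip = str(ipaddress.IPv4Address(attrs[NAS_IP_ADDRESS][0]))
    csid = attrs[CALLED_STATION_ID][0].decode(errors="replace")
    # Called-Station-Id is APMAC:SSID; with a hyphen-separated MAC the first
    # colon is the separator, and the SSID itself may contain further colons.
    _ap_mac, sep, ssid = csid.partition(":")
    if not sep:
        return f"reject: Called-Station-Id not in APMAC:SSID format: {csid}"
    allowed = POLICY.get(nas_ip)
    if allowed is None:
        return f"reject: unknown NAS-IP-Address {nas_ip}"
    if ssid not in allowed:
        return f"reject: SSID {ssid} not allowed from {nas_ip}"
    return "accept"


if __name__ == "__main__":
    for ip, csid in [("10.10.1.5", "00-11-22-33-44-55:corp"),
                     ("10.10.1.5", "00-11-22-33-44-55:guest"),
                     ("192.0.2.1", "00-11-22-33-44-55:corp")]:
        print(ip, csid, "->", evaluate(build_access_request(ip, csid)))
```

The check that matters for this feature is the NAS-IP-Address lookup: without overwrite-interface, every WLAN would present the management address and only the SSID in Called-Station-Id could distinguish them.
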
Monitoring the Status of Per-WLAN RADIUS Source Support (CLI)

To see whether the feature is enabled or disabled, enter the following command:

show wlan wlan-id

Example

The following example shows that the per-WLAN RADIUS source support is enabled on WLAN 1.

show wlan 1

Information similar to the following is displayed:

WLAN Identifier.................................. 4
Profile Name..................................... example
Network Name (SSID).............................. example
Status........................................... Enabled
MAC Filtering.................................... Disabled
Broadcast SSID................................... Enabled
AAA Policy Override.............................. Disabled
Network Admission Control
...
Radius Servers
   Authentication................................ Global Servers
   Accounting.................................... Global Servers
   Overwrite Sending Interface................... Enabled
Local EAP Authentication......................... Disabled