
Deny IP Spoof from (0.0.0.0) to X.X.X.X

  • 1.  Deny IP Spoof from (0.0.0.0) to X.X.X.X

    Posted Sep 07, 2018 03:10 AM

    Hi all,


    I know this is a bit of a long shot but completely stuck. Have configured controllers before and always used Cisco ASAs.

     

    This time the two controllers have been configured and our guest wireless network works fine.  Our corporate offering uses 802.1x with certificate authentication through an external NPS server.  We already have this working on one site.

     

    Setting up this on a new site and everything is allowed on the firewall. A packet capture shows the traffic going from the controller to the NPS fine. However, when trying to connect to the SSID and monitoring the firewall, the client fails with the logs on the firewall showing Deny IP Spoof from (0.0.0.0) to (NPS Server IP). I am not sure why this is happening. Any ideas?

     

    Master Controller IP is 192.168.33.3

    Secondary (master standby)  IP 192.168.33.4

    VRRP - 192.168.33.5


    Tried everything but at a loss.

     

    Thanks



  • 2.  RE: Deny IP Spoof from (0.0.0.0) to X.X.X.X

    Posted Sep 07, 2018 03:35 AM

    Are the working and not working site two different controller setups (that is two controllers on site A and two on site B)?

    Or are both sites terminating APs in the same controllers?



  • 3.  RE: Deny IP Spoof from (0.0.0.0) to X.X.X.X

    Posted Sep 07, 2018 04:00 AM

    Yeah, they are 2 controllers on site A and 2 controllers on site B, completely separate and non-related.

     

    Thanks

     



  • 4.  RE: Deny IP Spoof from (0.0.0.0) to X.X.X.X

    Posted Sep 07, 2018 04:03 AM

    Okay!

     

    So what does this command output: show ip radius source-interface

    Does it look correct? Do it on both setups to compare as well.



  • 5.  RE: Deny IP Spoof from (0.0.0.0) to X.X.X.X

    Posted Sep 07, 2018 04:12 AM

    (LON-WLAN-Cont-Primary) #show ip radius source-interface

    Global radius client source IP address = 0.0.0.0, vlan 0
    Global radius client source IPv6 address = ::, vlan 0
    Per-server client source IPv4/6 addresses:
    Server "lon-nps-1.kainos.com": 192.168.33.3

     

    Looks weird that the source IP is 0.0.0.0. Any ideas?



  • 6.  RE: Deny IP Spoof from (0.0.0.0) to X.X.X.X

    Posted Sep 07, 2018 04:21 AM

    Hmm, what you can try to do is under Configuration -> Authentication -> Radius Server -> *select your NPS* -> There is a field called "Source interface", specify your VLAN of which you want to source from (this would be the same as you allowed in your NPS).

     

    There is also a possibility to set this radius source globally, should be something like "ip radius source-interface" in the CLI.



  • 7.  RE: Deny IP Spoof from (0.0.0.0) to X.X.X.X

    Posted Sep 07, 2018 04:30 AM

    Yip, I had used VLAN 9 and set this in that setting.

     

    I also used the command you used to set VLAN 9 as the source address so the command now returns:

     

    Global radius client source IP address = 192.168.33.3, vlan 9
    Global radius client source IPv6 address = ::, vlan 0
    Per-server client source IPv4/6 addresses:
    Server "lon-nps-1.kainos.com": 192.168.33.3

     

    However, it still shows as spoof from 0.0.0.0.



  • 8.  RE: Deny IP Spoof from (0.0.0.0) to X.X.X.X

    Posted Sep 07, 2018 04:34 AM

    Where is that last line from? I cannot see that on my own output, and why is it the same IP as your vlan 9 interface?



  • 9.  RE: Deny IP Spoof from (0.0.0.0) to X.X.X.X

    Posted Sep 07, 2018 05:27 AM

    Got it working now.

     

    I had to remove the global source IP.

     

    I then had to remove the VLAN tag from the radius server configuration and re-add it. Then it picked up it was coming from the correct source.

     

    Thanks for your help
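
Added example, not part of the thread or of any Aruba or Cisco tooling: a Python check for the state seen in reply 7, where `show ip radius source-interface` reports a real source address while the firewall still logs spoof denies from 0.0.0.0 toward the RADIUS server. The firewall log lines, their timestamps, the interface name and the 192.0.2.x addresses are constructed placeholders; only the "Deny IP spoof from (src) to dst" wording and the controller output come from the posts above.

```python
import ipaddress
import re

# Controller output exactly as posted in reply 7 of the thread.
CONTROLLER_OUTPUT = """\
Global radius client source IP address = 192.168.33.3, vlan 9
Global radius client source IPv6 address = ::, vlan 0
Per-server client source IPv4/6 addresses:
Server "lon-nps-1.kainos.com": 192.168.33.3
"""
# Constructed firewall log lines; timestamps, interface name and the
# 192.0.2.x destinations are placeholders, not values from the thread.
FIREWALL_LOG = """\
2018-09-07T04:31:02 Deny IP spoof from (0.0.0.0) to 192.0.2.10 on interface inside
2018-09-07T04:31:05 Deny IP Spoof from (0.0.0.0) to 192.0.2.10 on interface inside
2018-09-07T04:31:09 Deny IP spoof from (0.0.0.0) to 192.0.2.77 on interface inside
"""
SPOOF_RE = re.compile(r"Deny IP spoof from \(([0-9a-f.:]+)\) to ([0-9a-f.:]+)", re.I)
GLOBAL_RE = re.compile(r"Global radius client source IP address = ([0-9.]+), vlan \d+")
SERVER_RE = re.compile(r'Server "([^"]+)": (\S+)')

def is_unspecified(addr):
    """True for 0.0.0.0 or ::, False for real or unparsable addresses."""
    try:
        return ipaddress.ip_address(addr).is_unspecified
    except ValueError:
        return False

def configured_sources(text):
    """Map 'global' and each server name to the source IP the controller reports."""
    sources = dict(SERVER_RE.findall(text))
    m = GLOBAL_RE.search(text)
    if m:
        sources["global"] = m.group(1)
    return sources

def spoof_denies(log, radius_servers):
    """Count denies with an unspecified source, per RADIUS server destination."""
    hits = {}
    for src, dst in SPOOF_RE.findall(log):
        if is_unspecified(src) and dst in radius_servers:
            hits[dst] = hits.get(dst, 0) + 1
    return hits

def config_disagrees_with_wire(controller_text, log, radius_servers):
    """True when the controller reports a real source but the firewall still sees 0.0.0.0."""
    real = any(not is_unspecified(ip) for ip in configured_sources(controller_text).values())
    return real and bool(spoof_denies(log, radius_servers))
```

A `True` result from `config_disagrees_with_wire` means the displayed configuration cannot be trusted on its own, which matches the thread's outcome: the source setting had to be removed and re-added before the controller actually used it.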