Руководство По Устранению Ошибки для Cisco Cisco 5760 Wireless LAN Controller
Deployment Scenario
The document covers common use cases where the wired clients connect to access switches for
network access. Two modes of access are explained in different examples. In all of the methods,
the wired guest access feature can act as a fallback method for authentication. This is typically a
use case when a guest user brings an end device that is unknown to the network. Since the end
device is missing the endpoint supplicant, it will fail the dot1x mode of authentication. Similarly,
MAB authentication would also fail, as the MAC address of the end device would be unknown to
the authenticating server. It is worth noting that in such implementations, corporate end devices
would successfully get access since they would either have a dot1x supplicant or their MAC
addresses in the authenticating server for validation. This allows for flexibility in deployment, as
the administrator does not need to restrict and tie up ports specifically for guest access.
network access. Two modes of access are explained in different examples. In all of the methods,
the wired guest access feature can act as a fallback method for authentication. This is typically a
use case when a guest user brings an end device that is unknown to the network. Since the end
device is missing the endpoint supplicant, it will fail the dot1x mode of authentication. Similarly,
MAB authentication would also fail, as the MAC address of the end device would be unknown to
the authenticating server. It is worth noting that in such implementations, corporate end devices
would successfully get access since they would either have a dot1x supplicant or their MAC
addresses in the authenticating server for validation. This allows for flexibility in deployment, as
the administrator does not need to restrict and tie up ports specifically for guest access.
Topology
This diagram shows the topology used in the deployment scenario:
OPENAUTH
Guest Anchor Configuration
Enable IP Device Tracking (IPDT) and DHCP snooping on client VLAN(s), in this case VLAN
75. The client VLAN needs to be created on the guest anchor.
75. The client VLAN needs to be created on the guest anchor.
1.
Create VLAN 75 and the L3 VLAN interface.
2.
Create a guest LAN that specifies the client VLAN with the 5760 itself that acts as the
mobility anchor. For openmode, the no security web-auth command is required.
mobility anchor. For openmode, the no security web-auth command is required.
3.
Foreign Configuration