300-425 · Question #221
A customer has this wireless design: - two Cisco Catalyst 9800 Series wireless controllers configured in a high-availability SSO cluster to manage APs in the local office network - 100 APs in local mo
The correct answer is B. Send the AAA server accounting and authentication traffic from the anchor WLC.. When a WLAN is anchored to a specific WLC, all AAA authentication and accounting traffic for that WLAN must originate from the anchor WLC, not the foreign or HA cluster controllers.
Question
A customer has this wireless design:
- two Cisco Catalyst 9800 Series wireless controllers configured in a
high-availability SSO cluster to manage APs in the local office network
- 100 APs in local mode and registered to the high-availability cluster
- one Catalyst 9800 Series wireless controller that is deployed as an
anchor in a DMZ
- Cisco ISE for user authentication and authorization
The customer wants to deploy a new SSID to support staff BYOD devices and authenticate users via Cisco ISE. The SSID terminates on the anchor WLC. How must the requirement be incorporated into the design to address the AAA servers for the WLAN?
Options
- ASend the AAA server accounting and authentication traffic from the high-availability cluster.
- BSend the AAA server accounting and authentication traffic from the anchor WLC.
- CSend the accounting traffic from the anchor WLC and the authentication traffic from the high-
- DSend the accounting traffic from the high-availability cluster and the authentication traffic from the
How the community answered
(27 responses)- A4% (1)
- B78% (21)
- C7% (2)
- D11% (3)
Why each option
When a WLAN is anchored to a specific WLC, all AAA authentication and accounting traffic for that WLAN must originate from the anchor WLC, not the foreign or HA cluster controllers.
Sending AAA traffic from the HA cluster is incorrect because the client session is not terminated on the foreign cluster - the cluster only tunnels client traffic to the anchor and cannot authoritatively generate authentication or accounting requests for anchored clients.
In a foreign-anchor WLC architecture, the anchor WLC owns the client session for anchored SSIDs - it handles IP address assignment, policy enforcement, and all associated AAA interactions. Because the BYOD SSID terminates on the anchor WLC in the DMZ, all RADIUS authentication and accounting requests must be sourced from the anchor so that Cisco ISE can correctly identify the policy context, match the correct authorization profile, and maintain accurate session accounting records.
Splitting accounting from the anchor and authentication from the HA cluster is not supported in the anchor-foreign model and would result in mismatched session records in ISE, causing unreliable authorization and broken CoA flows.
Sending accounting from the HA cluster and authentication from the anchor contradicts the anchor-foreign design - the anchor must handle both functions because it owns the anchored WLAN client session end-to-end.
Concept tested: Anchor WLC AAA server configuration for anchored SSIDs
Source: https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/config-guide/b_wl_16_10_cg/m_anchor_guest.html
Topics
Community Discussion
No community discussion yet for this question.