Local Eap Support; Wired Guest Access Support - Cisco 5520 Deployment Manual

• To verify the status of the service port after configuration:
show interface detailed service-port
Limitations
• RADIUS, TACACS+, and NMSP to MSE via the service port are not supported in release 8.2.
• SP Port OOB Management cannot be enabled when the WLC is in an SSO Pair.

Local EAP Support

Starting with software release 8.2, the Cisco 5520 Wireless LAN Controller supports Local EAP functionality natively on the controller.
Local EAP is an authentication method that allows users and wireless clients to be authenticated locally on the controller. It is designed for use in remote offices that want to maintain connectivity to wireless clients when the backend system becomes disrupted or the external authentication server goes down. When you enable Local EAP, the controller serves as the authentication server and the local user database, which removes the dependence on an external authentication server. Local EAP retrieves user credentials from the local user database or the LDAP backend database to authenticate users. Local EAP supports LEAP, EAP-FAST, EAP-TLS, PEAPv0/MSCHAPv2, and PEAPv1/GTC authentication between the controller and wireless clients.
The configuration of Local EAP remains the same as on existing WLCs. A Local EAP Server Configuration Example can be found at:
http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wlan-security/91628-uwn-loc-eap-svr-config.html%23maintask1

Wired Guest Access Support

Starting with software release 8.2, the Cisco 5520 Wireless LAN Controller supports the Wired Guest Access functionality.
A growing number of companies recognize the need to provide Internet access to their customers, partners, and consultants when they visit their facilities. IT managers can provide secured and controlled wired and wireless access to the Internet for guests on the same wireless LAN controller. Guest users must be allowed to connect to designated Ethernet ports and access the guest network as configured by the administrator after they complete the configured authentication methods. Wireless guest users can easily connect to the WLAN controllers with the current guest access features. This provides a unified wireless and wired guest access experience to the end users.
Wired guest ports are provided in a designated location and plugged into an access switch. The configuration on the access switch puts these ports in one of the wired guest Layer 2 VLANs.
Two separate solutions are available to customers:
• A single WLAN controller (VLAN Translation mode): the access switch trunks the wired guest traffic in the guest VLAN to the WLAN controller that provides the wired guest access solution. This controller carries out the VLAN translation from the ingress wired guest VLAN to the egress VLAN.
• Two WLAN controllers (Auto Anchor mode): the access switch trunks the wired guest traffic to a local WLAN controller (the controller nearest to the access switch). This local WLAN controller anchors the client onto a Demilitarized Zone (DMZ) Anchor WLAN controller that is configured for wired and wireless guest access. After a successful handoff of the client to the DMZ anchor controller, the DHCP IP address assignment, authentication of the client, and so on are handled in the DMZ WLC. After it completes the authentication, the client is allowed to send and receive traffic.
The configuration of Wired Guest Access remains the same as on existing WLCs. A Wired Guest Access Configuration Example can be found at:
http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/99470-config-wiredguest-00.html