Cisco 9800 Wireless 2024 – Phase 12 – Central Web Authentication (CWA) With Cisco ISE – Part 1

Open the following ports on the firewall to allow communication between the foreign (internal) and anchor (DMZ) controllers. Permit the traffic in both directions: each controller sources its own mobility control messages and keepalives toward its peer, so a rule that allows only inside-to-DMZ leaves the tunnel half-formed.

Legacy mobility (EoIP): IP protocol 97 (Ethernet over IP) for user data traffic and UDP port 16666 for mobility control

New mobility (the 9800 uses CAPWAP-based mobility): UDP port 16666 for mobility control and UDP port 16667 for user data

If the anchor is also managed from the internal network, these additional ports are needed (open only the ones you actually use):

SSH - TCP Port 22

TFTP - UDP Port 69

NTP - UDP Port 123

SNMP - UDP Ports 161 (gets and sets) and 162 (traps)

HTTPS/HTTP - TCP Port 443/80

Syslog - UDP Port 514 (TCP 514 only if the controller is configured to send syslog over TCP)

RADIUS Authentication/Accounting - UDP Ports 1812 and 1813. For CWA, also allow RADIUS CoA from ISE (UDP 1700 by default on IOS-XE) to whichever controller is the RADIUS client for the guest WLAN, otherwise ISE cannot replace the redirect authorization after the portal login.

If your 9800 WLCs are deployed as an HA (SSO) pair, configuring a mobility MAC address is mandatory: without it the mobility MAC is the chassis MAC of the active unit, so a switchover changes the MAC the peers expect and the tunnel drops. The default mobility group name is "default," but it can be changed to any value. Remember to configure the same mobility group name on the 9800 WLCs between which seamless roaming is expected.

Configure the mobility group name on the foreign and anchor controllers.
Foreign
Anchor

Configure the mobility tunnel between the foreign and anchor controllers

Foreign

Anchor
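The two configuration steps above, written out as an added example (this is not the post's own configuration and not a screenshot transcription). All names, addresses and MACs are hypothetical: foreign wireless management IP 10.10.10.10 with mobility MAC 0001.0002.0003, anchor wireless management IP 172.16.50.10 with mobility MAC 0001.0002.0004, mobility group CORP, and a policy profile GUEST-CWA-POLICY for the anchored guest SSID. Substitute your own values.

```cisco
! Added example, not the post's configuration. Hypothetical values:
!   foreign WMI 10.10.10.10 / mobility MAC 0001.0002.0003
!   anchor  WMI 172.16.50.10 / mobility MAC 0001.0002.0004
!   mobility group CORP, policy profile GUEST-CWA-POLICY
!
! ===== Foreign (internal) 9800 HA pair =====
wireless mobility group name CORP
! Mandatory on an HA pair: a virtual MAC that survives an SSO switchover.
wireless mobility mac-address 0001.0002.0003
! The peer entry must carry the ANCHOR's mobility MAC, not its chassis MAC;
! a mismatch leaves the control path down even with the firewall open.
wireless mobility group member mac-address 0001.0002.0004 ip 172.16.50.10 group CORP data-link-encryption
wireless mobility group keepalive interval 10
wireless mobility group keepalive count 3
!
! Policy profile for the anchored WLAN. Client traffic is tunneled to the
! anchor, so the VLAN referenced here is never the client's point of presence.
wireless profile policy GUEST-CWA-POLICY
 mobility anchor 172.16.50.10
 no shutdown
!
! ===== Anchor (DMZ) 9800 =====
wireless mobility group name CORP
wireless mobility mac-address 0001.0002.0004
! Peer entry uses the FOREIGN pair's mobility MAC configured above.
wireless mobility group member mac-address 0001.0002.0003 ip 10.10.10.10 group CORP data-link-encryption
wireless mobility group keepalive interval 10
wireless mobility group keepalive count 3
!
! Use the same WLAN and policy profile names as on the foreign.
! 'mobility anchor' with no address marks this controller as the anchor
! (export-anchor); the DMZ guest VLAN is where clients obtain their IP.
wireless profile policy GUEST-CWA-POLICY
 mobility anchor
 vlan 50
 no shutdown
!
! ===== Verify on both controllers =====
! Each peer's Status must read "Up". "Control and Data Path Down" means
! UDP 16666/16667 is blocked in at least one direction, or the peer's
! MAC, IP or group name does not match what the peer itself has configured.
show wireless mobility summary
```

data-link-encryption enables DTLS on the data tunnel as well as the control tunnel; set it on both peers or on neither, since a one-sided setting is another reason for a peer to show as down.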

The following scenario depicts what occurs when the firewall rules are NOT in place.

LA 9800 (foreign) WLC

Anchor WLC
LA WLC – The control path is down
Anchor (DMZ) WLC
Firewall logs

The firewall logs confirm that, without explicit rules, traffic sourced by the anchor controller in the DMZ toward the foreign controller on the internal network is dropped, so the mobility control path never comes up.

What does this mean?

Without the tunnel, an SSID configured with a mobility anchor cannot terminate client traffic in the DMZ, so clients on that SSID have no connectivity. By design the wireless user's IP point of presence is on the anchor, not on the internal network, which is why the foreign's policy profile does not require a valid layer 3 interface (VLAN) for that SSID: whatever VLAN it references is never used for anchored client traffic.

How is the issue resolved?

Opening UDP ports 16666 (mobility control) and 16667 (user data) in both directions between the foreign (internal) and anchor (DMZ) controllers allows the mobility tunnel to form.
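The firewall change described above, written as an added example in Cisco ASA syntax (the post does not say which firewall product is in use, and this is not the post's own rule set). Addresses are hypothetical: foreign controller 10.10.10.10 on the inside interface, anchor controller 172.16.50.10 on the dmz interface. The rule is deliberately written for both directions, which is the detail the failing scenario above turned on.

```cisco
! Added example, not the post's firewall configuration. ASA syntax assumed;
! hypothetical hosts: foreign 10.10.10.10 (inside), anchor 172.16.50.10 (dmz).
object-group network WLC-FOREIGN
 network-object host 10.10.10.10
object-group network WLC-ANCHOR
 network-object host 172.16.50.10
! 16666 = mobility control, 16667 = mobility data (new/CAPWAP mobility)
object-group service WLC-MOBILITY udp
 port-object eq 16666
 port-object eq 16667
! Inside -> DMZ: foreign sources keepalives/control toward the anchor
access-list INSIDE_IN extended permit udp object-group WLC-FOREIGN object-group WLC-ANCHOR object-group WLC-MOBILITY
! DMZ -> inside: the anchor sources its own keepalives/control toward the foreign;
! this is the direction the firewall logs in the post showed being dropped
access-list DMZ_IN extended permit udp object-group WLC-ANCHOR object-group WLC-FOREIGN object-group WLC-MOBILITY
! Only if a legacy (EoIP) mobility peer is involved, also permit IP protocol 97:
! access-list INSIDE_IN extended permit 97 object-group WLC-FOREIGN object-group WLC-ANCHOR
! access-list DMZ_IN extended permit 97 object-group WLC-ANCHOR object-group WLC-FOREIGN
access-group INSIDE_IN in interface inside
access-group DMZ_IN in interface dmz
```

Keep the rule scoped to the two controller addresses rather than the whole DMZ subnet; the anchor should be the only DMZ host that can reach the internal controller on these ports.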

LA tunnels down:
EAST DC tunnels down:
DMZ Anchor tunnels down:
Updated firewall rules
Mobility tunnels after the firewall change:
