NAC Guest Server

Unanswered Question
Jan 28th, 2008

I'm unable to authenticate the Guest Client in the RADIUS of NAC Guest Server.

The NAC is configured in the AAA Servers of the Guest SSID, in the WLC4402 and the controller as client in the NAC Guest Srv.

The Allow Override is Enabled.

NAC Guest Server » radius.log :

Thu Jan 17 01:10:17 2008 : Info: rlm_sql (sql): Driver rlm_sql_postgresql (module rlm_sql_postgresql) loaded and linked

Thu Jan 17 01:10:17 2008 : Info: rlm_sql (sql): Attempting to connect to [email protected]:/radius

Thu Jan 17 01:10:17 2008 : Info: Ready to process requests.

Thu Jan 17 01:12:08 2008 : Error: rlm_exec (radius-user-auth): External script failed

Thu Jan 17 01:18:49 2008 : Error: rlm_exec (radius-user-auth): External script failed

Has anyone experienced this issue?


I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
amritpatek Fri, 02/01/2008 - 12:42

When a guest authenticates against a RADIUS client the RADIUS client uses RADIUS Authentication to ask the Cisco NAC Guest Server whether the user authentication is valid. If the guest authentication is valid, the Cisco NAC Guest Server returns a message stating that the user is valid and the amount of time remaining before the user session expires. The RADIUS client must honor the session-timeout attribute to remove the guest when the guest account time expires. Following link may help you

pcomeaux Mon, 07/07/2008 - 13:41

Hi -

What version of the NAC Guest server are you using?

I searched all TAC cases and have the following info to share with you based on your error message.

If it is 1.1.1, you might be running into this bug:


With the new locations feature in 1.1.1 of the guest server any customer that has the calling-station-id attribute on their controller set to MAC address will not pass any authentications.

The new locations feature expects the calling-station-id attribute to be set to the IP address.



Dave Anthony David Tue, 07/08/2008 - 22:16

I'm using 1.1.0 and 1.1.1, I already set the calling-station-id attribute to IP address but still i got problem.

alanwoods Mon, 07/21/2008 - 23:37

I had exactly the same problem.

When the script (its an obfuscated PHP script under /guest/utils) fails, it is because it had not been able to match the username and password.

After a little debugging, it seems that this is caused by the controller setting (Controller/General/Web RADIUS Authentication) which in my case was set to CHAP. After changing it to PAP, the script can then see the password and authentication works.

I hope this helps.


This Discussion