NAC Guest Server

raires73
Level 1

I'm unable to authenticate the Guest Client in the RADIUS of NAC Guest Server.

The NAC is configured in the AAA Servers of the Guest SSID, in the WLC4402 and the controller as client in the NAC Guest Srv.

The Allow Override is Enabled.

NAC Guest Server » radius.log :

Thu Jan 17 01:10:17 2008 : Info: rlm_sql (sql): Driver rlm_sql_postgresql (module rlm_sql_postgresql) loaded and linked

Thu Jan 17 01:10:17 2008 : Info: rlm_sql (sql): Attempting to connect to postgres@localhost:/radius

Thu Jan 17 01:10:17 2008 : Info: Ready to process requests.

Thu Jan 17 01:12:08 2008 : Error: rlm_exec (radius-user-auth): External script failed

Thu Jan 17 01:18:49 2008 : Error: rlm_exec (radius-user-auth): External script failed

Has anyone experienced this issue?

Thanks!


amritpatek
Level 6

When a guest authenticates against a RADIUS client, the RADIUS client uses RADIUS Authentication to ask the Cisco NAC Guest Server whether the user authentication is valid. If the guest authentication is valid, the Cisco NAC Guest Server returns a message stating that the user is valid and the amount of time remaining before the user session expires. The RADIUS client must honor the session-timeout attribute to remove the guest when the guest account time expires. The following link may help you:

http://www.cisco.com/en/US/docs/security/nac/guestserver/configuration_guide/10/g_radius.html

Have you solved this problem? I'm stuck with this problem too.

pcomeaux
Cisco Employee

Hi -

What version of the NAC Guest server are you using?

I searched all TAC cases and have the following info to share with you based on your error message.

If it is 1.1.1, you might be running into this bug:

CSCsq86376

With the new locations feature in 1.1.1 of the guest server any customer that has the calling-station-id attribute on their controller set to MAC address will not pass any authentications.

The new locations feature expects the calling-station-id attribute to be set to the IP address.

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsq86376

thxs

peter

I'm using 1.1.0 and 1.1.1. I already set the calling-station-id attribute to IP address, but I still have the problem.

alanwoods
Level 1

I had exactly the same problem.

When the script (it's an obfuscated PHP script under /guest/utils) fails, it is because it had not been able to match the username and password.

After a little debugging, it seems that this is caused by the controller setting (Controller/General/Web RADIUS Authentication) which in my case was set to CHAP. After changing it to PAP, the script can then see the password and authentication works.

I hope this helps.
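Why the PAP/CHAP setting described in the reply above decides whether the server side can see the password, as an added example that is not part of the original thread and is not the NAC Guest Server's own code: it follows the RFC 2865 encodings of the User-Password (PAP) and CHAP-Password attributes. The shared secret, password and authenticator values are constructed.

```python
import hashlib
import hmac

# Constructed sample values (not from the thread).
SECRET = b"constructed-shared-secret"
AUTHENTICATOR = bytes(range(16))  # Request Authenticator, 16 octets
PASSWORD = b"guest-pass-123"

def pap_hide(password, secret, authenticator):
    """User-Password as the RADIUS client sends it (RFC 2865, section 5.2)."""
    size = max(1, -(-len(password) // 16)) * 16   # pad to a multiple of 16
    padded = password.ljust(size, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, size, 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return out

def pap_recover(hidden, secret, authenticator):
    """Server side: the shared secret is enough to get the cleartext back."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(block, mask))
        prev = block
    return out.rstrip(b"\x00")

def chap_password(ident, password, challenge):
    """CHAP-Password: ident octet + MD5(ident + password + challenge) (section 5.3)."""
    head = bytes([ident])
    return head + hashlib.md5(head + password + challenge).digest()

def chap_verify(attr, challenge, stored_cleartext):
    """Only possible when the server already stores the cleartext password."""
    expected = chap_password(attr[0], stored_cleartext, challenge)
    return hmac.compare_digest(attr, expected)

if __name__ == "__main__":
    hidden = pap_hide(PASSWORD, SECRET, AUTHENTICATOR)
    print("PAP, server recovers:", pap_recover(hidden, SECRET, AUTHENTICATOR))
    # Without a CHAP-Challenge attribute the Request Authenticator is the challenge.
    attr = chap_password(7, PASSWORD, AUTHENTICATOR)
    print("CHAP attribute (one-way digest):", attr.hex())
    print("CHAP verify with stored password:", chap_verify(attr, AUTHENTICATOR, PASSWORD))
```

With PAP the password is only as protected as the shared secret between the controller and the RADIUS server, so that secret should be long and unique per client.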
