Radius Setting for Web Auth and 802.1x

Unanswered Question
May 4th, 2008

Hi There,

I just have one CiscoSecure for both Web Auth and 802.1x.

When working with WLC, how can we distinguish the user that is logged in by Web Auth or 802.1x?

Thank you.

Scott Fella Sun, 05/04/2008 - 09:25

Usually you only can have one WLAN setup for 802.1x or pointed to a RADIUS server. Since the AAA client is the WLC, all traffic is from this device and the RADIUS server will look for this policy and will permit or deny on the first policy it hits. I have only been successful using IAS with this and it really comes down to creating a policy that will work with both.

ctam Sun, 05/04/2008 - 17:19

Suppose that the Web Auth and 802.1x are using different SSIDs. If making one policy for both, will the user for WebAuth be able to log in to the network by 802.1x? I want to avoid this.

How can I set the radius server such that this does not happen?

Scott Fella Sun, 05/04/2008 - 18:22

The issue is that the WLC will always check its local database and then check the first RADIUS server it communicates with, then the second and third. It doesn't matter whether you use different SSIDs or not. The process of authentication is always the same. This is why when you have two SSIDs using RADIUS, it's hard to define a policy that works with both. That is why there are times that users can use their username and password defined in the PEAP setting on the webauth page and be able to authenticate on that subnet. The only way you can make this happen is if you define the service type. For webauth use login and for 802.1x use framed. That install was a while back and was using IAS instead of ACS.... wish I had more info for you.

leon.mflai Fri, 08/15/2008 - 10:46

Hi Cliff,

In ACS, you can create different user groups: 1 for WebAuth and 1 for standard 802.1x authentication (e.g. PEAP).

By default, ACS will map the user to the corresponding group by looking up the username provided in the RADIUS packet.

To give further security control, you can define "Network Access Filtering" for each group such that ACS will look up the SSID and assign it to the corresponding "user group". This feature is useful in case the user has a 1-to-many mapping in the ACS user database.

For user group for WebAuth, you must enable "service-type (006) = Framed" in the group setup.

Hope this will help.
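To make the Service-Type approach concrete, here is an added example in Python (not from this thread and not Cisco ACS/IAS code): a minimal RADIUS attribute parser plus a policy check that accepts a user only when the group they belong to is allowed the Service-Type the WLC sent (Login for web auth, Framed for 802.1x, as described above). The group names, usernames and the Called-Station-Id value are constructed assumptions.

```python
import struct

# RADIUS attribute type codes (RFC 2865)
USER_NAME, SERVICE_TYPE, CALLED_STATION_ID = 1, 6, 30
# Service-Type values (RFC 2865): Login-User = 1, Framed-User = 2
LOGIN_USER, FRAMED_USER = 1, 2

# Constructed group database (assumption): which Service-Type each group may use.
# Web-auth clients arrive with Service-Type=Login, 802.1x clients with Framed.
GROUPS = {"webauth-guests": {"alice"}, "dot1x-staff": {"bob"}}
GROUP_POLICY = {"webauth-guests": LOGIN_USER, "dot1x-staff": FRAMED_USER}


def parse_attributes(payload: bytes) -> dict:
    """Parse RADIUS attribute TLVs (type, length, value) following the 20-byte header."""
    attrs, i = {}, 0
    while i + 2 <= len(payload):
        atype, alen = payload[i], payload[i + 1]
        # Length covers the 2-byte type/length header; anything shorter is malformed.
        if alen < 2 or i + alen > len(payload):
            raise ValueError("malformed RADIUS attribute")
        attrs[atype] = payload[i + 2:i + alen]
        i += alen
    return attrs


def build_request(username: str, service_type: int, called_station: str) -> bytes:
    """Build a constructed Access-Request (code 1); the authenticator is left zeroed."""
    body = b""
    for atype, value in ((USER_NAME, username.encode()),
                         (SERVICE_TYPE, struct.pack("!I", service_type)),
                         (CALLED_STATION_ID, called_station.encode())):
        body += bytes([atype, 2 + len(value)]) + value
    header = struct.pack("!BBH", 1, 0, 20 + len(body)) + bytes(16)
    return header + body


def evaluate(packet: bytes) -> str:
    """Accept only if the user's group allows the Service-Type carried in the request."""
    attrs = parse_attributes(packet[20:])
    user = attrs.get(USER_NAME, b"").decode(errors="replace")
    if SERVICE_TYPE not in attrs or len(attrs[SERVICE_TYPE]) != 4:
        return "reject: missing Service-Type"
    stype = struct.unpack("!I", attrs[SERVICE_TYPE])[0]
    for group, members in GROUPS.items():
        if user in members:
            if GROUP_POLICY[group] == stype:
                return "accept"
            return f"reject: {group} not allowed Service-Type {stype}"
    return "reject: unknown user"
```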
