Help configuring a Cisco 4402 wireless controller

May 28th, 2008

Hello,


I need help setting up a Cisco 4402 Wireless controller. I want to have users automatically connect to the wireless network, but not have access to any network resources until they open a web browser and supply their domain username and password or a guest account supplied by the receptionist.


I have tried numerous different configurations but can't seem to get it to work properly. More often than not, when I set up security on the WLAN it causes my wireless network to disappear from the list of available wireless networks.


Here is my network configuration:


1 - 4402 wireless LAN Controller

2 - Aironet 1130AG antennas

1 - 5510 Cisco ASA

1 - 4503 Core Router\Switch

8 - 2960G Switches


Windows Server 2003 Domain with Radius running on the Domain Controller.


Thanks in advance for the help.




Scott Fella Wed, 05/28/2008 - 06:22

Pretty simple....


Configure a wlan and set that to use Web Authentication Policy. Then also set that to Authentication. What you need to do now is configure the radius server on the WLC and make sure the shared secret is identical on the wlc and the ACS. Once the Radius server is configured, go back to the wlan ssid and under the AAA servers drop down, pick the radius server you just created. On the ACS, you need to configure the WLC as an AAA client in which you need to put the same shared secret.


That is the basic.... now not knowing if you have NAR's or NAP's configured on ACS, you should be good to go.


You should create a custom web auth page where you can have a terms and agreement for the users to read, just in case.


Hope this helps.

WaynePlotkin Wed, 05/28/2008 - 07:17

I think you have me on the right track. However I have a couple more questions. First when you say ACS you are referring to my Windows 2003 Radius Server correct? Second, I have to Windows XP laptops that do not see the wireless network I created when I search for wireless networks, BUT my iPhone sees it and displays the Cisco web logon page. Any reason you can think of that XP will not see a WLAN that has an SSID set to broadcast? Last question, How can I setup a second WLAN with a Static WEP key to give to employees that work wirelessly from the office everyday?

Scott Fella Wed, 05/28/2008 - 07:26

If you don't have ACS, then your IAS will work. What you need to configure on your IAS is the WLC as an AAA client, and when you create a remote access policy, you need to make sure the service type is set to login and not framed.


You should be able to see it if it is broadcasted. Sometimes when you have the ssid configured like on the iphones, it automatically will show up when you want to view other networks. Double check to make sure the ssid is being broadcasted. Check the firmware on the xp laptop and again, make sure it is not soooo old. Use the latest driver the manufacturer recommends.


To create a second ssid, just follow the procedure you used to create the first one. Should be the same. Use the Web interface.... might be easier for you.

WaynePlotkin Wed, 05/28/2008 - 10:30

I have everything working that I asked you about except Radius authentication. I have the WLC set up as a Radius client on the IAS server. Here are the Radius client settings: "Friendly Name" Cisco WiFi - IP Address 10.1.12.35 - Client-Vendor Cisco.


I also set up a Remote Access Policy named "Allow Wireless LAN Access" with the following policy conditions: NAS-Port-Type Matches "Wireless - IEEE 802.11 or Wireless - Other" AND Windows-Groups matches "Our DOMAIN\Domain Users".


Under "Edit Profile" All tabs have the default settings except under the "Advanced" tab I changed (Service-Type RADIUS Standard to Login) as you suggested in your last post.


What am I missing?


Thanks,


Wayne

Scott Fella Wed, 05/28/2008 - 11:05

Don't set the Radius setting to Client-Vendor Cisco. Use the default... I think it is RADIUS Standard.


In your event viewer on the IAS, what error do you have? Can you post a screenshot?

Scott Fella Wed, 05/28/2008 - 11:10

Also, under the Remote Policy | Authentication, make sure Unencrypted authentication (PAP, CHAP) is checked.

WaynePlotkin Wed, 05/28/2008 - 11:28

It is still not working; I must be missing something. Here are a few screenshots showing my config.


Thanks for all of your help!



Scott Fella Wed, 05/28/2008 - 11:35

Okay.... looks okay, but try this:


On the remote policy, just have your Windows-Groups matches and NAS-IP-Address, for which you would enter the management ip address of the wlc. In the dial-in constraints, make sure you have Grant remote access permission. Also, you might need to verify that dial-in is permitted on the user AD account.


Then try to log in, and if it doesn't work, you need to post the failed attempt from the event viewer of the IAS server.

WaynePlotkin Wed, 05/28/2008 - 11:58

Here are the error details from the event viewer.


User "My Username" was denied access.

Fully-Qualified-User-Name = "My Domain"\"My Username"

NAS-IP-Address = 10.1.12.35

NAS-Identifier = Wireless

Called-Station-Identifier = 10.1.12.35

Calling-Station-Identifier = 10.1.12.103

Client-Friendly-Name = Cisco WiFi

Client-IP-Address = 10.1.12.35

NAS-Port-Type =

NAS-Port =

Proxy-Policy-Name = Use Windows authentication for all users

Authentication-Provider = Windows

Authentication-Server =

Policy-Name =

Authentication-Type = PAP

EAP-Type =

Reason-Code = 16

Reason = Authentication was not successful because an unknown user name or incorrect password was used.




I know that the password is correct because it is my account. I made sure that the account was not disabled and has dial-in access.


What do you think?

Scott Fella Wed, 05/28/2008 - 12:12

Okay... It seems like it is not hitting the correct policy. You created a policy named Allow Wireless LAN Access, but you see in the log that it passes that and the other policy you have. It actually hit the default policy... can't remember where that is located, but that's okay. What error are you seeing on the WLC?


I would re-enter the shared secret in the wlc and in the radius server just to be on the safe side. 10.1.12.35 is your wlc management interface and 10.0.0.2 is your IAS server.... correct?

WaynePlotkin Wed, 05/28/2008 - 12:37

The WLC is not showing any RADIUS errors. I have a Remote Access Policy named "Allow Wireless LAN Access" with Windows-Groups matches and NAS-IP-Address Matches "10.1.12.35" (management port on the WLC).


The Connection Request Policy is named "Use Windows authentication for all users" and the only setting is all access (every day, all day).


Do I need to add anything to the connection request policies? I tried adding the NAS-IP-Address Matches "10.1.12.35" to this policy and got the following error message.


User WPlotkin was denied access.

Fully-Qualified-User-Name =

NAS-IP-Address = 10.1.12.35

NAS-Identifier = SihleWireless

Called-Station-Identifier = 10.1.12.35

Calling-Station-Identifier = 10.1.12.103

Client-Friendly-Name = Cisco WiFi

Client-IP-Address = 10.1.12.35

NAS-Port-Type =

NAS-Port =

Proxy-Policy-Name =

Authentication-Provider =

Authentication-Server =

Policy-Name =

Authentication-Type =

EAP-Type =

Reason-Code = 49

Reason = The connection attempt did not match any connection request policy.


Scott Fella Wed, 05/28/2008 - 13:33

You don't have to touch that policy. In your Allow Wireless LAN Access policy, in the advanced tab, add Framed-Protocol PPP. Also, delete the Radius server in the WLC and add it back. You will have to remove the radius server from the ssid before you can delete the radius server. I would also delete and recreate the AAA client on the IAS server and then restart the service.


The Proxy-Policy-Name = should show the remote access policy you created.



WaynePlotkin Thu, 05/29/2008 - 04:39

I fixed it; apparently my Shared-Secret was too short. I changed it to a longer one and RADIUS instantly started working. I cannot believe this is what was causing it not to work. You definitely got me on the right track and I learned a lot along the way. I really appreciate all of your help!
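The resolution above (a changed shared secret clearing a Reason-Code 16 "unknown user name or incorrect password" event) is consistent with how RADIUS PAP carries the password: the NAS hides User-Password with MD5 keyed on the shared secret and the server unhides it with its own copy, so a secret that does not match on both sides decodes to garbage and is logged as a bad password rather than as a secret mismatch. The block below is an added illustration, not code from this thread, Cisco or Microsoft; it implements the RFC 2865 section 5.2 hiding with a constructed, fixed Request Authenticator and constructed sample secrets.

```python
import hashlib

# Constructed, fixed Request Authenticator so the demo is deterministic.
# A real NAS (here the WLC) picks 16 fresh random octets per Access-Request.
REQUEST_AUTHENTICATOR = bytes(range(16))


def pap_hide(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Hide a PAP User-Password as the NAS does (RFC 2865, section 5.2):
    NUL-pad to a multiple of 16 octets, then XOR each block with
    MD5(secret + previous cipher block), the first block using the
    Request Authenticator in place of a previous block."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets before hiding")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        hidden += block
        prev = block
    return bytes(hidden)


def pap_reveal(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Undo pap_hide as the RADIUS server does, with *its* copy of the secret."""
    revealed, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        revealed += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return bytes(revealed).rstrip(b"\x00")


def ias_view(password: bytes, wlc_secret: bytes, ias_secret: bytes):
    """Return (password_matches, bytes_the_server_decoded).

    With wlc_secret != ias_secret the decoded bytes are garbage, so the server
    checks a wrong password against the directory and logs a bad-password
    failure (IAS Reason-Code 16) instead of a shared-secret error."""
    hidden = pap_hide(password, wlc_secret, REQUEST_AUTHENTICATOR)
    seen = pap_reveal(hidden, ias_secret, REQUEST_AUTHENTICATOR)
    return seen == password, seen
```

Because the hidden value has no integrity check of its own, the only place a secret mismatch is visible is the wrong password on the server side, which is why re-entering the secret on both devices is a sensible first step when IAS reports Reason-Code 16 for a known-good account.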

Correct Answer
Scott Fella Thu, 05/29/2008 - 04:44

Glad you got it working....

thefindjack Thu, 06/26/2008 - 13:17

I am having pretty much the same issue, but I can't understand why it's not working because this is the message I get in Microsoft IAS...


User xxxx was granted access.

Fully-Qualified-User-Name = xxxxx

NAS-IP-Address = 192.168.1.8

NAS-Identifier = RMCORPWLC01

Client-Friendly-Name = RMCORPWLC01

Client-IP-Address = 192.168.1.8

Calling-Station-Identifier =

NAS-Port-Type =

NAS-Port =

Proxy-Policy-Name = Use Windows authentication for all users

Authentication-Provider = Windows

Authentication-Server =

Policy-Name = WLC Auth

Authentication-Type = PAP

EAP-Type =


For more information, see Help and Support Center at




Any suggestions? I made sure that all my settings matched those discussed in this thread.

Scott Fella Thu, 06/26/2008 - 13:27

This line: Proxy-Policy-Name = Use Windows authentication for all users


shows that you are not hitting the remote access policy. This is the default Windows IAS policy.


Can you post your show run-config and tell me what ssid you are using? Might be a configuration on the wlc or your IAS server.

WaynePlotkin Fri, 06/27/2008 - 05:11

Also, check your shared secret configuration with the RADIUS server and make sure it is long enough. I had first set it up with only 10 characters and then changed it to 26 characters and it started working immediately.

thefindjack Fri, 06/27/2008 - 05:22

FYI... Right now I'm just trying to get this working for MGMT logins. The problem I am having is that I can't log in to the device with any username that isn't in the local list.



Scott Fella Fri, 06/27/2008 - 05:35

So you are trying to configure the wlc to authenticate management users when they try to access the wlc? Just note that the wlc will use local, then radius, then ldap if configured.


Here are some links for that:


http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a0080782507.shtml


This link is for ACS. What you have to do in the remote access policy in IAS is to set the service type as login. Also, upgrade your boot loader to 5.0.

Scott Fella Fri, 06/27/2008 - 05:48

Be careful with the policies in IAS. If you have another policy using the same nas ip address to authenticate wireless users, it will hit that and fail to the default. If that is the only policy you have, then the ias policy isn't configured right.

Scott Fella Fri, 06/27/2008 - 06:21

On your log that you posted: NAS-IP-Address = 10.1.12.35


This isn't your management interface (92.168.1.8) on the WLC? So what device is this you are showing?

thefindjack Fri, 06/27/2008 - 06:28

I don't have any of those IP addresses; I'm not sure what you are referring to?? I have more than one policy in IAS. I don't understand why it is so hard to set up RADIUS with this thing? Why would RADIUS behave so much differently on a WLC than, say, a router/switch?

Scott Fella Fri, 06/27/2008 - 06:34

Post the error you are seeing on your IAS.

thefindjack Fri, 06/27/2008 - 06:47

I am not seeing an error on IAS... I see that access was granted? That is why I'm at a loss for why this isn't working?


User david.jack was granted access.

Fully-Qualified-User-Name = xxxxx

NAS-IP-Address = 192.168.1.8

NAS-Identifier = RMCORPWLC01

Client-Friendly-Name = RMCORPWLC01

Client-IP-Address = 192.168.1.8

Calling-Station-Identifier =

NAS-Port-Type =

NAS-Port =

Proxy-Policy-Name = Use Windows authentication for all users

Authentication-Provider = Windows

Authentication-Server =

Policy-Name = WLC Auth <<<<

Authentication-Type = PAP

EAP-Type =


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Scott Fella Fri, 06/27/2008 - 08:13

You might have to set up accounting also. Capture data with a sniffer on the port that the wlc is connected to on the switch. If you see authentication pass but accounting fail, then accounting will have to be set up. On ACS, you have to have that configured in order for this to work.

thefindjack Fri, 06/27/2008 - 05:44

I will have to give that a try, my shared secret is only 7 chars right now.


yskim80 Wed, 07/23/2008 - 18:23

I'm having the same issue. Did you get it fixed?

WaynePlotkin Thu, 07/24/2008 - 04:32

The problem I had was that my Shared-Secret was too short. I changed it to a longer one and RADIUS instantly started working. If that doesn't fix it for you, read over all of the posts in this thread and one of them should get you on the right track.
