
Help configuring a Cisco 4402 wireless controller

WaynePlotkin
Level 1

Hello,

I need help setting up a Cisco 4402 Wireless controller. I want to have users automatically connect to the wireless network, but not have access to any network resources until they open a web browser and supply their domain username and password or a guest account supplied by the receptionist.

I have tried numerous different configurations but can't seem to get it to work properly. More times than not, when I set up security on the WLAN it causes my wireless network to disappear from the list of available wireless networks.

Here is my network configuration:

1 - 4402 wireless LAN Controller

2 - Aironet 1130AG antennas

1 - 5510 Cisco ASA

1 - 4503 Core Router\Switch

8 - 2960G Switches

Windows Server 2003 Domain with Radius running on the Domain Controller.

Thanks in advance for the help.


Scott Fella
Hall of Fame

Pretty simple....

Configure a wlan and set that to use Web Authentication Policy. Then also set that to Authentication. What you need to do now is configure the radius server on the WLC and make sure the shared secret is identical on the wlc and the ACS. Once the Radius server is configured, go back to the wlan ssid and under the AAA servers drop down, pick the radius server you just created. On the ACS, you need to configure the WLC as an AAA client, in which you need to put the same shared secret.

That is the basic.... now not knowing if you have NAR's or NAP's configured on ACS, you should be good to go.

You should create a custom web auth page where you can have a terms and agreement for the users to read, just in case.

Hope this helps.

-Scott
*** Please rate helpful posts ***

I think you have me on the right track. However, I have a couple more questions. First, when you say ACS you are referring to my Windows 2003 Radius Server, correct? Second, I have two Windows XP laptops that do not see the wireless network I created when I search for wireless networks, BUT my iPhone sees it and displays the Cisco web logon page. Any reason you can think of that XP will not see a WLAN that has an SSID set to broadcast? Last question: how can I set up a second WLAN with a Static WEP key to give to employees that work wirelessly from the office every day?

If you don't have ACS, then your IAS will work. What you need to configure on your IAS is the WLC as an AAA client and when you create a remote access policy, you need to make sure the service type is set to login and not framed.

You should be able to see it if it is broadcasted. Sometimes when you have the ssid configured like on the iphones, it automatically will show up when you want to view other networks. Double check to make sure the ssid is being broadcasted. Check the firmware on the xp laptop and again, make sure it is not soooo old. Use the latest driver the manufacturer recommends.

To create a second ssid, just follow the procedure you used to create the first one. Should be the same. Use the Web interface.... might be easier for you.

-Scott
*** Please rate helpful posts ***

I have everything working that I asked you about except Radius authentication. I have the WLC set up as a Radius client on the IAS server. Here are the Radius client settings. "Friendly Name" Cisco WiFi - IP Address 10.1.12.35 - Client-Vendor Cisco.

I also set up a Remote Access Policy named "Allow Wireless LAN Access" with the following policy conditions: NAS-Port-Type matches "Wireless - IEEE 802.11 or Wireless - Other" AND Windows-Groups matches "Our DOMAIN\Domain Users"

Under "Edit Profile" All tabs have the default settings except under the "Advanced" tab I changed (Service-Type RADIUS Standard to Login) as you suggested in your last post.

What am I missing?

Thanks,

Wayne

Don't set the Radius setting to Client-vendor Cisco. Use the default... I think it is Radius Standard.

In your event viewer in the IAS, what error do you have? Can you post a screenshot?

-Scott
*** Please rate helpful posts ***

Also, under the Remote Policy | Authentication, make sure Unencrypted authentication (PAP, CHAP) is checked.

-Scott
*** Please rate helpful posts ***

It is still not working; I must be missing something. Here are a few screenshots showing my config.

Thanks for all of your help!

Okay.... looks okay, but try this:

On the remote policy, just have your Windows-Groups matches and NAS-IP address, in which you would enter the management ip address of the wlc. In the dial-in constraints, make sure you have Grant remote access permission. Also, you might need to verify that dial-in is permitted on the user AD account.

Then try to log in and if it doesn't work, you need to post the failed attempt in the event viewer of the IAS server.

-Scott
*** Please rate helpful posts ***

Here is the error details from the event viewer.

User "My Username" was denied access.

Fully-Qualified-User-Name = "My Domain"\"My Username"

NAS-IP-Address = 10.1.12.35

NAS-Identifier = Wireless

Called-Station-Identifier = 10.1.12.35

Calling-Station-Identifier = 10.1.12.103

Client-Friendly-Name = Cisco WiFi

Client-IP-Address = 10.1.12.35

NAS-Port-Type =

NAS-Port =

Proxy-Policy-Name = Use Windows authentication for all users

Authentication-Provider = Windows

Authentication-Server =

Policy-Name =

Authentication-Type = PAP

EAP-Type =

Reason-Code = 16

Reason = Authentication was not successful because an unknown user name or incorrect password was used.

I know that the password is correct because it is my account. I made sure that the account was not disabled and has dial-in access.

What do you think?

Okay... It seems like it is not hitting the correct policy. You created a policy named all wireless lan access, but you see in the log that it passes that and the other policy you have. It actually hit the default policy... can't remember where that is located, but that's okay. What error are you seeing in the WLC?

I would re-enter the shared secret in the wlc and in the radius server just to be on the safe side. 10.1.12.35 is your wlc management interface and 10.0.0.2 is your IAS server.... correct?

-Scott
*** Please rate helpful posts ***

The WLC is not showing any RADIUS errors. I have a Remote Access Policy named "Allow Wireless LAN Access" with Windows-Groups matches and NAS-IP-Address Matches "10.1.12.35" (management port on WLC).

The Connection Request Policy is named "Use Windows authentication for all users" and the only setting is all access (Everyday all day).

Do I need to add anything to the connection request policies? I tried adding the NAS-IP-Address Matches "10.1.12.35" to this policy and got the following error message.

User WPlotkin was denied access.

Fully-Qualified-User-Name =

NAS-IP-Address = 10.1.12.35

NAS-Identifier = SihleWireless

Called-Station-Identifier = 10.1.12.35

Calling-Station-Identifier = 10.1.12.103

Client-Friendly-Name = Cisco WiFi

Client-IP-Address = 10.1.12.35

NAS-Port-Type =

NAS-Port =

Proxy-Policy-Name =

Authentication-Provider =

Authentication-Server =

Policy-Name =

Authentication-Type =

EAP-Type =

Reason-Code = 49

Reason = The connection attempt did not match any connection request policy.

You don't have to touch that policy. In your Allow Wireless LAN Access policy in the advanced tab, add Framed-Protocol PPP. Also, delete the Radius server in the WLC and add it back on. You will have to remove the radius server from the ssid before you can delete the radius server. I would also delete and recreate the AAA client on the IAS server and then restart the service.

The Proxy-Policy-Name = should show the remote access policy you created.

-Scott
*** Please rate helpful posts ***

I fixed it; apparently my Shared-Secret was too short. I changed it to a longer one and RADIUS instantly started working. I cannot believe this is what was causing it not to work. You definitely got me on the right track and I learned a lot along the way. I really appreciate all of your help!

Glad you got it working....

-Scott
*** Please rate helpful posts ***
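
Added example, not part of the original thread and not Cisco or Microsoft code: with PAP, the RADIUS client hides the password using the shared secret (RFC 2865, section 5.2), so when the two ends hold different secrets the server recovers a wrong password and the failure looks like the "unknown user name or incorrect password" event posted above. The secrets, password and authenticator below are constructed sample values, and `server_verdict` is a hypothetical stand-in for the server's directory check.

```python
import hashlib
import hmac


def _mask_blocks(data: bytes, secret: bytes, authenticator: bytes, hiding: bool) -> bytes:
    """XOR each 16-octet block with MD5(secret + previous ciphertext block)."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        chunk = data[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(chunk, mask))
        out += block
        prev = block if hiding else chunk  # chain on the ciphertext either way
    return out


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """NAS side (the WLC in this thread): build the User-Password attribute value."""
    if len(authenticator) != 16 or not 0 < len(password) <= 128:
        raise ValueError("need a 16-octet authenticator and a 1..128 octet password")
    padded = password + b"\x00" * (-len(password) % 16)  # NUL-pad to 16n octets
    return _mask_blocks(padded, secret, authenticator, hiding=True)


def recover_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side (IAS in this thread): undo the hiding with the server's secret."""
    return _mask_blocks(hidden, secret, authenticator, hiding=False).rstrip(b"\x00")


def server_verdict(hidden: bytes, server_secret: bytes, authenticator: bytes,
                   directory_password: bytes) -> str:
    """Compare what the server recovered with the password held in the directory."""
    recovered = recover_password(hidden, server_secret, authenticator)
    ok = hmac.compare_digest(recovered, directory_password)
    return "Access-Accept" if ok else "Access-Reject"


# Constructed sample values, not taken from the thread.
AUTHENTICATOR = bytes(range(16))           # Request Authenticator (random in real traffic)
PASSWORD = b"Constructed-Passw0rd-2024"    # 25 octets, so two 16-octet blocks
WLC_SECRET = b"constructed-secret-A"
HIDDEN = hide_password(PASSWORD, WLC_SECRET, AUTHENTICATOR)

if __name__ == "__main__":
    # Same secret on both ends: the server sees the real password.
    print(server_verdict(HIDDEN, WLC_SECRET, AUTHENTICATOR, PASSWORD))
    # Different secret on the server: it recovers garbage and rejects the user.
    print(server_verdict(HIDDEN, b"constructed-secret-B", AUTHENTICATOR, PASSWORD))
```

Unless the request also carries a Message-Authenticator attribute, nothing in a PAP Access-Request lets the server tell a wrong secret from a wrong password, which is why re-entering the secret on both ends is a reasonable first check for this kind of event.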