05-28-2008 05:03 AM - edited 07-03-2021 03:56 PM
Hello,
I need help setting up a Cisco 4402 Wireless controller. I want to have users automatically connect to the wireless network, but not have access to any network resources until they open a web browser and supply their domain username and password or a guest account supplied by the receptionist.
I have tried numerous different configurations but can't seem to get it to work properly. More often than not, when I set up security on the WLAN it causes my wireless network to disappear from the list of available wireless networks.
Here is my network configuration:
1 - 4402 wireless LAN Controller
2 - Aironet 1130AG antennas
1 - 5510 Cisco ASA
1 - 4503 Core Router\Switch
8 - 2960G Switches
Windows Server 2003 Domain with Radius running on the Domain Controller.
Thanks in advance for the help.
05-28-2008 06:22 AM
Pretty simple....
Configure a WLAN and set that to use Web Authentication Policy. Then also set that to Authentication. What you need to do now is configure the RADIUS server on the WLC and make sure the shared secret is identical on the WLC and the ACS. Once the RADIUS server is configured, go back to the WLAN SSID and under the AAA servers drop-down, pick the RADIUS server you just created. On the ACS, you need to configure the WLC as an AAA client, in which you need to put the same shared secret.
Those are the basics.... now, not knowing if you have NARs or NAPs configured on ACS, you should be good to go.
You should create a custom web auth page where you can have a terms and agreement for the users to read, just in case.
Hope this helps.
05-28-2008 07:17 AM
I think you have me on the right track. However, I have a couple more questions. First, when you say ACS you are referring to my Windows 2003 RADIUS server, correct? Second, I have two Windows XP laptops that do not see the wireless network I created when I search for wireless networks, BUT my iPhone sees it and displays the Cisco web logon page. Any reason you can think of that XP will not see a WLAN that has an SSID set to broadcast? Last question: how can I set up a second WLAN with a static WEP key to give to employees that work wirelessly from the office every day?
05-28-2008 07:26 AM
If you don't have ACS, then your IAS will work. What you need to configure on your IAS is the WLC as an AAA client, and when you create a remote access policy, you need to make sure the service type is set to Login and not Framed.
You should be able to see it if it is broadcast. Sometimes when you have the SSID configured, like on the iPhones, it automatically will show up when you want to view other networks. Double check to make sure the SSID is being broadcast. Check the firmware on the XP laptop and again, make sure it is not soooo old. Use the latest driver the manufacturer recommends.
To create a second ssid, just follow the procedure you used to create the first one. Should be the same. Use the Web interface.... might be easier for you.
05-28-2008 10:30 AM
I have everything working that I asked you about except RADIUS authentication. I have the WLC set up as a RADIUS client on the IAS server. Here are the RADIUS client settings: "Friendly Name" Cisco WiFi - IP Address 10.1.12.35 - Client-Vendor Cisco.
I also set up a Remote Access Policy named "Allow Wireless LAN Access" with the following policy conditions: NAS-Port-Type matches "Wireless - IEEE 802.11 or Wireless - Other" AND Windows-Groups matches "Our DOMAIN\Domain Users".
Under "Edit Profile" All tabs have the default settings except under the "Advanced" tab I changed (Service-Type RADIUS Standard to Login) as you suggested in your last post.
What am I missing?
Thanks,
Wayne
05-28-2008 11:05 AM
Don't set the RADIUS setting to Client-Vendor Cisco. Use the default... I think it is RADIUS Standard.
In your event viewer on the IAS server, what error do you have? Can you post a screenshot?
05-28-2008 11:10 AM
Also, under the Remote Policy | Authentication, make sure Unencrypted authentication (PAP, CHAP) is checked.
05-28-2008 11:35 AM
Okay.... looks okay, but try this:
On the remote policy, just have your Windows-Groups matches and NAS-IP-Address, where you would enter the management IP address of the WLC. In the dial-in constraints, make sure you have Grant remote access permission. Also, you might need to verify that dial-in is permitted on the user's AD account.
Then try to log in, and if it doesn't work, you need to post the failed attempt from the event viewer of the IAS server.
05-28-2008 11:58 AM
Here are the error details from the event viewer.
User "My Username" was denied access.
Fully-Qualified-User-Name = "My Domain"\"My Username"
NAS-IP-Address = 10.1.12.35
NAS-Identifier = Wireless
Called-Station-Identifier = 10.1.12.35
Calling-Station-Identifier = 10.1.12.103
Client-Friendly-Name = Cisco WiFi
Client-IP-Address = 10.1.12.35
NAS-Port-Type =
NAS-Port =
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server =
Policy-Name =
Authentication-Type = PAP
EAP-Type =
Reason-Code = 16
Reason = Authentication was not successful because an unknown user name or incorrect password was used.
I know that the password is correct because it is my account. I made sure that the account was not disabled and has dial-in access.
What do you think?
05-28-2008 12:12 PM
Okay... It seems like it is not hitting the correct policy. You created a policy named Allow Wireless LAN Access, but you see in the log that it passes that and the other policy you have. It actually hit the default policy... can't remember where that is located, but that's okay. What error are you seeing on the WLC?
I would re-enter the shared secret in the WLC and in the RADIUS server just to be on the safe side. 10.1.12.35 is your WLC management interface and 10.0.0.2 is your IAS server.... correct?
05-28-2008 12:37 PM
The WLC is not showing any RADIUS errors. I have a Remote Access Policy named "Allow Wireless LAN Access" with Windows-Groups matches and NAS-IP-Address matches "10.1.12.35" (management port on the WLC).
The Connection Request Policy is named "Use Windows authentication for all users" and the only setting is all access (every day, all day).
Do I need to add anything to the connection request policy? I tried adding NAS-IP-Address matches "10.1.12.35" to this policy and got the following error message.
User WPlotkin was denied access.
Fully-Qualified-User-Name =
NAS-IP-Address = 10.1.12.35
NAS-Identifier = SihleWireless
Called-Station-Identifier = 10.1.12.35
Calling-Station-Identifier = 10.1.12.103
Client-Friendly-Name = Cisco WiFi
Client-IP-Address = 10.1.12.35
NAS-Port-Type =
NAS-Port =
Proxy-Policy-Name =
Authentication-Provider =
Authentication-Server =
Policy-Name =
Authentication-Type =
EAP-Type =
Reason-Code = 49
Reason = The connection attempt did not match any connection request policy.
05-28-2008 01:33 PM
You don't have to touch that policy. In your Allow Wireless LAN Access policy, in the Advanced tab, add Framed-Protocol PPP. Also, delete the RADIUS server in the WLC and add it back on. You will have to remove the RADIUS server from the SSID before you can delete the RADIUS server. I would also delete and recreate the AAA client on the IAS server and then restart the service.
The Proxy-Policy-Name = should show the remote access policy you created.
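The two IAS denial events quoted in this thread (Reason-Code 16 with an empty Policy-Name, then Reason-Code 49 after the connection request policy was edited) can be parsed and triaged mechanically. The script below is an added example, not code from this thread or from Cisco/Microsoft; its sample event is constructed in the same format IAS writes, and its hints encode only what the thread itself established (PAP must be allowed, the default connection request policy should be left alone, and a too-short shared secret produced the code 16 failure).

```python
import re

# Constructed sample event, in the format IAS writes to the event log (user and domain are made up).
SAMPLE_EVENT = """User "jdoe" was denied access.
Fully-Qualified-User-Name = "EXAMPLE"\\"jdoe"
NAS-IP-Address = 10.1.12.35
Client-IP-Address = 10.1.12.35
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Type = PAP
Policy-Name =
Reason-Code = 16
Reason = Authentication was not successful because an unknown user name or incorrect password was used.
"""


def parse_ias_event(text):
    """Turn an IAS 'denied access' event body into a dict of attribute -> value."""
    attrs = {}
    for line in text.splitlines():
        m = re.match(r"^([\w-]+)\s*=\s*(.*)$", line.strip())
        if m:
            attrs[m.group(1)] = m.group(2).strip()
    return attrs


def diagnose(attrs):
    """Return the checks this thread's findings suggest for one denial event."""
    code = int(attrs.get("Reason-Code", "-1"))
    hints = []
    if code == 16:
        # In this thread the "bad password" failure was really a shared secret that was too short.
        hints.append("Reason 16: re-enter a longer shared secret on both the WLC and IAS.")
        if not attrs.get("Policy-Name"):
            hints.append("Policy-Name is empty: the request never reached your remote access policy.")
    elif code == 49:
        # Produced here by adding a NAS-IP-Address condition to the default connection request policy.
        hints.append("Reason 49: no connection request policy matched; restore the default one.")
    else:
        hints.append(f"Reason {code}: not covered here.")
    if attrs.get("Authentication-Type") == "PAP":
        hints.append("PAP in use: confirm 'Unencrypted authentication (PAP, CHAP)' is checked.")
    nas_ip, client_ip = attrs.get("NAS-IP-Address"), attrs.get("Client-IP-Address")
    if nas_ip and nas_ip != client_ip:
        hints.append("NAS-IP-Address differs from Client-IP-Address: check which WLC interface sends RADIUS.")
    return hints


if __name__ == "__main__":
    for hint in diagnose(parse_ias_event(SAMPLE_EVENT)):
        print("-", hint)
```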
05-29-2008 04:39 AM
I fixed it. Apparently my shared secret was too short. I changed it to a longer one and RADIUS instantly started working. I cannot believe this is what was causing it not to work. You definitely got me on the right track and I learned a lot along the way. I really appreciate all of your help!
05-29-2008 04:44 AM
Glad you got it working....