problem with guest net and radius

Unanswered Question
Jul 8th, 2008

Has anyone ever observed the following:

I have 2 SSIDs, one configured for guest, one for internal.

The internal SSID is configured with RADIUS. The guest SSID does not have RADIUS activated. However, people are able to log on to the guest net with their RADIUS account.

The only solution I have found thus far is to define a fake RADIUS server on the guest SSID. This is surely not the correct solution.

Any advice?

jeromehenry_2 Tue, 07/08/2008 - 07:00

What authentication mechanism do you use on your guest SSID? If it is web authentication or 802.1X, RADIUS is checked by default...

I am surprised that fake RADIUS works, usually when the controller fails in using a RADIUS (because it is fake), it reverts to the other RADIUSes, that is the real one in your case.

Can't you define the allowed SSID on your RADIUS/controller?

sebastiaannoppe Tue, 07/08/2008 - 23:08

I have found the following:

Q. What occurs when a guest logs on?

A. When a wireless guest logs in through the web portal, the guest anchor controller handles the authentication by performing these steps:

1. The guest anchor controller checks its local database for username and password, and if they are present, grants access.

2. If no user credentials are present locally on the guest anchor controller, the guest anchor controller checks WLAN configuration settings to see if an external RADIUS server(s) has been configured for the guest WLAN. If so, the controller creates a RADIUS access-request packet with the username and password and forwards it to the selected RADIUS server for authentication.

3. If no specific RADIUS servers have been configured for the WLAN, the controller checks its global RADIUS server configuration settings. Any external RADIUS servers configured with the option to authenticate "network user" will be queried with the guest user's credentials. Otherwise, if no servers have "network user" selected, and the user has not been authenticated through steps 1 or 2, the authentication will fail.

So surely, I'm hitting step 3.

I'm not too comfortable with that type of implementation by Cisco. If I don't define a RADIUS in my SSID, it's for a reason.
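The three-step fallback quoted above, modelled as an added example (not Cisco's code or the poster's; the class and function names and the sample accounts are assumptions) to show why a corporate account succeeds on a guest SSID that has no RADIUS of its own, and how clearing "network user" or pinning a dedicated server to the guest WLAN changes the outcome:

```python
from dataclasses import dataclass, field

# Constructed model of the WLC guest-authentication fallback quoted above:
# local DB -> WLAN-specific RADIUS -> global "network user" RADIUS -> fail.
# Names and data are assumptions for illustration, not Cisco's API.

@dataclass
class RadiusServer:
    name: str
    users: dict                 # username -> password known to this server
    network_user: bool = True   # the global "network user" checkbox

    def access_request(self, user, pw):
        return self.users.get(user) == pw

@dataclass
class Wlan:
    ssid: str
    local_users: dict = field(default_factory=dict)
    radius_servers: list = field(default_factory=list)  # WLAN-specific servers

def authenticate(wlan, global_servers, user, pw):
    """Return (granted, step) following the three documented steps."""
    if wlan.local_users.get(user) == pw:          # step 1: anchor local DB
        return True, "local"
    if wlan.radius_servers:                       # step 2: WLAN-specific RADIUS
        ok = any(s.access_request(user, pw) for s in wlan.radius_servers)
        return ok, "wlan-radius"
    for s in global_servers:                      # step 3: global network-user RADIUS
        if s.network_user and s.access_request(user, pw):
            return True, f"global-radius:{s.name}"
    return False, "fail"

# Constructed sample: the corporate RADIUS is a global server with "network user" on,
# and the guest WLAN has only a local guest account and no RADIUS of its own.
CORP = RadiusServer("corp-radius", {"alice": "s3cret"}, network_user=True)
GUEST = Wlan("guest", local_users={"visitor": "welcome"})

def demo():
    results = {}
    results["guest_local"] = authenticate(GUEST, [CORP], "visitor", "welcome")
    # Poster's symptom: a corporate account is accepted on the guest SSID via step 3.
    results["guest_corp_leak"] = authenticate(GUEST, [CORP], "alice", "s3cret")
    # Mitigation A: clear "network user" on the corporate server, so step 3 skips it.
    corp_fixed = RadiusServer("corp-radius", CORP.users, network_user=False)
    results["network_user_off"] = authenticate(GUEST, [corp_fixed], "alice", "s3cret")
    # Mitigation B (the thread's workaround): a dedicated server on the guest WLAN
    # answers at step 2, so the global servers are never consulted.
    pinned = Wlan("guest", GUEST.local_users, [RadiusServer("guest-only", {})])
    results["wlan_pinned"] = authenticate(pinned, [CORP], "alice", "s3cret")
    return results
```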

Richard Atkin Tue, 07/08/2008 - 23:51

This is a common problem on some code. In the "Controller" tab of the GUI, change the Web Authentication type (at the bottom of the page) from PAP to CHAP (or vice versa), Save Configuration, Job Done :o)

Scott Fella Wed, 07/09/2008 - 03:44

I don't know if Cisco considers this as a bug, but if you have an implementation like what you have, the WLC will always attempt to use the RADIUS server first and then attempt to authenticate users via the local DB. Defining a fake RADIUS and using that on the guest WLAN is the "workaround". I have asked the BU to change that if possible, but don't know if that will happen anytime soon.

tiago.molinos Thu, 07/17/2008 - 02:14

I'm experiencing the same problem. My customer considers the fake RADIUS a workaround and asked for a solution. So I guess I need to find either a bug report or an official Cisco document to explain it.

Changing from PAP to CHAP would cause an authentication failure by wrong protocol, but I consider this another workaround...

sebastiaannoppe Thu, 07/17/2008 - 03:51

Changing PAP to CHAP has solved my issue!

But here's another one: this feature cannot be configured from WCS.


Is Cisco slipping up ?
