07-08-2008 05:03 AM - edited 07-03-2021 04:08 PM
Has anyone ever observed the following:
I have 2 SSIDs, one configured for guest, one for internal.
The internal SSID is configured with RADIUS. The guest SSID does not have RADIUS activated. However, people are able to log on to the guest net with their RADIUS account.
The only solution I have found thus far is to define a fake RADIUS server on the guest SSID. This is surely not the correct solution.
Any advice?
07-08-2008 07:00 AM
What authentication mechanism do you use on your guest SSID? If it is web authentication or 802.1X, RADIUS is checked by default...
I am surprised that fake RADIUS works, usually when the controller fails in using a RADIUS (because it is fake), it reverts to the other RADIUSes, that is the real one in your case.
Can't you define the allowed SSID on your RADIUS/controller?
07-08-2008 11:08 PM
I have found the following:
Q. What occurs when a guest logs on?
A. When a wireless guest logs in through the web portal, the guest anchor controller handles the authentication by performing these steps:
1. The guest anchor controller checks its local database for username and password, and if they are present, grants access.
2. If no user credentials are present locally on the guest anchor controller, the guest anchor controller checks WLAN configuration settings to see if an external RADIUS server(s) has been configured for the guest WLAN. If so, the controller creates a RADIUS access-request packet with the username and password and forwards it to the selected RADIUS server for authentication.
3. If no specific RADIUS servers have been configured for the WLAN, the controller checks its global RADIUS server configuration settings. Any external RADIUS servers configured with the option to authenticate "network user" will be queried with the guest user's credentials. Otherwise, if no servers have "network user" selected, and the user has not been authenticated through steps 1 or 2, the authentication will fail.
So surely, I'm hitting step 3.
I'm not too comfortable with that type of implementation by Cisco. If I don't define a RADIUS in my SSID, it's with a reason.
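To make the lookup order quoted above concrete, here is an added Python model (not code from this thread or from Cisco) of the three steps as the FAQ describes them: local database, then WLAN-bound RADIUS, then every global server with "Network User" set. The server names, accounts and passwords are constructed samples; it shows why an internal account is accepted on the guest WLAN, and that either clearing "Network User" or binding a placeholder server to the guest WLAN closes that path.

```python
from dataclasses import dataclass, field


@dataclass
class RadiusServer:
    name: str
    network_user: bool                         # global "Network User" checkbox
    users: dict = field(default_factory=dict)  # constructed sample accounts on the server


@dataclass
class Wlan:
    ssid: str
    local_users: dict = field(default_factory=dict)  # controller-local net-user database
    wlan_radius: list = field(default_factory=list)  # RADIUS servers bound to this WLAN


def authenticate(wlan, global_radius, username, password):
    """Web-auth lookup order as quoted in the thread; returns who accepted the user, or None."""
    # Step 1: controller-local database
    if wlan.local_users.get(username) == password:
        return "local"
    # Step 2: servers explicitly configured on the WLAN; a miss here does NOT fall through
    if wlan.wlan_radius:
        for srv in wlan.wlan_radius:
            if srv.users.get(username) == password:
                return srv.name
        return None
    # Step 3: no WLAN-specific server, so every global server flagged "Network User" is queried
    for srv in global_radius:
        if srv.network_user and srv.users.get(username) == password:
            return srv.name
    return None


def scenario():
    """Constructed config mirroring the thread: an internal RADIUS server with Network User set,
    and a guest WLAN that has only a local guest account and no WLAN-bound RADIUS."""
    corp = RadiusServer("corp-radius", network_user=True, users={"alice": "s3cret"})
    guest = Wlan("guest", local_users={"visitor": "welcome1"})
    return guest, [corp]


def network_user_demo():
    """Internal account is accepted on guest (step 3); clearing Network User stops it, guest still works."""
    guest, glob = scenario()
    before = authenticate(guest, glob, "alice", "s3cret")
    glob[0].network_user = False
    after = authenticate(guest, glob, "alice", "s3cret")
    return before, after, authenticate(guest, glob, "visitor", "welcome1")


def placeholder_server_demo():
    """The poster's workaround: an unreachable placeholder bound to the WLAN keeps step 3 from running."""
    guest, glob = scenario()
    guest.wlan_radius.append(RadiusServer("placeholder", network_user=False))
    return authenticate(guest, glob, "alice", "s3cret")
```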
07-08-2008 11:51 PM
This is a common problem on some code. In the "Controller" tab of the GUI, change the Web Authentication type (at the bottom of the page) from PAP to CHAP (or vice versa), Save Configuration, Job Done :o)
07-08-2008 11:55 PM
Is this documented somewhere in a bug ?
07-09-2008 03:44 AM
I don't know if Cisco considers this as a bug, but if you have an implementation like what you have, the WLC will always attempt to use the radius server first and then attempt to authenticate users via local DB. Defining a fake radius and using that on the guest wlan is the "workaround". I have asked the BU to change that if possible, but don't know if that will happen anytime soon.
07-17-2008 02:14 AM
I'm experiencing the same problem. My customer considers the fake RADIUS a workaround and asked for a solution. So I guess I need to find either a bug report or an official Cisco document to explain it.
Changing from PAP to CHAP would cause an authentication failure by wrong protocol, but I consider this another workaround...
07-17-2008 03:51 AM
Changing PAP to CHAP has solved my issue!
But here's another one: this feature cannot be configured from WCS.
Is Cisco slipping up?
12-01-2008 11:03 AM
Uncheck the "Network User" option on the security page of the WLC where the RADIUS servers are configured. This option is a global config that will pass the users' credentials on to the configured RADIUS servers when web authentication fails.