problem with guest net and radius

sebastiaannoppe
Level 1

Has anyone ever observed the following?

I have 2 SSIDs, one configured for guest, one for internal.

The internal SSID is configured with RADIUS. The guest SSID does not have RADIUS activated. However, people are able to log on to the guest net with their RADIUS account.

The only solution I have found so far is to define a fake RADIUS server on the guest SSID. This is surely not the correct solution.

Any advice?

8 Replies

jeromehenry_2
Level 3

What authentication mechanism do you use on your guest SSID? If it is web authentication or 802.1X, RADIUS is checked by default...

I am surprised that a fake RADIUS works; usually when the controller fails in using a RADIUS (because it is fake), it reverts to the other RADIUS servers, that is the real one in your case.

Can't you define the allowed SSID on your RADIUS/controller?

I have found the following:

Q. What occurs when a guest logs on?

A. When a wireless guest logs in through the web portal, the guest anchor controller handles the authentication by performing these steps:

1. The guest anchor controller checks its local database for username and password, and if they are present, grants access.

2. If no user credentials are present locally on the guest anchor controller, the guest anchor controller checks WLAN configuration settings to see if an external RADIUS server(s) has been configured for the guest WLAN. If so, the controller creates a RADIUS access-request packet with the username and password and forwards it to the selected RADIUS server for authentication.

3. If no specific RADIUS servers have been configured for the WLAN, the controller checks its global RADIUS server configuration settings. Any external RADIUS servers configured with the option to authenticate "network user" will be queried with the guest user's credentials. Otherwise, if no servers have "network user" selected, and the user has not been authenticated through steps 1 or 2, the authentication will fail.

So surely I'm hitting step 3.

I'm not too comfortable with that type of implementation from Cisco. If I don't define a RADIUS in my SSID, it's for a reason.

Richard Atkin
Level 4

This is a common problem on some code. In the "Controller" tab of the GUI, change the Web Authentication type (at the bottom of the page) from PAP to CHAP (or vice versa), Save Configuration, Job Done :o)

Is this documented somewhere in a bug?

I don't know if Cisco considers this a bug, but if you have an implementation like yours, the WLC will always attempt to use the RADIUS server first and then attempt to authenticate users via the local DB. Defining a fake RADIUS and using that on the guest WLAN is the "workaround". I have asked the BU to change that if possible, but don't know if that will happen anytime soon.

-Scott
*** Please rate helpful posts ***

tiago.molinos
Level 1

I'm experiencing the same problem. My customer considers the fake RADIUS a workaround and asked for a solution. So I guess I need to find either a bug report or an official Cisco document to explain it.

Changing from PAP to CHAP would cause an authentication failure due to the wrong protocol, but I consider this another workaround...

Changing PAP to CHAP has solved my issue!

But here's another one: this feature cannot be configured from WCS.

Is Cisco slipping up?

steve.gordon
Level 1

Uncheck the "Network User" option on the security page of the WLC where the RADIUS servers are configured. This option is a global setting that passes the user's credentials on to the configured RADIUS servers when web authentication fails locally.
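As an added illustration (not Cisco's code, and not something posted in this thread), the following Python models the three-step web-auth lookup order quoted earlier in the thread (local database, WLAN-level RADIUS list, global servers flagged "Network User") and the two remedies discussed: pointing the guest WLAN at an unreachable "fake" RADIUS server, and unchecking the global "Network User" option. The SSIDs, server names, accounts and passwords are constructed for the example, and the model assumes that once a WLAN-level server list exists the controller does not fall back to the global list (which is what makes the fake-server workaround bite). Run it to see which backend actually ends up receiving a guest's credentials under each configuration.

```python
"""Model of the WLC web-auth lookup order discussed in this thread.

Constructed example, not Cisco code. It shows why an internal RADIUS
account works on a guest SSID that has no RADIUS configured, and how
each of the two fixes from the thread changes the outcome.
"""
from dataclasses import dataclass, field


@dataclass
class RadiusServer:
    name: str
    accounts: dict = field(default_factory=dict)   # username -> password (constructed)
    network_user: bool = True   # the global "Network User" checkbox for this server
    reachable: bool = True      # False models the thread's "fake" server that never answers

    def access_request(self, username, password):
        """True = Access-Accept, False = Access-Reject, None = no answer (timeout)."""
        if not self.reachable:
            return None
        return self.accounts.get(username) == password


@dataclass
class Wlan:
    ssid: str
    radius_servers: list = field(default_factory=list)   # WLAN-level server list


@dataclass
class Controller:
    local_net_users: dict = field(default_factory=dict)  # local net-user DB
    global_radius: list = field(default_factory=list)    # global RADIUS server list

    def web_auth(self, wlan, username, password):
        """Return (accepted, backend) following the quoted three-step order."""
        # Step 1: local net-user database.
        if self.local_net_users.get(username) == password:
            return True, "local"
        # Step 2: WLAN-level RADIUS servers. Assumption: when a WLAN list exists the
        # controller never consults the global list, so an unreachable "fake"
        # server here turns every non-local guest login into a failure.
        if wlan.radius_servers:
            for srv in wlan.radius_servers:
                verdict = srv.access_request(username, password)
                if verdict is not None:
                    return verdict, srv.name
            return False, "wlan-radius-unreachable"
        # Step 3: global servers with "Network User" set receive the guest's credentials.
        for srv in self.global_radius:
            if not srv.network_user:
                continue
            verdict = srv.access_request(username, password)
            if verdict is not None:
                return verdict, srv.name
        return False, "no-backend"


def build(fake_on_guest=False, network_user=True):
    """Constructed lab: one corporate RADIUS, an INTERNAL and a GUEST SSID."""
    corp = RadiusServer("corp-radius", {"alice": "Corp-Pass-1"}, network_user=network_user)
    wlc = Controller(local_net_users={"visitor": "Guest-Pass-1"}, global_radius=[corp])
    internal = Wlan("INTERNAL", [corp])
    guest_servers = [RadiusServer("fake-radius", reachable=False)] if fake_on_guest else []
    guest = Wlan("GUEST", guest_servers)
    return wlc, internal, guest


def scenario(fake_on_guest=False, network_user=True):
    """Who gets in where, and which backend decided it."""
    wlc, internal, guest = build(fake_on_guest, network_user)
    return {
        "internal/alice": wlc.web_auth(internal, "alice", "Corp-Pass-1"),
        "guest/alice": wlc.web_auth(guest, "alice", "Corp-Pass-1"),
        "guest/visitor": wlc.web_auth(guest, "visitor", "Guest-Pass-1"),
    }


if __name__ == "__main__":
    for label, kwargs in [
        ("as reported (no RADIUS on GUEST, Network User checked)", {}),
        ("workaround: fake RADIUS on GUEST", {"fake_on_guest": True}),
        ("fix: Network User unchecked", {"network_user": False}),
    ]:
        print(label)
        for who, (ok, backend) in scenario(**kwargs).items():
            print(f"  {who:16} -> {'ACCEPT' if ok else 'REJECT'} via {backend}")
```

In the "as reported" case the corporate account is accepted on GUEST via corp-radius, which is exactly step 3 leaking internal credentials to an SSID that was never meant to use them. With "Network User" unchecked the INTERNAL SSID still authenticates through its own WLAN-level server, the local guest account still works through step 1, and the corporate account is rejected on GUEST with no backend contacted at all.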
