Web Authentication with MS IAS Server

Unanswered Question
Jul 29th, 2008

I'm trying to configure my 2106 WLC to authenticate with an MS IAS Radius Server. I had this working, but my boss did not want to do any configuration on the client side and now wants to do all authentication through Web authentication with the Radius server. The wireless client connects and is redirected to the login page like they're supposed to, but when I enter my credentials the login fails. However, if I enter the login of a local user to the controller the authentication works.

I see in the logs the following error: AAA Authentication Failure for UserName:chevym User Type: WLAN USER. The authentication is reaching the server too, but the logs don't tell you much.

Here is what is in the server logs:

,chevym,07/29/2008,05:58:16,IAS,TESTLAB1,25,311 1 07/28/2008 17:27:10 48,4127,2,4130,TESTLAB\chevym,4129,TESTLAB\chevym,4154,Use Windows authentication for all users,4155,1,4128,Wireless LAN Controller,4116,9,4108,,4136,3,4142,19

I don't really understand any of that and I'm not really sure if I have the server itself configured correctly for what I want to do. Does anyone have instructions on how to do this?

Scott Fella Tue, 07/29/2008 - 18:50

When you configure your policy in IAS, make sure that the Service-Type is set to login and not framed. It should be in the advanced tab of the policy.

chevymannie Wed, 07/30/2008 - 07:29

Looks like if I type the username and password of a user on the WLC, it works. But as far as RADIUS it doesn't authenticate. Can anyone tell me how to configure RADIUS to work the way I want it?

thefindjack Wed, 07/30/2008 - 12:53

I had a lot of the same problems; here is what I found out to get it to work.

WLC Administrator Login -

Under the IAS Policy go to Advanced and change the "Service-Type" to Administrative, and change "Framed-Protocol" to PPP.

WLC Guest Wireless Login -

Under the IAS policy go to Advanced and change the "Service-Type" to Framed, and change "Framed-Protocol" to PPP.

WLC Lobby Admin Login -

Under the IAS policy go to Advanced and change the "Service-Type" to Callback Administrative, and change "Framed-Protocol" to PPP.

You should have three separate IAS policies, one for each type of login; then you can create a security group in AD for the users of each of these 3 types and add them to the IAS policies accordingly. Then add the people you want to the specified groups and make sure that in your IAS policy you have "Windows-Groups matches "domain\groupname"". It might not be a bad idea to specify the IP address of the controller in the policy conditions as well.

Hope that helps!

chevymannie Fri, 08/29/2008 - 12:23

Tried that also. Still got the same result. As it stands now, I did away with the web page part and have the RADIUS server used to authenticate the connection. I configure the client and when the user tries to connect, they are prompted for their username and password. I still would like to get this working if I could though.

scdladmin Sat, 08/30/2008 - 05:30

I'm working on setting up IAS authentication myself, although not through Web authentication.

If you're seeing these messages in the IAS logs, there should be a corresponding message in the Windows Event log that is in a more readable form.

At the bottom of that is an error code and a short description of what the error is.
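The IAS-format line quoted in the question and the Event Viewer entry scdladmin points to carry the same information; the log file just uses numeric attribute IDs. The following decoder is an added example (not code from this thread, from Cisco or from Microsoft) that turns such a line into the readable form. The attribute-ID, Packet-Type, Authentication-Type, Provider-Type and Reason-Code tables are a partial transcription of Microsoft's IAS log-format documentation, limited to the values needed here; the sample record is the line from the question, embedded verbatim.

```python
# Decoder for one IAS-format log record (comma-separated, no quoting).
# Added example; the lookup tables are partial and come from Microsoft's
# IAS log documentation, not from this thread.

# The first six fields of every IAS-format record, in this order.
HEADER_FIELDS = ("NAS-IP-Address", "User-Name", "Record-Date",
                 "Record-Time", "Service-Name", "Computer-Name")

# Attribute IDs that occur in the question's line (partial table).
IAS_ATTRIBUTE_NAMES = {
    25: "Class",
    4108: "Client-IP-Address",
    4116: "NAS-Manufacturer",
    4127: "Authentication-Type",
    4128: "Client-Friendly-Name",
    4129: "SAM-Account-Name",
    4130: "Fully-Qualified-User-Name",
    4136: "Packet-Type",
    4142: "Reason-Code",
    4154: "Proxy-Policy-Name",
    4155: "Provider-Type",
}
PACKET_TYPES = {1: "Access-Request", 2: "Access-Accept",
                3: "Access-Reject", 4: "Accounting-Request"}
AUTH_TYPES = {1: "PAP", 2: "CHAP", 3: "MS-CHAP", 4: "MS-CHAP v2",
              5: "EAP", 7: "None", 8: "Custom"}
PROVIDER_TYPES = {0: "None", 1: "Windows", 2: "RADIUS proxy"}
REASON_CODES = {
    0: "The operation completed successfully.",
    8: "The specified user account does not exist.",
    16: "Authentication failed due to a user credentials mismatch.",
    19: "The user could not be authenticated using CHAP; a reversibly "
        "encrypted password does not exist for this user account.",
    48: "The connection attempt did not match any remote access policy.",
    65: "The dial-in permission of the user account is set to deny access.",
    66: "The authentication method used is not enabled on the matching policy.",
}


def parse_ias_line(line: str) -> dict:
    """Split a record into the six header fields plus named attributes."""
    fields = line.rstrip("\r\n").split(",")
    if len(fields) < len(HEADER_FIELDS):
        raise ValueError("too few fields for an IAS-format record")
    record = dict(zip(HEADER_FIELDS, fields[:len(HEADER_FIELDS)]))
    attrs = {}
    rest = fields[len(HEADER_FIELDS):]
    # The remainder is id,value,id,value,...; an empty value (e.g. "4108,,")
    # is kept as "", and a trailing id with no value is recorded as "".
    for i in range(0, len(rest), 2):
        try:
            attr_id = int(rest[i])
        except ValueError:
            raise ValueError(f"non-numeric attribute id {rest[i]!r}") from None
        value = rest[i + 1] if i + 1 < len(rest) else ""
        attrs[IAS_ATTRIBUTE_NAMES.get(attr_id, str(attr_id))] = value
    record["attributes"] = attrs
    return record


def decode_enum(table: dict, raw: str) -> str:
    """Map a numeric attribute value to its documented name."""
    if raw == "":
        return "(not logged)"
    try:
        return table.get(int(raw), f"unknown ({raw})")
    except ValueError:
        return f"unparseable ({raw!r})"


def explain(record: dict) -> dict:
    """Decode the fields an administrator looks at first."""
    a = record["attributes"]
    return {
        "user": a.get("Fully-Qualified-User-Name") or record["User-Name"],
        "client": a.get("Client-Friendly-Name", ""),
        "packet_type": decode_enum(PACKET_TYPES, a.get("Packet-Type", "")),
        "authentication_type": decode_enum(AUTH_TYPES, a.get("Authentication-Type", "")),
        "provider": decode_enum(PROVIDER_TYPES, a.get("Provider-Type", "")),
        "reason_code": a.get("Reason-Code", ""),
        "reason": decode_enum(REASON_CODES, a.get("Reason-Code", "")),
    }


def render(record: dict) -> str:
    """Event Viewer style text: one 'Name = value' line per item."""
    e = explain(record)
    return "\n".join([
        f"User {e['user']}: {e['packet_type']} via {e['client'] or '(unknown client)'}",
        f"NAS-IP-Address = {record['NAS-IP-Address'] or '(blank)'}",
        f"Authentication-Type = {e['authentication_type']}",
        f"Authentication-Provider = {e['provider']}",
        f"Proxy-Policy-Name = {record['attributes'].get('Proxy-Policy-Name', '')}",
        f"Reason-Code = {e['reason_code']}",
        f"Reason = {e['reason']}",
    ])


# Sample record: the server log line posted in the question, verbatim.
SAMPLE = (r",chevym,07/29/2008,05:58:16,IAS,TESTLAB1,25,311 1 07/28/2008 17:27:10 48,"
          r"4127,2,4130,TESTLAB\chevym,4129,TESTLAB\chevym,4154,Use Windows "
          r"authentication for all users,4155,1,4128,Wireless LAN Controller,"
          r"4116,9,4108,,4136,3,4142,19")

if __name__ == "__main__":
    print(render(parse_ias_line(SAMPLE)))
```

Run over the question's line, the decoder reports Packet-Type Access-Reject, Authentication-Provider Windows, Authentication-Type CHAP and Reason-Code 19, whose documented meaning is that CHAP cannot be checked against a domain account that has no reversibly encrypted password stored. That is the same detail Event Viewer would show under "Reason". Because storing reversibly encrypted passwords weakens the directory, the safer response to that code is to change the authentication method the NAS sends rather than enable reversible storage for the accounts.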

Scott Fella Sat, 08/30/2008 - 07:29

There should be an error in the event log as to why authentication failed. I also know that if you added any 3rd-party utility to the IAS for authentication, it will not work for authentication other than for that. I had a client that installed a Juniper VPN utility to authenticate VPN users through IAS. The client had to build a new IAS server because the utility added and deleted some DLL files.

chevymannie Wed, 09/03/2008 - 06:06

You are certainly right. I finally got it to work by checking the event logs and noticing that a lot of the things in my remote access policy were not being passed by the client. Thanks to everyone for all their help.

scdladmin Wed, 09/03/2008 - 12:31

I'd kind of like to know what you ended up changing, exactly.

After two weeks, I still haven't been able to make the whole RADIUS authentication setup to function.

The machine authenticates on boot, but any attempt at a login (local admin, cached domain profile, roaming profile) fails.

The event logs are just telling me that the specified user account doesn't exist.

From there, I don't see what else to change on which piece of equipment in what piece of software to get this operational.

Scott Fella Wed, 09/03/2008 - 16:23

What are you trying to accomplish? WebAuth via MS IAS or PEAP? Can you post your event log error so we can see exactly what is happening?

scdladmin Wed, 09/03/2008 - 22:02

I had another thread going on this, but since it appears to be an IAS problem, I've been posting on the MS forum instead of here.

I'm trying to set up wireless laptop-WLC-IAS authentication using PEAP.

The machine authenticates on boot, but any login by any user results in this message in the Windows Event log on the IAS server:

Event Type: Warning
Event Source: IAS
Event Category: None
Event ID: 2
Date: 9/3/2008
Time: 11:00:55 PM
User: N/A
Computer: DC1

User SCOTRNCPQ003.scdl.local was denied access.
Fully-Qualified-User-Name = SCDL\SCOTRNCPQ003.scdl.local
NAS-IP-Address =
NAS-Identifier = scohc0ciswlc
Called-Station-Identifier = 00-21-55-C0-7D-70:Domain Staff
Calling-Station-Identifier = 00-90-4B-4C-92-B7
Client-Friendly-Name = WLAN Controller
Client-IP-Address =
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = 29
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server =
Policy-Name =
Authentication-Type = EAP
EAP-Type =
Reason-Code = 8
Reason = The specified user account does not exist.

The policy is the default connection policy created when installing IAS.

In ADUC, I've tried setting both the machine's and the users' Dial-In properties to Allow Access or Control through policy, with the same result.

I've gone through the policy and there isn't anything there, other than the Day-Time rule which is set to allow access for all hours of the whole day, every day.

In the last few days, I've read about the Ignore User Dial-In properties setting, but can't find where/how you set this.

It sounded to me as if this had been resolved in this thread, so I wanted to know how this had been accomplished.
