Guest Access Redirect accepting AD credentials

Unanswered Question
Aug 1st, 2008

I have a 2106 controller with a guest access SSID on an isolated VLAN 192. The guest SSID is set up for webauth and redirects all traffic to the isolated VLAN 192. There is a RADIUS server handling AD authentications on the native management VLAN. The DHCP scope on the guest access (192) VLAN resides on a WatchGuard firewall. When I connect to the guest SSID with a WLC resident account and password I am allowed internet access fine. When I use an AD account and password from the rest of the network I am also allowed on fine. Anyone seen this before? I should not even be able to see the AD server from the isolated VLAN, much less have the controller see it as a valid login. I get an IP address from the isolated VLAN and I cannot ping my protected (all other VLANs) network. The problem is I cannot monitor content easily or filter where my AD users are going if they connect to the guest SSID. The code is an older version and I will upgrade the unit to 4.1.185 this week, but I suspect the problem will still exist.

dennischolmes Thu, 08/07/2008 - 06:23

I am posting this as I have found my problem. This is bug number CSCsh35098. In this bug, if the Web account for the local user fails, then the authentication request will be forwarded to a RADIUS server if one is configured on the controller. It overrides the WLAN setting to not have RADIUS authentication. The workaround is to change the RADIUS authentication from PAP to CHAP or MD5-CHAP, as this will not allow the RADIUS to authenticate.
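One reason a PAP-to-CHAP change like the one in the post above can stop forwarded guest logins from succeeding, shown as an added example that is not from the original post or from Cisco: with PAP the RADIUS server recovers the cleartext password and can check it against a one-way hash, while a CHAP response can only be checked by a server that holds the cleartext. The example assumes a directory that keeps only one-way hashes (SHA-256 is a stand-in, not the real AD hash), and the secret, password and nonces are constructed sample values.

```python
import hashlib, hmac

def _mask_blocks(data, secret, authenticator, hiding):
    # RFC 2865 5.2: each 16-byte block is XORed with MD5(secret + previous
    # ciphertext block); the first block uses the Request Authenticator.
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], mask))
        out += block
        prev = block if hiding else data[i:i + 16]
    return out

def pap_hide(password, secret, authenticator):
    """What the NAS sends as User-Password (null-padded to 16-byte blocks)."""
    size = max(16, -(-len(password) // 16) * 16)
    return _mask_blocks(password.ljust(size, b"\x00"), secret, authenticator, True)

def pap_recover(hidden, secret, authenticator):
    """What the RADIUS server does: undo the mask and get the cleartext back."""
    return _mask_blocks(hidden, secret, authenticator, False).rstrip(b"\x00")

def chap_response(chap_id, password, challenge):
    """RFC 2865 5.3 CHAP-Password value: MD5(id + password + challenge)."""
    return hashlib.md5(bytes([chap_id]) + password + challenge).digest()

def one_way(password):
    # Stand-in for the directory's stored one-way hash (assumption, not AD's).
    return hashlib.sha256(password).digest()

def server_check_pap(hidden, secret, authenticator, stored_hash):
    recovered = pap_recover(hidden, secret, authenticator)
    return hmac.compare_digest(one_way(recovered), stored_hash)

def server_check_chap(chap_id, response, challenge, cleartext):
    if cleartext is None:   # only a one-way hash on file
        return False        # cannot recompute MD5(id + password + challenge)
    return hmac.compare_digest(chap_response(chap_id, cleartext, challenge), response)

# Constructed sample values (not from the thread).
SECRET = b"shared-secret-example"
AUTHENTICATOR = bytes(range(16))
CHALLENGE = bytes(range(16, 32))
PASSWORD = b"Constructed-Passw0rd-2008"   # 25 bytes, spans two PAP blocks

if __name__ == "__main__":
    hidden = pap_hide(PASSWORD, SECRET, AUTHENTICATOR)
    print("PAP accepted: ", server_check_pap(hidden, SECRET, AUTHENTICATOR, one_way(PASSWORD)))
    resp = chap_response(1, PASSWORD, CHALLENGE)
    print("CHAP accepted:", server_check_chap(1, resp, CHALLENGE, None))
```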

