Guest wireless login problem

Apr 9th, 2009

I have a guest wireless network through my controllers and am using WCS to manage the controllers. The problem I am seeing is when users are prompted to log in to the guest network they can either use the guest user account the lobby ambassador has set up or they can use an AD account if they have one. I have looked through my configuration and must be missing something because everywhere I look says it should be using "default internal" for the authentication. Any ideas where I should be looking that I'm not? Thanks.

runningboy01 Thu, 04/09/2009 - 08:57

How are you wanting them to authenticate? Do you want them to authenticate to the WLC itself or to a radius server?

rtrees Thu, 04/09/2009 - 09:03

For the guest wireless users I only want them authenticating using the WLC's, our lobby ambassador creates the accounts in WCS and it is replicated out to the controllers.

runningboy01 Thu, 04/09/2009 - 09:48

Ok, so I assume that your lobby ambassadors are creating the accounts under Local Net Users in the Security tab. If you want the guests to only associate to the WLC, make sure that on the SSID under Layer 3 security in the AAA tab that there are no Authentication Servers selected. If there are, be sure to remove them. Also, when they create the user in Local Net Users, be sure they are choosing the correct WLAN Profile to assign them to.

rtrees Thu, 04/09/2009 - 09:52

They are logging on as lobby ambassador, which puts them into a screen that only allows them to create guest accounts; it's not the regular administration page for WCS. I checked logging on as an admin on WCS and there are no authentication servers listed, everything is set to "none" on this page.

runningboy01 Thu, 04/09/2009 - 09:57

There may be a different way, but I know for a fact that for Guest Users to authenticate to the WLC, you need to create the account under Local Net Users. I'm not sure if this is able to be done under lobby ambassador as I've never had to use that setup yet. The Local Net Users is in the security tab underneath AAA.

rtrees Thu, 04/09/2009 - 10:18

This is how WCS works, they log into a page on WCS and create the account and WCS pushes it down to the WLC's. This did point me in a direction I hadn't seen before. I have attached the two different screens, one from WCS and one from the controller. What I am curious about now is where do I change the Web-Auth order and configuration in WCS that can then be pushed down to all my controllers?

rtrees Thu, 04/09/2009 - 10:20

BTW, I did change the settings on this controller before taking the screenshot; by default it included local, radius, and ldap. Removing radius and ldap fixed the issue but I'd sure like to push this from WCS.

runningboy01 Thu, 04/09/2009 - 10:27

In the WCS, after clicking on Configure>Controllers, go to Management then choose Authentication Priority.

rtrees Thu, 04/09/2009 - 10:38

This looks like it would be for everything and not just the guest wireless network correct? It doesn't look like there is an option even with that to select only local authentication unless I'm not understanding what it is trying to configure... which is very possible.

runningboy01 Thu, 04/09/2009 - 10:53

That seems to be correct. My best suggestion would be to have one SSID that you are going to give to people that you would like to have Authenticate to the WLC itself. Once you have that SSID, confirm on the WLC that there are no AAA servers configured for it, and by default then clients should be authenticated to the WLC locally.

However, in order for this to work properly, you need to configure Local Net users in the WCS (Configure>Controllers>Security>AAA>Local Net Users)

When you choose add local net user, if you have not created any templates yet for this, you will be prompted for a redirect to do so. Create your template, making sure to choose the SSID you created or are using for Web Auth. In the image attached you will see the layout for the csv file you need to create. The Profile field is where you would put this SSID.

rtrees Thu, 04/09/2009 - 11:39

I appreciate the suggestion here but since there are multiple controllers across the company at different buildings this wouldn't work too well and explaining to the receptionist that they have to hit multiple boxes and copy the same user account setup on each one of them wouldn't go over too well either :-).

Even when there is no Radius associated to a guest WLAN, I found (v4.2) that users on this guest WLAN were authenticated in a Radius server! That is because there usually is a default Radius configured in the WLC (pushable from WCS) under Config > Controller > Security > Radius Auth Server. If you disable (not remove!) this default Radius server, guest authentication is restricted to the WLC itself, even if you associate this Radius to the guest WLAN. However, I don't know how this affects other WLANs, probably you'll have to associate a Radius to every single WLAN (which is, in my opinion, a good idea anyway). Hope this helps.

Scott Fella Sat, 05/09/2009 - 05:44

From my experience, if you have any radius configured on any ssid for EAP authentication and using webauth, internal users can use their network login to access the guest network. The WLC will look up the username and password 1st on the wlc local database and then will try to authenticate the user on any radius server that is configured in the Security AAA server. Even though the radius server is not configured on the WLAN SSID, the wlc will still try to authenticate the user via radius. I have had to configure 3 bogus radius servers and place them on the guest wlan ssid. This way internal users will not be able to log in using their account. Local DB will fail and the bogus AAA servers will fail.

Thanks fella5. Indeed, I found out that you cannot do without at least one default Radius server, if you want to have wireless access for regular users. Then this bogus trick came to my mind as a possible solution, fine to see that I was on the right track.

It would be nice if Cisco made this behaviour a user option. Better still, one should be able to choose freely between all forms of Layer 2 and Layer 3 authentication individually, including the order in which they will be tried.

rtrees Mon, 05/18/2009 - 06:59

Thanks everyone for the suggestion, this sounds like the best option we have but it would be nice if Cisco gave the option.
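
Added example, not part of the thread and not Cisco or WCS code: a small audit that models the fallback behaviour the posters report (web-auth order of local, radius, ldap; fallback to globally configured RADIUS servers when none is assigned to the WLAN) and flags controllers where the guest SSID can still be satisfied by a non-local back end. The data model, field names and the sample fleet are constructed for illustration and do not correspond to any WLC or WCS export format.

```python
from dataclasses import dataclass

# Constructed model of the behaviour described in the thread.
# All class and field names are hypothetical.
@dataclass
class RadiusServer:
    name: str
    enabled: bool = True     # the "disable (not remove!)" workaround
    reachable: bool = True   # False models the "bogus" servers workaround

@dataclass
class Wlan:
    ssid: str
    webauth_order: tuple     # e.g. ("local", "radius", "ldap")
    radius: tuple = ()       # RADIUS servers assigned on the WLAN itself

@dataclass
class Controller:
    name: str
    global_radius: tuple     # servers under Security > AAA
    ldap_configured: bool
    wlans: tuple

def external_sources(ctrl, wlan):
    """Non-local back ends that could accept a web-auth login on this WLAN."""
    hits = []
    for method in wlan.webauth_order:
        if method == "radius":
            # As reported in the thread: with no server on the WLAN, the
            # controller still tries the globally configured servers.
            pool = wlan.radius or ctrl.global_radius
            hits += [f"radius:{s.name}" for s in pool if s.enabled and s.reachable]
        elif method == "ldap" and ctrl.ldap_configured:
            hits.append("ldap")
    return hits

def audit(controllers, guest_ssid):
    """Map controller name -> external back ends reachable from the guest SSID."""
    findings = {}
    for c in controllers:
        for w in c.wlans:
            src = external_sources(c, w) if w.ssid == guest_ssid else []
            if src:
                findings[c.name] = src
    return findings

corp = RadiusServer("corp-radius")  # constructed sample fleet
FLEET = [
    Controller("wlc-default", (corp,), True, (Wlan("guest", ("local", "radius", "ldap")),)),
    Controller("wlc-local-only", (corp,), True, (Wlan("guest", ("local",)),)),
    Controller("wlc-bogus", (corp,), False, (Wlan("guest", ("local", "radius"), (RadiusServer("bogus-1", reachable=False),)),)),
    Controller("wlc-disabled", (RadiusServer("corp-radius", enabled=False),), False, (Wlan("guest", ("local", "radius")),)),
]
```

Calling `audit(FLEET, "guest")` reports only the controller left at the default order; the three workarounds discussed in the thread all come back clean.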

