Web-Auth with 802.1x

Unanswered Question
Apr 27th, 2010

Environment is WLC 2106 with 4 LWAPP access points. Currently running 2 WLANs: 1 using 802.1x authentication with a Windows IAS (RADIUS) server for Active Directory authentication; 1 using basic WEP for guest access that drops the user in its own secure VLAN.

I am trying to create a 3rd WLAN that uses Web-Authentication using 802.1x RADIUS that passes the username/password to the Windows IAS server. I can see the request being passed to the IAS server, but it is being logged on the IAS server as:

An Access-Request message was received from RADIUS client WLAN Controller without a message authenticator attribute when a message authenticator attribute is required. Verify the configuration of the RADIUS client in the Internet Authentication Service snap-in (the "Client must always send the message authenticator attribute in the request" checkbox) and the configuration of the network access server.

I already have the one WLAN using 802.1x where the RADIUS client on the IAS server has the "Request must contain the Message Authenticator attribute" checkbox checked and it works just fine. It is just the Web-Auth using 802.1x where it seems the authentication isn't being passed properly to the RADIUS server. I cannot figure out what I am doing wrong or missing.

Robert.N.Barrett_2 Tue, 04/27/2010 - 11:08

Has the web server been set up as a "client" to your IAS server?  If so, then perhaps the shared secret is not configured properly?

smoore6857 Tue, 04/27/2010 - 11:32

Robert,

Both the IP of the WLC (already there for the existing WLAN 802.1x authentication) and the "default" webpage IP address of 1.1.1.1, which is used for the login page, are set up as clients in IAS. Not sure what else should be added as a RADIUS client on the IAS server. The shared secret is definitely correct as it is the same one currently used for the existing 802.1x authenticated WLAN.

The only other thing I can think of is possibly the Remote Access Policy in the IAS server. I only have 1 configured for use with the authenticated WLAN, where the NAS-Port-Type is "Wireless - IEEE 802.11 OR Wireless - Other". This works fine in the original authenticated WLAN, but I am not sure if something else needs to change or be added since the Web-Auth is actually coming from a webpage instead of a Wireless connection.

amr.momtaz Thu, 05/06/2010 - 01:58

Hi,

I don't know if you have resolved the problem or not, but I will propose my solution anyway.

There are two ways to solve this problem: either make the controller send the RADIUS request with MD5, or make Windows reply to RADIUS requests that do not contain an MD5 hash.

Microsoft Solution:

-------------------------

When you add the RADIUS client using the wizard there are certain options that don't show; for instance, the MD5 attribute that is causing the IAS to drop the web auth requests. So what you need to do is, after you use the wizard, right-click on the client that you added (in our case the WLC) and uncheck the box that says "Access-Request message must contain the Message-Authenticator attribute" (attached is a screenshot).

That should make the IAS respond to the web auth requests.

WLC Solution:

--------------------

I haven't tested this solution, but I think it will work. If you did test it, please let me know how it turned out.

By default, the Web RADIUS Authentication is set to "PAP" (this can be found in the Controller tab of the WLC GUI); you need to set it to MD5-CHAP (attached is another screenshot).

Hope that solves your problem, and please let me know how the problem was solved.
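The IAS event quoted in the question is the server side of the Message-Authenticator attribute (RADIUS attribute type 80, RFC 2869): an HMAC-MD5 keyed with the shared secret over the whole Access-Request, which is the only thing that authenticates the request as a whole, since the PAP User-Password hiding of RFC 2865 protects the password field alone. The following Python script is an added example, not code from this thread, from Cisco or from Microsoft, and it does not claim to show which attributes the WLC actually emits in PAP or MD5-CHAP mode. It builds a PAP-style Access-Request with and without the attribute, using constructed values (the username, password, shared secret and fixed Request Authenticator are all invented for the demo), and runs the same check IAS applies when "Access-Request message must contain the Message-Authenticator attribute" is ticked: a request lacking the attribute is discarded, a request with one computed under the wrong secret or altered in transit is discarded, and a correct one is accepted.

```python
import hashlib
import hmac
import os
import struct

# RADIUS constants (RFC 2865 / RFC 2869)
ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_PORT_TYPE = 61
ATTR_MESSAGE_AUTHENTICATOR = 80
NAS_PORT_TYPE_WIRELESS_80211 = 19
HEADER_LEN = 20  # Code, Identifier, Length, 16-byte Request Authenticator


def hide_password(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """RFC 2865 5.2 User-Password hiding used by PAP: each 16-byte block is XORed with
    MD5(secret + previous ciphertext block); the first block is keyed by the Request
    Authenticator. Only this field is protected; nothing else in the request is."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    hidden, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], pad))
        hidden, prev = hidden + block, block
    return hidden


def reveal_password(hidden: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Inverse of hide_password, as the RADIUS server does before checking the password."""
    plain, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        plain += bytes(c ^ k for c, k in zip(hidden[i:i + 16], pad))
        prev = hidden[i:i + 16]
    return plain.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """One RADIUS TLV: Type (1 byte), Length (1 byte, includes the 2-byte header), Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(username: bytes, password: bytes, secret: bytes, identifier: int = 1,
                         request_authenticator: bytes = None, with_message_authenticator: bool = True) -> bytes:
    """Build an Access-Request the way a NAS would for a PAP web login. With
    with_message_authenticator=True the packet carries Message-Authenticator (type 80):
    HMAC-MD5 keyed with the shared secret over the entire packet, computed with the
    attribute's own 16 value bytes set to zero (RFC 2869 5.14)."""
    ra = request_authenticator or os.urandom(16)
    attrs = (attribute(ATTR_USER_NAME, username)
             + attribute(ATTR_USER_PASSWORD, hide_password(password, secret, ra))
             + attribute(ATTR_NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_WIRELESS_80211)))
    if with_message_authenticator:
        attrs += attribute(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)  # placeholder, filled in below
    packet = struct.pack("!BBH", ACCESS_REQUEST, identifier, HEADER_LEN + len(attrs)) + ra + attrs
    if with_message_authenticator:
        mac = hmac.new(secret, packet, hashlib.md5).digest()
        packet = packet[:-16] + mac  # Message-Authenticator is the last attribute
    return packet


def parse_attributes(packet: bytes):
    """Yield (type, value, offset_of_value) for each attribute, rejecting malformed TLVs."""
    if len(packet) < HEADER_LEN or struct.unpack("!H", packet[2:4])[0] != len(packet):
        raise ValueError("packet length field does not match packet")
    pos = HEADER_LEN
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("bad attribute length")
        yield attr_type, packet[pos + 2:pos + length], pos + 2
        pos += length


def check_message_authenticator(packet: bytes, secret: bytes, required: bool = True):
    """Server-side check mirroring the IAS client option
    'Access-Request message must contain the Message-Authenticator attribute'.
    Returns (accepted, reason)."""
    found = [(v, off) for t, v, off in parse_attributes(packet) if t == ATTR_MESSAGE_AUTHENTICATOR]
    if not found:
        if required:
            return False, "discarded: no Message-Authenticator attribute but one is required"
        return True, "accepted without Message-Authenticator"
    value, off = found[0]
    if len(value) != 16:
        return False, "discarded: malformed Message-Authenticator"
    zeroed = packet[:off] + b"\x00" * 16 + packet[off + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    if hmac.compare_digest(expected, value):
        return True, "accepted: Message-Authenticator verified"
    return False, "discarded: Message-Authenticator mismatch (wrong shared secret or altered packet)"


if __name__ == "__main__":
    secret = b"constructed-shared-secret"  # constructed sample value, not a real secret
    ra = bytes(range(16))                  # fixed Request Authenticator so the run is reproducible
    for flag in (False, True):
        pkt = build_access_request(b"jdoe", b"Passw0rd", secret, request_authenticator=ra,
                                   with_message_authenticator=flag)
        print(f"Message-Authenticator sent={flag}: {check_message_authenticator(pkt, secret)[1]}")
    pkt = build_access_request(b"jdoe", b"Passw0rd", b"wrong-secret", request_authenticator=ra)
    print("wrong secret:", check_message_authenticator(pkt, secret)[1])
```

Running the script prints a discard for the request without the attribute, an accept for the one that carries it, and a discard for the one signed with the wrong secret. The practical reading of the thread in these terms: unticking the IAS box (the "Microsoft solution") makes the server accept the first case, i.e. requests whose only protection is the per-field password hiding, for every request from that client, not just web-auth ones, whereas any WLC setting that results in the attribute being sent keeps the request-level check in place.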
