Guest authentication

Unanswered Question
May 14th, 2010

4402 Wireless LAN Controller

Software Ver.

Some help please. I have a guest network configured and working as expected; we have a guest WLAN, a guest VLAN and an ACL. When I create a guest account, the guests are able to authenticate and gain access to the outside world. However, I have found that our internal users are also able to use this guest WLAN by using their regular accounts, which are managed via a RADIUS server authenticating to an LDAP server. Can anyone tell me how to make sure that only guest accounts have access to the guest WLAN?

I have gone through many papers and articles on the web but so far no luck finding a solution. I did see in some documentation that when a user tries to authenticate they will use one method first and if they fail they will try another, i.e. local account and then RADIUS.

Any help would be greatly appreciated.

mrbzumrbzu Mon, 05/17/2010 - 02:49

Actually I do not know the solution but require some help from you setting the AP.

Can you please tell me how you have set up the guest access on the wireless device that uses username/password credentials? Is it using PEAP with the certificate or without it? Your response will be much appreciated.

Lucas Phelps Mon, 05/17/2010 - 15:32

Are you using web auth for the guest users? Or are you creating accounts for them using a RADIUS scenario?

Are the employees the only ones using RADIUS?

Lucas Phelps Mon, 05/17/2010 - 15:52

If you are using web authentication for your guests and RADIUS for employee authentication, then it sounds exactly like the setup I am running.

  1. On the web interface of the 4402 controller, go to the WLANs, and then click on your guest WLAN to edit its properties.
  2. Go to General tab and make sure it says 'Security Policies: Web-Auth'.
  3. Click Security tab and ensure that the Layer 3 sub-tab says 'Layer 3 Security: None' and 'Web Policy' is checked for 'Authentication'. You may or may not have a Preauthentication ACL.
  4. On the AAA Servers sub-tab, you shouldn't have any Auth, Accounting, or LDAP servers if you are doing web-auth. At the bottom of this section, ensure that Local is the only option used for Authentication.  Not RADIUS or LDAP. (See Pictures)

Murray Bown Mon, 05/17/2010 - 23:59

Thank you all who have replied.

Strangely, I do not have the same options under the AAA Servers section. What version of the software are you running? Or maybe my Guest WLAN has been set up differently to yours.

Do you have any ideas?

Murray Bown Tue, 05/18/2010 - 03:31

So I have found the solution to my problem. After reading a document that outlines the order in which guests are authenticated, I found that changing the global RADIUS configuration as shown below prevents our regular users from accessing the Guest network with their network accounts.

FYI this is what I found.

Q. What occurs when a guest logs on?


A. When a wireless guest logs in through the web portal, the guest anchor controller handles the authentication by performing these steps:

  1. The guest anchor controller checks its local database for username and password, and if they are present, grants access.

  2. If no user credentials are present locally on the guest anchor controller, the guest anchor controller checks WLAN configuration settings to see if an external RADIUS server(s) has been configured for the guest WLAN. If so, the controller creates a RADIUS access-request packet with the username and password and forwards it to the selected RADIUS server for authentication.

  3. If no specific RADIUS servers have been configured for the WLAN, the controller checks its global RADIUS server configuration settings. Any external RADIUS servers configured with the option to authenticate “network user” will be queried with the guest user’s credentials. Otherwise, if no servers have “network user” selected, and the user has not been authenticated through steps 1 or 2, the authentication will fail.
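
The three-step lookup order quoted above, modelled as an added example (not code from the thread or from Cisco) to show why an employee's RADIUS account works on the guest WLAN until "network user" is cleared on the global RADIUS server. All account names, passwords, the server name and the WLAN name are constructed, and treating a local-database mismatch as a fall-through to step 2 is an assumption.

```python
from dataclasses import dataclass, field

@dataclass
class RadiusServer:
    name: str
    network_user: bool   # the global "network user" option from step 3
    accounts: dict       # constructed stand-in for the RADIUS/LDAP backend

@dataclass
class Controller:
    local_db: dict                                   # guest accounts created on the controller
    global_radius: list = field(default_factory=list)
    wlan_radius: dict = field(default_factory=dict)  # WLAN name -> servers set on that WLAN

def web_auth(ctrl, wlan, user, password):
    """Return (granted, deciding_step) following the three quoted steps."""
    if ctrl.local_db.get(user) == password:            # step 1: local database
        return True, "local"
    servers, step = ctrl.wlan_radius.get(wlan), "wlan-radius"   # step 2
    if not servers:                                    # step 3: global servers
        servers = [s for s in ctrl.global_radius if s.network_user]
        step = "global-radius"
    if not servers:
        return False, "no-server"
    return any(s.accounts.get(user) == password for s in servers), step

def reachable_radius(ctrl, wlan):
    """Audit check: names of RADIUS servers a web-auth login on this WLAN can reach."""
    servers = ctrl.wlan_radius.get(wlan) or [s for s in ctrl.global_radius if s.network_user]
    return [s.name for s in servers]

def build(network_user):
    # Constructed sample: one local guest account, one employee account on RADIUS.
    corp = RadiusServer("corp-radius", network_user, {"jsmith": "EmployeePw1"})
    return Controller(local_db={"guest1": "GuestPw1"}, global_radius=[corp])

if __name__ == "__main__":
    for flag in (True, False):
        ctrl = build(flag)
        print("network user =", flag, "| reachable:", reachable_radius(ctrl, "Guest"))
        print("  guest1:", web_auth(ctrl, "Guest", "guest1", "GuestPw1"))
        print("  jsmith:", web_auth(ctrl, "Guest", "jsmith", "EmployeePw1"))
```

An empty result from `reachable_radius` for the guest WLAN means only local guest accounts can pass web authentication there.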

Lucas Phelps Tue, 05/18/2010 - 06:29

Our WLC 4402 is running (upgraded yesterday) to this newest version. However the options that you're missing were there in an earlier release but I can't remember which one.

If you are running pretty old code, I would definitely recommend upgrading it.  It fixed a lot of bugs, and just works better even when using the interface.

Murray Bown Tue, 05/18/2010 - 07:35

We are running ver 4.2.207, but because the APs we have (AP1010) are quite old, the latest version of the software is not supported. What APs are you using?

Lucas Phelps Tue, 05/18/2010 - 07:46

According to the release notes for 6.0.196 that still seems to be the case.  The 1010 was only supported up to 4.2.207, what a bummer.

I'm running the newer Cisco 1142 N APs and a few 1252 N APs

Murray Bown Tue, 05/18/2010 - 08:18

As you say "what a bummer"

Thanks for your time and see you around sometime.
