Anchor / Foreign RADIUS Source Problem

Unanswered Question
Sep 23rd, 2010

I have guest wireless set up with web auth and tied to RADIUS using an anchor controller. When I enter my AD credentials on the web auth page the anchor controller contacts the ACS for RADIUS authentication properly.

When I add a second WLAN using WPA2-Enterprise (802.1x) for BYOC ("bring your own computer" - like iPhones, employee personal computers, etc.) and tie them to the anchor controller, the RADIUS authentication incorrectly sources from the internal foreign controller and not the anchor controller. This makes it hit the incorrect rules in ACS since I have it set up so that if the request comes from the foreign controller (for the corporate WPA2-Enterprise) then I check against machine name (domain computers), and if it comes from the anchor controller I test against username (domain users). This makes it so that it only works when you set the client to use machine authentication, which won't work for non-domain computers (and of course none of the BYOC devices are joined to the domain).

I have a TAC case open, but so far we haven't figured out why the RADIUS request sources from the foreign controller and not the anchor controller like it should. I'm running 6.0.196.0. Is this a bug in that version? Is there a setting that can be changed on the foreign controller to force the anchor to do the authentication request?

I've tried deleting both WLANs, rebooting both controllers, recreating only the BYOC WLAN on a previously unused index number... same result. The guest web auth one sources from the anchor and the 802.1x one sources from the foreign controller.

Thanks,

Steve

steveklein Thu, 09/23/2010 - 13:38

So, TAC has come back and confirmed that the 802.1x authentication indeed comes from the foreign controller and not the anchor. What is a unique thing I can test against in ACS then? If both conversations come from the same controller IPs and are both RADIUS (both are WPA2-Enterprise - 802.1x), what is unique between the one I want to use machine authentication and the one I want to use user authentication? I don't see how I'm going to differentiate the two.

steveklein Wed, 12/15/2010 - 08:59

I figured this out a couple of months ago and wanted to update the post in case anyone else runs into the same issue.

Using ACS 5.1 I created a compound condition which tests against the RADIUS-IETF attribute Called-Station-ID and matches on the SSID.

RADIUS-IETF:Called-Station-ID contains wwtbyoc
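To show why the Called-Station-ID condition works where a NAS-IP-based rule does not, here is an added example (not part of the original thread or of any Cisco product) that models the policy selection in Python. It assumes the controller sends Called-Station-Id as "AP-MAC:SSID" (the WLC option that appends the SSID to the AP MAC); the controller addresses, the corporate SSID name and the sample requests are constructed placeholders.

```python
import re
from typing import Optional, Tuple

# Constructed placeholder addresses (RFC 5737 documentation range), not real controllers.
FOREIGN_CONTROLLER_IP = "192.0.2.10"
ANCHOR_CONTROLLER_IP = "192.0.2.20"

# SSID from the post; the corporate SSID below is a hypothetical name.
BYOC_SSID = "wwtbyoc"

# Constructed sample Access-Requests (not captured traffic). Both 802.1X WLANs
# arrive from the same foreign controller IP, so NAS-IP-Address alone cannot
# separate them; only the SSID suffix in Called-Station-Id differs.
SAMPLE_REQUESTS = [
    {"NAS-IP-Address": FOREIGN_CONTROLLER_IP,
     "Called-Station-Id": "00-11-22-33-44-55:corp-wpa2",
     "User-Name": "host/laptop01.example.com"},
    {"NAS-IP-Address": FOREIGN_CONTROLLER_IP,
     "Called-Station-Id": "00-11-22-33-44-55:wwtbyoc",
     "User-Name": "jsmith"},
    {"NAS-IP-Address": ANCHOR_CONTROLLER_IP,
     "Called-Station-Id": "00-11-22-33-44-66",      # no SSID suffix configured
     "User-Name": "guest1"},
]

# AP MAC with -, : or . separators, optionally followed by ":SSID".
MAC_SSID_RE = re.compile(r"^([0-9A-Fa-f]{2}(?:[-:.][0-9A-Fa-f]{2}){5})(?::(.+))?$")


def parse_called_station_id(value: str) -> Tuple[Optional[str], Optional[str]]:
    """Split a WLC-style Called-Station-Id into (ap_mac, ssid).

    The SSID is only present when the controller is configured to append it;
    ssid is None otherwise, and both parts are None if the value is not a MAC.
    """
    m = MAC_SSID_RE.match(value.strip())
    if not m:
        return None, None
    return m.group(1).lower(), m.group(2)


def ssid_contains(value: str, needle: str) -> bool:
    """ACS 'contains' semantics on the raw attribute string (case-insensitive)."""
    return needle.lower() in value.lower()


def select_by_nas_ip_only(request: dict) -> str:
    """The original rule set: anchor -> user account, foreign -> machine account.

    This misclassifies the BYOC WLAN, because its 802.1X request is sourced
    from the foreign controller just like the corporate WLAN.
    """
    if request.get("NAS-IP-Address") == ANCHOR_CONTROLLER_IP:
        return "user"
    return "machine"


def select_identity_check(request: dict) -> str:
    """The corrected rule set: add a Called-Station-Id condition for the BYOC SSID.

    Returns 'user' (check the domain user account) or 'machine' (check the
    domain computer account).
    """
    if request.get("NAS-IP-Address") == ANCHOR_CONTROLLER_IP:
        return "user"
    if ssid_contains(request.get("Called-Station-Id", ""), BYOC_SSID):
        return "user"
    return "machine"


if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        mac, ssid = parse_called_station_id(req["Called-Station-Id"])
        print(f"{req['NAS-IP-Address']:>12} ssid={ssid!s:<10} "
              f"nas-ip-only={select_by_nas_ip_only(req):<8} "
              f"with-ssid={select_identity_check(req)}")
```

Running the block prints one line per sample request; the second request (the BYOC user from the foreign controller) is the one that flips from "machine" to "user" once the SSID condition is present. Matching on the full parsed SSID rather than "contains" is stricter if one SSID name is a prefix of another.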

scottbreslin Mon, 01/30/2012 - 12:08

I know that this is an old post, but I have a similar issue where a client wants to be able to anchor several SSIDs between several different sites belonging to disparate networks, and so be able to authenticate users against their home RADIUS/anchor controller as if they were actually at their home site when physically located at the remote site.

I was under the impression that this would work, as it isn't documented in any Cisco documentation, that is until I discovered this support posting.

Therefore, I was wondering if this had now changed in later code versions and/or what alternatives can be configured to allow this design scenario to work - maybe something clever with ACS rules or attributes?

Thanks
