Troubleshooting Nac Guest Server Authentication Error

Unanswered Question
Apr 30th, 2011

Hello Everybody,

I installed NGS 2.0.2 for wireless guest user management and authentication. I implement webauth via webauth page on wlc deployed.

One Branch with a WLC5508 version 7.0 wireless anchor controller is working on the NGS.

But now I integrate next branch with WLC4402 version 6.0.188 and the authentication of users at the new branch gets an error, wrong user/password.

I double checked configuration and user/password but I can't find any configuration error. Also stopping and starting of radius service and reboot of NGS still does not help.

I tried to debug the radius via web interface and watched for the loggfile and there is still a reject.

I also tried the freeradius command radiusd -X but I got an error when starting the radiusd -X.

1.) How can I figure out, if I will get the correct password from my WLC ?

Are there any debug options to see more ? e.g. some cli commands, radiustest utilities or did someone know how to get the received password from the chap challenge of the debug ?

2.) I have appended a part from my radius loggfile. How can I find the detailed error in the radius loggfile ?

     Is it correct that the password in the debug file is empty ?

     raiuds logg line "[radius-user-auth] expand: %{User-Password} -> "

Best Regards

Alois

Attachment: 
I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Average Rating: 0 (0 ratings)
Vinay Sharma Mon, 05/09/2011 - 07:57

Hi Alois,

This looks more a AAA related issue so moving it to AAA domain for faster response from Experts.

thanks,

Vinay

alois.heilmaier... Fri, 09/23/2011 - 04:21

Hi,

updated WLC4402 to version 7.0.98.0, same version is on WLC5508.

But WLC4402 has the same problem for authentication, like with 6.0.188 again.

Any suggestions on this problem ?

Best Regards

Alois

alois.heilmaier... Tue, 12/27/2011 - 01:59

Hello,

think I found the error.

Config guide for external web-auth showed radius-auth method is configurable.

http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008067489f.shtml

"config custom-web radiusauth "

Config guide of NGS has a small but important note:

http://www.cisco.com/en/US/docs/security/nac/guestserver/configuration_guide/20/g_radius.html

"NAC Guest Server supports only PAP in RADIUS Authentication"

So I checked my configurations (show custom-web all), and now I see the error.

Working controller has PAP authentication configured, failed controller has CHAP authentication configured.

I will change the congfiguration and test it, but I think that's the problem, because NGS does not support CHAP based authentication.

Best Regards

Alois

Actions

Login or Register to take actions

This Discussion

Posted April 30, 2011 at 6:38 AM
Stats:
Replies:3 Avg. Rating:
Views:1416 Votes:0
Shares:0

Related Content

Discussions Leaderboard