Troubleshooting Nac Guest Server Authentication Error

Unanswered Question
Apr 30th, 2011
User Badges:

Hello Everybody,


I installed NGS 2.0.2 for wireless guest user management and authentication. I implement webauth via webauth page on wlc deployed.

One Branch with a WLC5508 version 7.0 wireless anchor controller is working on the NGS.

But now I integrate next branch with WLC4402 version 6.0.188 and the authentication of users at the new branch gets an error, wrong user/password.


I double checked configuration and user/password but I can't find any configuration error. Also stopping and starting of radius service and reboot of NGS still does not help.


I tried to debug the radius via web interface and watched for the loggfile and there is still a reject.


I also tried the freeradius command radiusd -X but I got an error when starting the radiusd -X.


1.) How can I figure out, if I will get the correct password from my WLC ?

Are there any debug options to see more ? e.g. some cli commands, radiustest utilities or did someone know how to get the received password from the chap challenge of the debug ?


2.) I have appended a part from my radius loggfile. How can I find the detailed error in the radius loggfile ?

     Is it correct that the password in the debug file is empty ?

     raiuds logg line "[radius-user-auth] expand: %{User-Password} -> "


Best Regards

Alois

Attachment: 
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Vinay Sharma Mon, 05/09/2011 - 07:57
User Badges:
  • Gold, 750 points or more

Hi Alois,


This looks more a AAA related issue so moving it to AAA domain for faster response from Experts.


thanks,

Vinay

alois.heilmaier... Fri, 09/23/2011 - 04:21
User Badges:

Hi,


updated WLC4402 to version 7.0.98.0, same version is on WLC5508.

But WLC4402 has the same problem for authentication, like with 6.0.188 again.


Any suggestions on this problem ?


Best Regards

Alois

alois.heilmaier... Tue, 12/27/2011 - 01:59
User Badges:

Hello,


think I found the error.


Config guide for external web-auth showed radius-auth method is configurable.

http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008067489f.shtml

"config custom-web radiusauth "


Config guide of NGS has a small but important note:

http://www.cisco.com/en/US/docs/security/nac/guestserver/configuration_guide/20/g_radius.html

"NAC Guest Server supports only PAP in RADIUS Authentication"


So I checked my configurations (show custom-web all), and now I see the error.

Working controller has PAP authentication configured, failed controller has CHAP authentication configured.


I will change the congfiguration and test it, but I think that's the problem, because NGS does not support CHAP based authentication.


Best Regards

Alois

Actions

This Discussion

Related Content