Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2063
Views
0
Helpful
3
Replies

Troubleshooting Nac Guest Server Authentication Error

alois.heilmaier
Level 1
Level 1

‎04-30-2011 06:38 AM - edited ‎03-10-2019 06:02 PM

Hello Everybody,

I installed NGS 2.0.2 for wireless guest user management and authentication. I implement webauth via webauth page on wlc deployed.

One Branch with a WLC5508 version 7.0 wireless anchor controller is working on the NGS.

But now I integrate next branch with WLC4402 version 6.0.188 and the authentication of users at the new branch gets an error, wrong user/password.

I double checked configuration and user/password but I can't find any configuration error. Also stopping and starting of radius service and reboot of NGS still does not help.

I tried to debug the radius via web interface and watched for the loggfile and there is still a reject.

I also tried the freeradius command radiusd -X but I got an error when starting the radiusd -X.

1.) How can I figure out, if I will get the correct password from my WLC ?

Are there any debug options to see more ? e.g. some cli commands, radiustest utilities or did someone know how to get the received password from the chap challenge of the debug ?

2.) I have appended a part from my radius loggfile. How can I find the detailed error in the radius loggfile ?

     Is it correct that the password in the debug file is empty ?

     raiuds logg line "[radius-user-auth] expand: %{User-Password} -> "

Best Regards

Alois

Labels:
Preview file
5 KB
0 Helpful
3 Replies 3

Vinay Sharma
Level 7
Level 7

‎05-09-2011 07:57 AM

Hi Alois,

This looks more a AAA related issue so moving it to AAA domain for faster response from Experts.

thanks,

Vinay

Thanks & Regards
0 Helpful

alois.heilmaier
Level 1
Level 1

‎09-23-2011 04:21 AM

Hi,

updated WLC4402 to version 7.0.98.0, same version is on WLC5508.

But WLC4402 has the same problem for authentication, like with 6.0.188 again.

Any suggestions on this problem ?

Best Regards

Alois

0 Helpful

alois.heilmaier
Level 1
Level 1
In response to alois.heilmaier

‎12-27-2011 01:59 AM

Hello,

think I found the error.

Config guide for external web-auth showed radius-auth method is configurable.

http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008067489f.shtml

"config custom-web radiusauth "

Config guide of NGS has a small but important note:

http://www.cisco.com/en/US/docs/security/nac/guestserver/configuration_guide/20/g_radius.html

"NAC Guest Server supports only PAP in RADIUS Authentication"

So I checked my configurations (show custom-web all), and now I see the error.

Working controller has PAP authentication configured, failed controller has CHAP authentication configured.

I will change the congfiguration and test it, but I think that's the problem, because NGS does not support CHAP based authentication.

Best Regards

Alois

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents