Guest authentication via ACS

Unanswered Question
Jan 16th, 2012


I'm currently looking at implementing a Guest solution utilising AD accounts for authentication.

The current idea for the implementation is as follows: Guests connect through to the Anchor controller via the configured SSID, and configuration on the anchor WLC calls out to use an ACS server configured under Radius - Authentication.

This ACS device, which is a member of our AD domain, will then be able to supply the relevant user credentials when a client inputs their details within the web authentication page.

Firstly, is this even possible? From the documentation I've seen it appears to be, though most documentation appears to call out creating local accounts on the ACS, rather than using Windows AD accounts via the configured Windows external database. Secondly, if it is possible, I'm assuming it's very much a scenario of: if a user has an account they'll be granted access, and if a user doesn't have an account then they'll be denied access. If we wanted to actually control connectivity through Group membership, then we'd need to look at using LDAP as the authentication mechanism from the WLC?



Scott Fella Mon, 01/16/2012 - 09:45

If you want to use ACS you can... the reason you would want to use local accounts in ACS is because you don't want to create guest accounts in AD. So what you have to do is create local guest accounts in ACS and then you can create rules in ACS either permitting or rejecting users.

Daniel Anderson Mon, 01/16/2012 - 09:49

Thanks again, Scott.

It's slightly strange reasoning, but we do actually want to use the accounts within AD, they'll likely be connections running into the 100s, so creating the accounts locally isn't something we're looking at doing.

Scott Fella Mon, 01/16/2012 - 09:53

You can do that too... ACS can authenticate guests, just create a guest group in AD and point to that.


Scott Fella

Sent from my iPhone

Stephen Rodriguez Mon, 01/16/2012 - 09:53

The ACS will just send the auth request to the configured backend server. So long as the credentials are valid, the server sends a message to the ACS, then ACS sends the accept back to the WLC. Works just like going to the local db on the WLC or the db in ACS.

Most companies don't want to bloat the AD with guest credentials, so they use ACS or the local db on the WLC, with the lobby admin creating the account. So long as you push the WLC db to 2048 it should hold the guest users fine, then remove them after they expire.


Sent from Cisco Technical Support iPad App

Daniel Anderson Tue, 01/17/2012 - 01:43

Thanks both.

I made the changes to the anchor controller last night, applying our ACS as a Radius authentication server. Now, when I attempt to authenticate, I can see the login attempt hit the ACS, but I'm getting an Authentication failed message on the WebAuth page. Looking at the Failed Attempts log on the ACS, I can see the error below:

16/01/2012 17:18:45 Authen failed **User ID** Default Group 172.22.62.21 (Default) Internal error.... **User ID**

I can find my User ID as it's listed above within the User list on the ACS, so I'm confident it exists and I'm using the correct password. Would there be some additional config changes I'd need to make on the ACS in order to get authentication working?

Finally, and apologies for the additional questions, but if I looked to control authentication on a more granular basis, how would I configure the ACS to use a single AD group to allow authentication, eg, if a user is a member of a particular AD group, then the ACS will grant access, and if not, access will be denied.

Thanks again for all your assistance
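As an added illustration (not code from the thread or from Cisco), here is a small triage script for ACS Failed Attempts entries like the one quoted above. It separates "Internal error" entries, which indicate ACS could not complete the lookup against the external database, from ordinary bad-credential failures. It assumes a tab-separated export with the columns Date, Time, Message-Type, User-Name, Group-Name, NAS-IP and Authen-Failure-Code (a layout modelled on the fields visible in the post, not an official schema); the sample lines and the failure strings other than "Internal error" are constructed.

```python
import csv
import io
from collections import Counter

# Assumed column layout for an ACS Failed Attempts export (tab-separated);
# modelled on the fields visible in the post, not an official ACS schema.
FIELDS = ["date", "time", "message_type", "user", "group", "nas_ip", "failure_code"]

# Constructed sample lines. "Internal error" is the message the poster saw;
# the other failure strings are illustrative values.
SAMPLE_LOG = """\
16/01/2012\t17:18:45\tAuthen failed\tguest01\tDefault Group\t172.22.62.21\tInternal error
16/01/2012\t17:19:02\tAuthen failed\tguest01\tDefault Group\t172.22.62.21\tInternal error
16/01/2012\t17:20:10\tAuthen failed\tguest02\tDefault Group\t172.22.62.21\tExternal DB user invalid or bad password
16/01/2012\t17:21:33\tAuthen failed\tguest03\tDefault Group\t172.22.62.21\tCS user unknown
"""


def parse_failed_attempts(text):
    """Parse the export into one dict per entry, keyed by FIELDS."""
    reader = csv.reader(io.StringIO(text), delimiter="\t")
    return [dict(zip(FIELDS, row)) for row in reader if len(row) >= len(FIELDS)]


def classify(entry):
    """Separate backend/integration failures from ordinary credential failures.

    "Internal error" means ACS could not complete the lookup against the
    external database (in the thread, an ACS/AD version mismatch). That is an
    infrastructure fault, not a wrong password, so it should be routed to the
    ACS owner rather than counted as a bad-password event.
    """
    if "internal error" in entry["failure_code"].lower():
        return "backend_failure"
    return "credential_failure"


def triage(text):
    """Return per-class counts and the users affected by backend failures."""
    entries = parse_failed_attempts(text)
    counts = Counter(classify(e) for e in entries)
    backend_users = sorted({e["user"] for e in entries if classify(e) == "backend_failure"})
    return counts, backend_users


if __name__ == "__main__":
    counts, users = triage(SAMPLE_LOG)
    print(dict(counts), users)
```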

Daniel Anderson Tue, 02/14/2012 - 03:52

Just to add some more information to this - our issue was caused by an incompatibility between our ACS version and the version of Active Directory that was running (2008).

We upgraded ACS to Release 4.2(1) Build 15 Patch 7 and the authentication worked as expected.

