01-16-2012 09:30 AM - edited 07-03-2021 09:23 PM
Hi,
I'm currently looking at implementing a Guest solution utilising AD accounts for authentication.
The current idea for the implementation is as follows: Guests connect through to the Anchor controller via the configured SSID, and configuration on the anchor WLC calls out to use an ACS server configured under Radius - Authentication.
This ACS device, which is a member of our AD domain, will then be able to supply the relevant user credentials when a client inputs their details within the web authentication page.
Firstly, is this even possible? From the documentation I've seen on Cisco.com it appears to be, though most documentation appears to call out creating local accounts on the ACS, rather than using Windows AD accounts via the configured Windows external database. Secondly, if it is possible, I'm assuming it's very much a scenario of: if a user has an account they'll be granted access, and if a user doesn't have an account then they'll be denied access. If we wanted to actually control connectivity through Group membership, then we'd need to look at using LDAP as the authentication mechanism from the WLC?
TIA,
Dan
01-16-2012 09:45 AM
If you want to use ACS you can... the reason you would want to use local accounts in ACS is because you don't want to create guest accounts in AD. So what you have to do is create local guest accounts in ACS and then you can create rules in ACS either permitting or rejecting users.
01-16-2012 09:49 AM
Thanks again, Scott.
It's slightly strange reasoning, but we do actually want to use the accounts within AD, they'll likely be connections running into the 100s, so creating the accounts locally isn't something we're looking at doing.
01-16-2012 09:53 AM
You can do that too... ACS can authenticate guests, just create a guest group in AD and point to that.
Thanks,
Scott Fella
Sent from my iPhone
01-16-2012 09:53 AM
The ACS will just send the auth request to the configured backend server; so long as the credentials are valid, the server sends a message to the ACS, then ACS sends the accept back to the WLC. Works just like going to the local db on the WLC or the db in ACS.
Most companies don't want to bloat the AD with guest credentials, so they use ACS or the local db on the WLC, with the lobby admin creating the account. So long as you push the WLC db to 2048 it should hold the guest users fine, then remove them after they expire.
Steve
Sent from Cisco Technical Support iPad App
01-17-2012 01:43 AM
Thanks both.
I made the changes to the anchor controller last night, applying our ACS as a Radius authentication server. Now, when I attempt to authenticate, I can see the login attempt hit the ACS, but I'm getting an Authentication failed message on the WebAuth page. Looking at the Failed Attempts log on the ACS, I can see the error below:
16/01/2012 | 17:18:45 | Authen failed | **User ID** | Default Group | 172.22.62.21 | (Default) | Internal error | .. | .. | **User ID** | 172.22.64.39 | .. | .. | .. | .. | .. | NGMWLC11 | WLCs |
I can find my User ID as it's listed above within the User list on the ACS, so I'm confident it exists and I'm using the correct password. Would there be some additional config changes I'd need to make on the ACS in order to get authentication working?
Finally, and apologies for the additional questions, but if I looked to control authentication on a more granular basis, how would I configure the ACS to use a single AD group to allow authentication? E.g., if a user is a member of a particular AD group, then the ACS will grant access, and if not, access will be denied.
Thanks again for all your assistance
01-17-2012 01:48 AM
What version of ACS?
Sent from Cisco Technical Support iPhone App
01-17-2012 02:22 AM
Release 4.0(1) Build 27
02-14-2012 03:52 AM
Just to add some more information to this: our issue was caused by incompatibility between our ACS version and the version of Active Directory that was running (2008).
We upgraded ACS to Release 4.2(1) Build 15 Patch 7 and the authentication worked as expected.