Buy or Renew
Buy or Renew
Cisco Virtual Engineer generative AI bot now active in Wireless Discussion Forum. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2044
Views
0
Helpful
8
Replies

Guest authentication via ACS

Daniel Anderson
Level 1
Level 1

‎01-16-2012 09:30 AM - edited ‎07-03-2021 09:23 PM

Hi,

I'm currently looking at implementing a Guest solution utilising AD accounts for authentication.

The current idea for the implementation is as follows, Guests connect through to the Anchor controller via the configured SSID, configuration on the anchor WLC calls out to use an ACS server configured under Radius - Authentication.

This ACS device, which is a member of our AD domain, will then be able to supply the relevant user credentials when a client inputs their details within the web authentication page.

Firstly, is this even possible, from the documentation I've seen on Cisco.com it appears to be, though most documentation appears to call out creating local accounts on the ACS, rather than using Windows AD accounts via the configured Windows external database. Secondly, if it is possible, I'm assuming it's very much a scenario of, a user has an account they'll be granted access, and if a user doesn't have an account then they'll be denied access. If we wanted to actually control connectivity through Group membership, then we'd need to look at using LDAP as the authentiation mechanism from the WLC?

TIA,

Dan

Labels:
0 Helpful
8 Replies 8

Scott Fella
Hall of Fame
Hall of Fame

‎01-16-2012 09:45 AM

If you want to use ACS you can... the reason you would want to use local accounts in ACS is because you don't want to create guest accounts in AD.  SO what you have to do is create local guest accounts in ACS and then you can crate rules in ACS either permitting or rejecting users.

-Scott
*** Please rate helpful posts ***
0 Helpful

Daniel Anderson
Level 1
Level 1
In response to Scott Fella

‎01-16-2012 09:49 AM

Thanks again, Scott.

It's slightly strange reasoning, but we do actually want to use the accounts within AD, they'll likely be connections running into the 100s, so creating the accounts locally isn't something we're looking at doing.

0 Helpful

Scott Fella
Hall of Fame
Hall of Fame
In response to Daniel Anderson

‎01-16-2012 09:53 AM

You can do that too... ACS can authenticate guest, just creat a guest group in AD and point to that.

Thanks,

Scott Fella

Sent from my iPhone

-Scott
*** Please rate helpful posts ***
0 Helpful

Stephen Rodriguez
Cisco Employee
Cisco Employee
In response to Daniel Anderson

‎01-16-2012 09:53 AM

the ACS will just send the auth request to the configured backed server so long as the credentials are valid the server sends a message to the ACS then ACS sends the accept back to the WLC. Works just like going to the local db on the WLC or the db in ACS.

Most companies don't want to bloat e AD with guest credentials, so they use ACS or the local db on the WLC, with the lobby admin creating the account. So long as you push the WLC db to 2048 it should hold the guest users fine, the re,I've the, after the expire.

Steve

Sent from Cisco Technical Support iPad App

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered
0 Helpful

Daniel Anderson
Level 1
Level 1
In response to Stephen Rodriguez

‎01-17-2012 01:43 AM

Thanks both.

I made the changes to the anchor controller last night, applying our ACS as a Radius authentication server. Now, when I attempt to authenticate, I can see the login attempt hit the ACS, but I'm getting an Authentication failed message on the WebAuth page. Looking at the Failed Attempts log on the ACS, I can see the error below:

16/01/201217:18:45Authen failed**User ID**Default Group172.22.62.21(Default)Internal error....**User ID**172.22.64.39..........NGMWLC11WLCs


I can find my User ID as it's listed above within the User list on the ACS, so I'm confident it exists and I'm using the correct password. Would there be some additional config changes I'd need to make on the ACS in order to get authentication working?

Finally, and apologies for the additional questions, but if I looked to control authentication on a more granular basis, how would I configure the ACS to use a single AD group to allow authentication, eg, if a user is a member of a particular AD group, then the ACS will grant access, and if not, access will be denied.

Thanks again for all your assistance

0 Helpful

Scott Fella
Hall of Fame
Hall of Fame

‎01-17-2012 01:48 AM

What version of ACS?

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***
0 Helpful

Daniel Anderson
Level 1
Level 1
In response to Scott Fella

‎01-17-2012 02:22 AM

Release 4.0(1) Build 27

0 Helpful

Daniel Anderson
Level 1
Level 1
In response to Daniel Anderson

‎02-14-2012 03:52 AM

Just to add some more information to this - Our issue was caused by incompatibility between our ACS version and the version of Active Directory that was running (2008)

We upgraded ACS to Release 4.2(1) Build 15 Patch 7 and the authentication worked as expected.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card