4402 Wireless LAN Controller
Software Ver. 126.96.36.199
Some help please. I have a guest network configured and working as expected; we have a guest WLAN, a guest VLAN and an ACL. When I create a Guest account they are able to authenticate and gain access to the outside world. However, I have found that our internal users are also able to use this guest WLAN by using their regular accounts that are managed via a RADIUS server authenticating to an LDAP server. Can anyone tell me how to make sure that only guest accounts have access to the guest WLAN?
I have gone through many papers and articles on the web but so far no luck finding a solution. I did see in some documentation that when a user tries to authenticate they will use one method first and if they fail they will try another, i.e. local account and then RADIUS.
Any help would be greatly appreciated.
Actually I don't know the solution, but I require some help from you with setting up the AP.
Can you please tell me how you have set up the guest access on the wireless device that uses username/password credentials? Is it using PEAP with the certificate or without it? Your response will be much appreciated.
Are you using web auth for the guest users? or are you creating accounts for them using a RADIUS scenario?
Are the employees the only ones using RADIUS?
If you are using web authentication for your guests and Radius for employee authentication, then it sounds exactly like the setup I am running.
Thank you all who have replied.
Strangely I do not have the same options under the AAA Servers section. What version of the software are you running, or maybe my Guest WLAN has been set up differently to yours?
Do you have any ideas?
So I have found the solution to my problem. After reading a document that outlines the order in which guests are authenticated, I found that changing the global RADIUS configuration as shown below prevents our regular users from accessing the Guest network with their network accounts.
FYI this is what I found.
A. When a wireless guest logs in through the web portal, the guest anchor controller handles the authentication by performing these steps:
1. The guest anchor controller checks its local database for username and password, and if they are present, grants access.
2. If no user credentials are present locally on the guest anchor controller, the guest anchor controller checks WLAN configuration settings to see if an external RADIUS server(s) has been configured for the guest WLAN. If so, the controller creates a RADIUS access-request packet with the username and password and forwards it to the selected RADIUS server for authentication.
3. If no specific RADIUS servers have been configured for the WLAN, the controller checks its global RADIUS server configuration settings. Any external RADIUS servers configured with the option to authenticate “network user” will be queried with the guest user’s credentials. Otherwise, if no servers have “network user” selected, and the user has not been authenticated through steps 1 or 2, the authentication will fail.
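The three-step lookup order quoted above, modelled as an added example (not Cisco's code and not part of the original posts). The class and field names are hypothetical and the accounts are constructed; it shows why an employee account passes guest web auth until the global server's "network user" option is cleared.

```python
from dataclasses import dataclass, field

@dataclass
class RadiusServer:
    name: str
    users: dict                  # username -> password, stand-in for the LDAP-backed directory
    network_user: bool = True    # the global "network user" option from the quoted text

    def accept(self, user, pw):
        return self.users.get(user) == pw

@dataclass
class AnchorController:
    local_db: dict                                     # guest accounts created on the controller
    wlan_radius: list = field(default_factory=list)    # servers set on the guest WLAN itself
    global_radius: list = field(default_factory=list)  # global RADIUS server list

    def web_auth(self, user, pw):
        """Return (granted, deciding_step) following the quoted order."""
        # Step 1: local database. Simplification: a non-matching entry falls through.
        if self.local_db.get(user) == pw:
            return True, "local database"
        # Step 2: RADIUS servers configured on the WLAN take over if any exist.
        if self.wlan_radius:
            return any(s.accept(user, pw) for s in self.wlan_radius), "WLAN RADIUS"
        # Step 3: only global servers flagged "network user" are queried.
        eligible = [s for s in self.global_radius if s.network_user]
        if eligible:
            return any(s.accept(user, pw) for s in eligible), "global RADIUS"
        return False, "no eligible server"

def demo():
    # Constructed accounts: one employee in the directory, one local guest.
    corp = RadiusServer("corp-radius", {"jsmith": "Emp!oyee1"})
    wlc = AnchorController(local_db={"guest01": "Welcome123"}, global_radius=[corp])
    before = wlc.web_auth("jsmith", "Emp!oyee1")   # employee reaches step 3
    corp.network_user = False                      # the change described in the post
    after = wlc.web_auth("jsmith", "Emp!oyee1")
    guest = wlc.web_auth("guest01", "Welcome123")  # guests still pass at step 1
    return before, after, guest

if __name__ == "__main__":
    for label, result in zip(("employee before", "employee after", "guest"), demo()):
        print(label, result)
```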
Our WLC 4402 is running 188.8.131.52 (upgraded yesterday) to this newest version. However, the options that you're missing were there in an earlier release, but I can't remember which one.
If you are running pretty old code, I would definitely recommend upgrading it. It fixed a lot of bugs, and just works better even when using the interface.
We are running ver 4.2.207, but because the APs we have (AP1010) are quite old, the latest version of the software is not supported. What APs are you using?
According to the release notes for 6.0.196 that still seems to be the case. The 1010 was only supported up to 4.2.207, what a bummer.
I'm running the newer Cisco 1142 N APs and a few 1252 N APs