05-28-2008 05:03 AM - edited 07-03-2021 03:56 PM
Hello,
I need help setting up a Cisco 4402 Wireless controller. I want to have users automatically connect to the wireless network, but not have access to any network resources until they open a web browser and supply their domain username and password or a guest account supplied by the receptionist.
I have tried numerous different configurations but can't seem to get it to work properly. More times than not, when I set up security on the WLAN it causes my wireless network to disappear from the list of available wireless networks.
Here is my network configuration:
1 - 4402 wireless LAN Controller
2 - Aironet 1130AG antennas
1 - 5510 Cisco ASA
1 - 4503 Core Router\Switch
8 - 2960G Switches
Windows Server 2003 Domain with Radius running on the Domain Controller.
Thanks in advance for the help.
06-26-2008 01:17 PM
I am having pretty much the same issue but I can't understand why it's not working because this is the message I get in Microsoft IAS...
User xxxx was granted access.
Fully-Qualified-User-Name = xxxxx
NAS-IP-Address = 192.168.1.8
NAS-Identifier = RMCORPWLC01
Client-Friendly-Name = RMCORPWLC01
Client-IP-Address = 192.168.1.8
Calling-Station-Identifier =
NAS-Port-Type =
NAS-Port =
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server =
Policy-Name = WLC Auth
Authentication-Type = PAP
EAP-Type =
For more information, see Help and Support Center at
Any suggestions? I made sure that all my settings matched those discussed in this thread?
06-26-2008 01:27 PM
This line: Proxy-Policy-Name = Use Windows authentication for all users
Shows that you are not hitting the remote access policy. This is the default Windows IAS policy.
Can you post your show run-config and tell me what ssid you are using. Might be a configuration on the wlc of your IAS server.
06-27-2008 05:11 AM
Also, check your shared secret configuration with the RADIUS server and make sure it is long enough. I had first set it up with only 10 characters and then changed it to 26 characters and it started working immediately.
06-27-2008 05:22 AM
06-27-2008 05:35 AM
So you are trying to configure the wlc to authenticate management users when they try to access the wlc? Just note that the wlc will use local, then radius, then ldap if configured.
Here are some links for that:
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a0080782507.shtml
This link is for ACS. What you have to do in the remote access policy in IAS is to set the service type as login. Also upgrade your boot loader to 5.0.
06-27-2008 05:41 AM
I have done both of those things...
06-27-2008 05:48 AM
Be careful with the policies in IAS. If you have another policy using the same NAS IP address to authenticate wireless users, it will hit that and fail to the default. If that is the only policy you have, then the IAS policy isn't configured right.
06-27-2008 06:21 AM
On your log that you posted: NAS-IP-Address = 10.1.12.35
This isn't your management interface (92.168.1.8) on the WLC? So what device is this you are showing?
06-27-2008 06:28 AM
I don't have any of those IP addresses, I'm not sure what you are referring to?? I have more than one policy in IAS, I don't understand why it is so hard to set up RADIUS with this thing? Why would RADIUS behave so much differently on a WLC than, say, a router/switch?
06-27-2008 06:34 AM
Post the error you are seeing on your IAS.
06-27-2008 06:47 AM
I am not seeing an error on IAS...I see that access was granted? That is why I'm at a loss for why this isn't working?
User david.jack was granted access.
Fully-Qualified-User-Name = xxxxx
NAS-IP-Address = 192.168.1.8
NAS-Identifier = RMCORPWLC01
Client-Friendly-Name = RMCORPWLC01
Client-IP-Address = 192.168.1.8
Calling-Station-Identifier =
NAS-Port-Type =
NAS-Port =
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server =
Policy-Name = WLC Auth <<<<
Authentication-Type = PAP
EAP-Type =
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
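Added example (not part of any post in this thread): a small Python parser for IAS event text like the one quoted above. It reports which connection request policy (Proxy-Policy-Name) and remote access policy (Policy-Name) the request matched and flags the points raised in the thread. The sample event is constructed from the quoted log; the function names and finding labels are hypothetical.

```python
import re

# Constructed sample, modelled on the IAS event text quoted in the thread.
SAMPLE_EVENT = """User xxxx was granted access.
NAS-IP-Address = 192.168.1.8
NAS-Identifier = RMCORPWLC01
NAS-Port-Type =
Proxy-Policy-Name = Use Windows authentication for all users
Policy-Name = WLC Auth
Authentication-Type = PAP
EAP-Type =
"""

def parse_ias_event(text):
    """Split an IAS access event into its outcome and 'Name = value' fields."""
    outcome, fields = None, {}
    for line in text.splitlines():
        verdict = re.match(r"\s*User .+ was (granted|denied) access", line)
        if verdict:
            outcome = verdict.group(1)
        elif "=" in line:
            name, _, value = line.partition("=")
            fields[name.strip()] = value.strip()
    return outcome, fields

def review_event(text, wlc_mgmt_ip, expected_policy):
    """Summarise which policies matched and flag points worth checking."""
    outcome, f = parse_ias_event(text)
    findings = []
    if f.get("NAS-IP-Address") != wlc_mgmt_ip:
        findings.append("nas-ip-is-not-the-wlc")        # request came from another client
    if f.get("Policy-Name") != expected_policy:
        findings.append("unexpected-remote-access-policy")
    if f.get("Authentication-Type") == "PAP":
        findings.append("pap-relies-on-shared-secret")  # password hidden only by the secret
    if not f.get("NAS-Port-Type"):
        findings.append("nas-port-type-empty")          # conditions on it cannot match
    return {
        "outcome": outcome,
        "connection_request_policy": f.get("Proxy-Policy-Name"),
        "remote_access_policy": f.get("Policy-Name"),
        "findings": findings,
    }

if __name__ == "__main__":
    for key, value in review_event(SAMPLE_EVENT, "192.168.1.8", "WLC Auth").items():
        print(f"{key}: {value}")
```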
06-27-2008 08:13 AM
You might have to set up accounting also. Capture data with a sniffer on the port that the WLC is connected to on the switch. If you see authentication pass, but accounting failed, then accounting will have to be set up. On ACS, you have to have that configured in order for this to work.
06-27-2008 05:41 AM
Also, check your shared secret configuration with the RADIUS server and make sure it is long enough. I had first set it up with only 10 characters and then changed it to 26 characters and it started working immediately.
06-27-2008 05:44 AM
I will have to give that a try, my shared secret is only 7 chars right now.
07-23-2008 06:23 PM
I'm having the same issue. Did you get it fixed?