New Member

Help configuring a Cisco 4402 wireless controller

Hello,

I need help setting up a Cisco 4402 Wireless controller. I want to have users automatically connect to the wireless network, but not have access to any network resources until they open a web browser and supply their domain username and password or a guest account supplied by the receptionist.

I have tried numerous different configurations but can't seem to get it to work properly. More times than not, when I set up security on the WLAN it causes my wireless network to disappear from the list of available wireless networks.

Here is my network configuration:

1 - 4402 wireless LAN Controller

2 - Aironet 1130AG antennas

1 - 5510 Cisco ASA

1 - 4503 Core Router\Switch

8 - 2960G Switches

Windows Server 2003 Domain with Radius running on the Domain Controller.

Thanks in advance for the help.

Hall of Fame Super Silver

Re: Help configuring a Cisco 4402 wireless controller

Pretty simple....

Configure a wlan and set that to use Web Authentication Policy. Then also set that to Authentication. What you need to do now, is configure the radius server on the WLC and make sure the shared secret is identical on the wlc and the ACS. Once the Radius server is configured, go back to the wlan ssid and under AAA servers drop down, pick the radius server you just created. On the ACS, you need to configure the WLC as a AAA client in which you need to put the same shared secret.

That is the basic.... now not knowing if you have NAR's or NAP's configured on ACS, you should be good to go.

You should create a custom web auth page where you can have a terms and agreement for the users to read, just in case.

Hope this helps.

-Scott
*** Please rate helpful posts ***
New Member

Re: Help configuring a Cisco 4402 wireless controller

I think you have me on the right track. However, I have a couple more questions. First, when you say ACS you are referring to my Windows 2003 Radius Server, correct? Second, I have two Windows XP laptops that do not see the wireless network I created when I search for wireless networks, BUT my iPhone sees it and displays the Cisco web logon page. Any reason you can think of that XP will not see a WLAN that has an SSID set to broadcast? Last question: how can I set up a second WLAN with a static WEP key to give to employees that work wirelessly from the office every day?

Hall of Fame Super Silver

Re: Help configuring a Cisco 4402 wireless controller

If you don't have ACS, then your IAS will work. What you need to configure on your IAS is the WLC as a AAA client and when you create a remote access policy, you need to make sure the service type is set to login and not framed.

You should be able to see it if it is broadcasted. Sometimes when you have the ssid configured like on the iphones, it automatically will show up when you want to view other networks. Double check to make sure the ssid is being broadcasted. Check the firmware on the xp laptop and again, make sure it is not soooo old. Use the latest driver the manufacturer recommends.

To create a second ssid, just follow the procedure you used to create the first one. Should be the same. Use the Web interface.... might be easier for you.

-Scott
*** Please rate helpful posts ***
New Member

Re: Help configuring a Cisco 4402 wireless controller

I have everything working that I asked you about except Radius authentication. I have the WLC set up as a Radius client on the IAS server. Here are the Radius client settings. "Friendly Name" Cisco WiFi - IP Address 10.1.12.35 - Client-Vendor Cisco.

I also set up a Remote Access Policy named "Allow Wireless LAN Access" with the following policy conditions: NAS-PORT-Type matches "Wireless - IEEE 802.11 or Wireless - Other" AND Windows-Groups matches "Our DOMAIN\Domain Users".

Under "Edit Profile" All tabs have the default settings except under the "Advanced" tab I changed (Service-Type RADIUS Standard to Login) as you suggested in your last post.

What am I missing?

Thanks,

Wayne

Hall of Fame Super Silver

Re: Help configuring a Cisco 4402 wireless controller

Don't set the Radius setting to Client-vendor Cisco. Use the default... I think it is Radius Standard.

In your event viewer in the IAS, what error do you have? Can you post a screenshot?

-Scott
*** Please rate helpful posts ***
Hall of Fame Super Silver

Re: Help configuring a Cisco 4402 wireless controller

Also under the Remote Policy | Authentication make sure Unencrypted authentication (PAP, CHAP) is checked.

-Scott
*** Please rate helpful posts ***
New Member

Re: Help configuring a Cisco 4402 wireless controller

It is still not working; I must be missing something. Here are a few screenshots showing my config.

Thanks for all of your help!

Hall of Fame Super Silver

Re: Help configuring a Cisco 4402 wireless controller

Okay.... looks okay, but try this:

On the remote policy, just have your Windows-Groups matches and NAS-IP address which you would enter the management ip address of the wlc. In the dial-in constraints, make sure you have Grant remote access permission. Also, you might need to verify that dial-in is permitted on the user AD account.

Then try to log in and if it doesn't work, you need to post the failed attempt in the event viewer of the IAS server.

-Scott
*** Please rate helpful posts ***
New Member

Re: Help configuring a Cisco 4402 wireless controller

Here is the error details from the event viewer.

User "My Username" was denied access.

Fully-Qualified-User-Name = "My Domain"\"My Username"

NAS-IP-Address = 10.1.12.35

NAS-Identifier = Wireless

Called-Station-Identifier = 10.1.12.35

Calling-Station-Identifier = 10.1.12.103

Client-Friendly-Name = Cisco WiFi

Client-IP-Address = 10.1.12.35

NAS-Port-Type =

NAS-Port =

Proxy-Policy-Name = Use Windows authentication for all users

Authentication-Provider = Windows

Authentication-Server =

Policy-Name =

Authentication-Type = PAP

EAP-Type =

Reason-Code = 16

Reason = Authentication was not successful because an unknown user name or incorrect password was used.

I know that the password is correct because it is my account. I made sure that the account was not disabled and has dial-in access.

What do you think?

Hall of Fame Super Silver

Re: Help configuring a Cisco 4402 wireless controller

Okay... It seems like it is not hitting the correct policy. You created a policy named all wireless lan access, but you see in the log that it passes that and the other policy you have. It actually hit the default policy... can't remember where that is located, but that's okay. What error are you seeing in the WLC?

I would re-enter the shared secret in the wlc and in the radius server just to be on the safe side. 10.1.12.35 is your wlc management interface and 10.0.0.2 is your IAS server.... correct?

-Scott
*** Please rate helpful posts ***
New Member

Re: Help configuring a Cisco 4402 wireless controller

The WLC is not showing any RADIUS errors. I have a Remote Access Policy named "Allow Wireless LAN Access" with Windows-Groups matches and NAS-IP-Address Matches "10.1.12.35" (management port on WLC).

The Connection Request Policy is named "Use Windows authentication for all users" and the only setting is all access (every day, all day).

Do I need to add anything to the connection request policies? I tried adding the NAS-IP-Address Matches "10.1.12.35" to this policy and got the following error message.

User WPlotkin was denied access.

Fully-Qualified-User-Name =

NAS-IP-Address = 10.1.12.35

NAS-Identifier = SihleWireless

Called-Station-Identifier = 10.1.12.35

Calling-Station-Identifier = 10.1.12.103

Client-Friendly-Name = Cisco WiFi

Client-IP-Address = 10.1.12.35

NAS-Port-Type =

NAS-Port =

Proxy-Policy-Name =

Authentication-Provider =

Authentication-Server =

Policy-Name =

Authentication-Type =

EAP-Type =

Reason-Code = 49

Reason = The connection attempt did not match any connection request policy.

Hall of Fame Super Silver

Re: Help configuring a Cisco 4402 wireless controller

You don't have to touch that policy. In your Allow Wireless LAN Access policy in the advanced tab, add Framed-Protocol PPP. Also, delete the Radius server in the WLC and add it back on. You will have to remove the radius server from the ssid before you can delete the radius server. I would also delete and recreate the AAA client on the IAS server and then restart the service.

The Proxy-Policy-Name = should show the remote access policy you created.

-Scott
*** Please rate helpful posts ***
New Member

Re: Help configuring a Cisco 4402 wireless controller

I fixed it; apparently my Shared-Secret was too short. I changed it to a longer one and RADIUS instantly started working. I cannot believe this is what was causing it not to work. You definitely got me on the right track and I learned a lot along the way. I really appreciate all of your help!
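
Added example, not part of the thread: a sketch of RFC 2865 PAP password hiding, showing how a shared secret that differs between the WLC and the RADIUS server surfaces as a bad-password denial (Reason-Code 16 in the log above) rather than as a secret error. The function names, secrets, password and authenticator are constructed for illustration.

```python
import hashlib

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def pap_hide(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """NAS side (the WLC here): build the User-Password attribute value."""
    if not 1 <= len(password) <= 128 or len(authenticator) != 16:
        raise ValueError("need a 1-128 byte password and a 16 byte authenticator")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = _xor(padded[i:i + 16], mask)  # this block keys the next mask
        hidden += prev
    return hidden

def pap_reveal(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: undo the masking with the server's own copy of the secret."""
    if not hidden or len(hidden) % 16 or len(authenticator) != 16:
        raise ValueError("malformed User-Password or authenticator")
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        clear += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return clear.rstrip(b"\x00")

def server_verdict(hidden, server_secret, authenticator, stored_password) -> str:
    """Nothing in this attribute reveals a wrong secret; the server only
    sees a password that does not match the account."""
    recovered = pap_reveal(hidden, server_secret, authenticator)
    return "granted" if recovered == stored_password else "denied, Reason-Code 16"

def demo():
    # All values below are constructed for illustration.
    ra = bytes(range(16))                       # Request Authenticator
    password = b"Correct-Horse-Battery-1"       # 23 bytes, spans two blocks
    wlc_secret = b"example-shared-secret-0001"
    ias_typo = b"example-shared-secret-0002"    # one character differs
    hidden = pap_hide(password, wlc_secret, ra)
    return (server_verdict(hidden, wlc_secret, ra, password),
            server_verdict(hidden, ias_typo, ra, password))

if __name__ == "__main__":
    print(demo())
```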

Hall of Fame Super Silver

Re: Help configuring a Cisco 4402 wireless controller

Glad you got it working....

-Scott
*** Please rate helpful posts ***
New Member

Re: Help configuring a Cisco 4402 wireless controller

I am having pretty much the same issue but I can't understand why it's not working because this is the message I get in Microsoft IAS...

User xxxx was granted access.

Fully-Qualified-User-Name = xxxxx

NAS-IP-Address = 192.168.1.8

NAS-Identifier = RMCORPWLC01

Client-Friendly-Name = RMCORPWLC01

Client-IP-Address = 192.168.1.8

Calling-Station-Identifier =

NAS-Port-Type =

NAS-Port =

Proxy-Policy-Name = Use Windows authentication for all users

Authentication-Provider = Windows

Authentication-Server =

Policy-Name = WLC Auth

Authentication-Type = PAP

EAP-Type =

For more information, see Help and Support Center at

Any suggestions? I made sure that all my settings matched those discussed in this thread?

Hall of Fame Super Silver

Re: Help configuring a Cisco 4402 wireless controller

This line: Proxy-Policy-Name = Use Windows authentication for all users

Shows that you are not hitting the remote access policy. This is the default windows IAS policy.

Can you post your show run-config and tell me what ssid you are using. Might be a configuration on the wlc of your IAS server.

-Scott
*** Please rate helpful posts ***
New Member

Re: Help configuring a Cisco 4402 wireless controller

Also, check your shared secret configuration with the RADIUS server and make sure it is long enough. I had first set it up with only 10 characters and then changed it to 26 characters and it started working immediately.

New Member

Re: Help configuring a Cisco 4402 wireless controller

FYI... Right now I'm just trying to get this working for MGMT logins. The problem I am having is that I can't log in to the device with any username that isn't in the local list.

Hall of Fame Super Silver

Re: Help configuring a Cisco 4402 wireless controller

So you are trying to configure the wlc to authenticate management users when they try to access the wlc? Just note that the wlc will use local, then radius, then ldap if configured.

Here are some links for that:

http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a0080782507.shtml

This link is for ACS. What you have to do in the remote access policy in IAS is to set the service type as login. Also upgrade your boot loader to 5.0.

-Scott
*** Please rate helpful posts ***
New Member

Re: Help configuring a Cisco 4402 wireless controller

I have done both of those things...

Hall of Fame Super Silver

Re: Help configuring a Cisco 4402 wireless controller

Be careful with the policies in IAS. If you have another policy using the same nas ip address to authenticate wireless users, it will hit that and fail to the default. If that is the only policy you have, then the ias policy isn't configured right.

-Scott
*** Please rate helpful posts ***
Hall of Fame Super Silver

Re: Help configuring a Cisco 4402 wireless controller

On your log that you posted: NAS-IP-Address = 10.1.12.35

This isn't your management interface (92.168.1.8) on the WLC? So what device is this you are showing?

-Scott
*** Please rate helpful posts ***
New Member

Re: Help configuring a Cisco 4402 wireless controller

I don't have any of those IP addresses, I'm not sure what you are referring to?? I have more than one policy in IAS. I don't understand why it is so hard to set up RADIUS with this thing? Why would RADIUS behave so much differently on a WLC than, say, a router/switch?

Hall of Fame Super Silver

Re: Help configuring a Cisco 4402 wireless controller

Post the error you are seeing on your IAS.

-Scott
*** Please rate helpful posts ***
New Member

Re: Help configuring a Cisco 4402 wireless controller

I am not seeing an error on IAS... I see that access was granted? That is why I'm at a loss for why this isn't working?

User david.jack was granted access.

Fully-Qualified-User-Name = xxxxx

NAS-IP-Address = 192.168.1.8

NAS-Identifier = RMCORPWLC01

Client-Friendly-Name = RMCORPWLC01

Client-IP-Address = 192.168.1.8

Calling-Station-Identifier =

NAS-Port-Type =

NAS-Port =

Proxy-Policy-Name = Use Windows authentication for all users

Authentication-Provider = Windows

Authentication-Server =

Policy-Name = WLC Auth <<<<

Authentication-Type = PAP

EAP-Type =

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Hall of Fame Super Silver

Re: Help configuring a Cisco 4402 wireless controller

You might have to set up accounting also. Capture data with a sniffer on the port that the wlc is connected to on the switch. If you see authentication pass, but accounting failed, then accounting will have to be set up. On ACS, you have to have that configured in order for this to work.

-Scott
*** Please rate helpful posts ***
New Member

Re: Help configuring a Cisco 4402 wireless controller

Also, check your shared secret configuration with the RADIUS server and make sure it is long enough. I had first set it up with only 10 characters and then changed it to 26 characters and it started working immediately.

New Member

Re: Help configuring a Cisco 4402 wireless controller

I will have to give that a try, my shared secret is only 7 chars right now.

New Member

Re: Help configuring a Cisco 4402 wireless controller

I'm having the same issue. Did you get it fixed?
