Cisco Support Community
New Member

NAC Guest Server

I'm unable to authenticate the Guest Client in the RADIUS of NAC Guest Server.

The NAC is configured in the AAA Servers of the Guest SSID, in the WLC4402 and the controller as client in the NAC Guest Srv.

The Allow Override is Enabled.

NAC Guest Server » radius.log :

Thu Jan 17 01:10:17 2008 : Info: rlm_sql (sql): Driver rlm_sql_postgresql (module rlm_sql_postgresql) loaded and linked

Thu Jan 17 01:10:17 2008 : Info: rlm_sql (sql): Attempting to connect to postgres@localhost:/radius

Thu Jan 17 01:10:17 2008 : Info: Ready to process requests.

Thu Jan 17 01:12:08 2008 : Error: rlm_exec (radius-user-auth): External script failed

Thu Jan 17 01:18:49 2008 : Error: rlm_exec (radius-user-auth): External script failed

Has anyone experienced this issue?

Thanks!

5 REPLIES
Silver

Re: NAC Guest Server

When a guest authenticates against a RADIUS client, the RADIUS client uses RADIUS Authentication to ask the Cisco NAC Guest Server whether the user authentication is valid. If the guest authentication is valid, the Cisco NAC Guest Server returns a message stating that the user is valid and the amount of time remaining before the user session expires. The RADIUS client must honor the session-timeout attribute to remove the guest when the guest account time expires. The following link may help you:

http://www.cisco.com/en/US/docs/security/nac/guestserver/configuration_guide/10/g_radius.html

Re: NAC Guest Server

Have you solved this problem? I'm stuck with this problem too.

Cisco Employee

Re: NAC Guest Server

Hi -

What version of the NAC Guest server are you using?

I searched all TAC cases and have the following info to share with you based on your error message.

If it is 1.1.1, you might be running into this bug:

CSCsq86376

With the new locations feature in 1.1.1 of the guest server any customer that has the calling-station-id attribute on their controller set to MAC address will not pass any authentications.

The new locations feature expects the calling-station-id attribute to be set to the IP address.

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsq86376

thxs

peter

Re: NAC Guest Server

I'm using 1.1.0 and 1.1.1. I already set the calling-station-id attribute to IP address, but I still have the problem.

New Member

Re: NAC Guest Server

I had exactly the same problem.

When the script (it's an obfuscated PHP script under /guest/utils) fails, it is because it had not been able to match the username and password.

After a little debugging, it seems that this is caused by the controller setting (Controller/General/Web RADIUS Authentication) which in my case was set to CHAP. After changing it to PAP, the script can then see the password and authentication works.

I hope this helps.
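Why the CHAP-to-PAP change in the last reply matters, as an added example that is not part of the thread and is not Cisco's script: under RFC 2865 a PAP User-Password can be turned back into the cleartext password by the RADIUS server, while a CHAP-Password carries only an MD5 response that can be checked but not reversed. The shared secret, authenticator and password below are constructed values.

```python
import hashlib
import hmac

def _md5(*parts: bytes) -> bytes:
    return hashlib.md5(b"".join(parts)).digest()

def pap_hide(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 sec. 5.2: how the RADIUS client builds User-Password."""
    size = max(1, -(-len(password) // 16)) * 16      # pad to a multiple of 16
    padded = password.ljust(size, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, size, 16):
        key = _md5(secret, prev)                     # keyed by the shared secret
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out

def pap_recover(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: the same keystream gives the cleartext password back."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, _md5(secret, prev)))
        prev = block
    return out.rstrip(b"\x00")

def chap_password(ident: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 2865 sec. 5.3: CHAP-Password = ident + MD5(ident + password + challenge)."""
    return bytes([ident]) + _md5(bytes([ident]), password, challenge)

def chap_verify(attr: bytes, challenge: bytes, stored_password: bytes) -> bool:
    """Only possible when the server itself holds the cleartext password."""
    expected = chap_password(attr[0], stored_password, challenge)
    return hmac.compare_digest(attr, expected)

# Constructed sample values, not taken from the thread.
SECRET = b"constructed-shared-secret"
AUTHENTICATOR = bytes(range(16))   # Request Authenticator, reused as CHAP challenge
PASSWORD = b"constructed-guest-password"   # 26 bytes, so two PAP blocks

if __name__ == "__main__":
    hidden = pap_hide(PASSWORD, SECRET, AUTHENTICATOR)
    print("PAP  server recovers:", pap_recover(hidden, SECRET, AUTHENTICATOR))
    attr = chap_password(1, PASSWORD, AUTHENTICATOR)
    print("CHAP server receives:", attr.hex(), "(no password to extract)")
    print("CHAP verify with stored password:", chap_verify(attr, AUTHENTICATOR, PASSWORD))
```

PAP protects the password only with the RADIUS shared secret, so the link between the controller and the guest server should be on a trusted management network and the secret should be long and unique per client.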
