I have a guest wireless network through my controllers and am using WCS to manage the controllers. The problem I am seeing is that when users are prompted to log in to the guest network they can either use the guest user account the lobby ambassador has set up, or they can use an AD account if they have one. I have looked through my configuration and must be missing something, because everywhere I look says it should be using "default internal" for the authentication. Any ideas where I should be looking that I'm not? Thanks.
For the guest wireless users I only want them authenticating using the WLCs; our lobby ambassador creates the accounts in WCS and they are replicated out to the controllers.
Ok, so I assume that your lobby ambassadors are creating the accounts under Local Net Users in the Security tab. If you want the guests to only authenticate to the WLC, make sure that on the SSID, under Layer 3 security in the AAA tab, there are no authentication servers selected. If there are, be sure to remove them. Also, when they create the user in Local Net Users, be sure they are choosing the correct WLAN Profile to assign them to.
They are logging on as lobby ambassador, which puts them into a screen that only allows them to create guest accounts; it's not the regular administration page for WCS. I checked by logging on as an admin on WCS and there are no authentication servers listed; everything is set to "none" on this page.
There may be a different way, but I know for a fact that for guest users to authenticate to the WLC, you need to create the account under Local Net Users. I'm not sure if this can be done under lobby ambassador, as I've never had to use that setup yet. Local Net Users is in the Security tab underneath AAA.
This is how WCS works: they log into a page on WCS and create the account, and WCS pushes it down to the WLCs. This did point me in a direction I hadn't seen before. I have attached the two different screens, one from WCS and one from the controller. What I am curious about now is where do I change the Web-Auth order and configuration in WCS so that it can then be pushed down to all my controllers?
BTW, I did change the settings on this controller before taking the screenshot; by default it included local, radius, and ldap. Removing radius and ldap fixed the issue, but I'd sure like to push this from WCS.
This looks like it would be for everything and not just the guest wireless network, correct? It doesn't look like there is an option, even with that, to select only local authentication, unless I'm not understanding what it is trying to configure... which is very possible.
That seems to be correct. My best suggestion would be to have one SSID that you give to people that you would like to have authenticate to the WLC itself. Once you have that SSID, confirm on the WLC that there are no AAA servers configured for it, and by default clients should then be authenticated to the WLC locally.
However, in order for this to work properly, you need to configure Local Net Users in the WCS (Configure > Controllers > Security > AAA > Local Net Users).
When you choose "add local net user", if you have not created any templates yet for this, you will be prompted for a redirect to do so. Create your template, making sure to choose the SSID you created or are using for Web Auth. In the image attached you will see the layout for the csv file you need to create. The Profile field is where you would put this SSID.
I appreciate the suggestion here, but since there are multiple controllers across the company at different buildings this wouldn't work too well, and explaining to the receptionist that they have to hit multiple boxes and copy the same user account setup on each one of them wouldn't go over too well either :-).
Even when there is no Radius associated to a guest WLAN, I found (v4.2) that users on this guest WLAN were authenticated in a Radius server! That is because there usually is a default Radius configured in the WLC (pushable from WCS) under Config > Controller > Security > Radius Auth Server. If you disable (not remove!) this default Radius server, guest authentication is restricted to the WLC itself, even if you associate this Radius to the guest WLAN. However, I don't know how this affects other WLANs; probably you'll have to associate a Radius to every single WLAN (which is, in my opinion, a good idea anyway). Hope this helps.
From my experience, if you have any RADIUS configured on any SSID for EAP authentication and are using webauth, internal users can use their network login to access the guest network. The WLC will look up the username and password first in the WLC local database and then will try to authenticate the user on any RADIUS server that is configured under Security > AAA. Even though the RADIUS server is not configured on the WLAN SSID, the WLC will still try to authenticate the user via RADIUS. I have had to configure 3 bogus RADIUS servers and place them on the guest WLAN SSID. This way internal users will not be able to log in using their account: the local DB will fail and the bogus AAA servers will fail.
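The web-auth order change described earlier in the thread (dropping radius and ldap so that only the local database is consulted, which also closes the fallthrough to globally configured RADIUS servers described in the post above) can be applied on the WLC CLI. This is an added example, not commands any poster supplied; the guest WLAN id of 2 is an assumption, and the default order shown matches the one reported above.

```text
! Added example, not from the thread. Assumes the guest WLAN has id 2.
! Default (weak for a guest SSID): a user unknown to the local database
! falls through to RADIUS and then LDAP, so AD credentials are accepted.
config wlan security web-auth server-precedence 2 local radius ldap

! Hardened: consult only the controller's local database. WLAN security
! settings can only be changed while the WLAN is disabled.
config wlan disable 2
config wlan security web-auth server-precedence 2 local
config wlan enable 2
save config

! Verify the WLAN's web-auth settings after the change.
show wlan 2
```

This has to be repeated per controller; the thread's open question of pushing the same order from WCS is not addressed by these commands.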
Thanks fella5. Indeed, I found out that you cannot do without at least one default Radius server if you want to have wireless access for regular users. Then this bogus trick came to my mind as a possible solution; fine to see that I was on the right track.
It would be nice if Cisco made this behaviour a user option. Better still, one should be able to choose freely between all forms of Layer 2 and Layer 3 authentication individually, including the order in which they will be tried.