cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
766
Views
0
Helpful
4
Replies

Radius Setting for Web Auth and 802.1x

ctam
Level 1
Level 1

Hi There,

I just have one CiscoSecure for both Web Auth and 802.1x.

When working with WLC, how can we distinguish the user that is logged in by Web Auth or 802.1x?

Thank you.

4 Replies 4

Scott Fella
Hall of Fame
Hall of Fame

Usually you only can have one wlan setup for 802.1x or pointed to a radius server. Since the AAA client is the WLC, all traffic is from this device and the radius server will look for this policy and will permit or deny on the first policy it hits. I have only been successfull using IAS with this and it really comes down to creating a policy that will work with both.

-Scott
*** Please rate helpful posts ***

Suppose that the Web Auth and 802.1x are using different SSID. If making one policy for both, will the user for WebAuth can login the network by 802.1x? I want to avoid this.

How can I set the radius server such that this does not happen?

The issues is that the WLC will always check its local data base and then check the first radius it communicates with then the second and third. It doesn't matter that you use different ssid's or not. The process of authentication is always the same. This is why when you have two ssid's using radius, its hard to define a policy that works with both. That is why there are times that users can use their username and password defined in the PEAP setting on the webauth page and bbe able to authenticate on that subnet. The only way you can make this happen is if you define the service type. For webauth use login and for 802.11x use framed. That install was a while back and was using IAS instead of ACS.... wish I had more info for you.

-Scott
*** Please rate helpful posts ***

Hi Cliff,

In ACS, you can create different user groups. 1 for WebAuthen and 1 for standard 802.1x authen (e.g. PEAP).

By default, ACS will map the user to corresponding group by lookup the username provided in RADIUS packet.

To give further security control, you can defile "Network Access Filtering" to each group such that ACS will lookup the SSID and assign it to corresponding "user group". This feature is useful in case the user has 1-many mapping in ACS user database.

For user group for WebAuth, you must enable "service-type (006) = Framed" in the group setup.

Hope this will help.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: