
WLC - radius down, possible to have auth none as secondary?

Let's say I have a 5508 WLC and have configured a WLAN with web-auth and RADIUS authentication.

The one and only configured RADIUS server goes offline. In the event this should happen, is it possible to allow clients to connect anyway? Auth none as secondary?

Appreciate any thoughts

Accepted Solutions

WLC - radius down, possible to have auth none as secondary?

Chris,

No, unfortunately not. Once you select 802.1X (RADIUS) you are bound to that security type. The controller will not allow non-EAP traffic on that WLAN unless it gets an EAP SUCCESS frame. The EAP success frame from the RADIUS server is sent to the WLC, and it tells the WLC to open the controlled port to allow traffic to pass.

Top of my head alternatives:

You might consider another SSID with the same name with OPEN security. Manually enable it after failure of the RADIUS server.

Create the user accounts on the WLC and allow the WLC to act as your RADIUS server. If you have a large environment, this may not be realistic.

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin

Cisco Employee

Re: WLC - radius down, possible to have auth none as secondary?

#webauth and radius use pap/chap/md-5; however, conditional and splash page web redirect use dot1x.

#You can fall back between Local/Radius/LDAP for webauth based on the priority order for the web-auth user.

In your case you can set webauth priority as Radius, Local.
