AAA override Wireless Web authentication

remco.gussen
Level 1

Hi

I was wondering if it is possible to use a Guest SSID network with the AAA override option, so that the WLC intercepts all requests, prompts for username and password, and sends the credentials to the RADIUS server. Is it possible for the Guest SSID to use the AAA override option to dynamically assign the guest user to a VLAN?

Thanks

9 Replies

dancampb
Level 7

You can send the guest WLAN username and password to AAA for validation. Just define a RADIUS server under that WLAN. It is not possible to use AAA Override to have a dynamic VLAN assigned. With a guest WLAN the client already has an IP address and is on the VLAN before the credentials are sent to RADIUS. The controller is just blocking the client's traffic from going any further until the authentication is passed.

You are right! Thanks for your reply.

Gr.

Remco

Does this also work for an HREAP? Regards, Michael

I do find this inability frustrating for me personally. I don't want to change the VLAN after the user authenticates to the web, but in my setup I'm authenticating off of ACS and would like to pass some additional ACLs (per user/group) and QoS attributes through to the user logging into the web authentication. However, it seems in 4.2.130 if you turn on AAA Override, web authentication stops working altogether. This would be very helpful in traffic/bandwidth control considering the lack of ability to do it elsewhere. Currently it seems I have to adjust my QoS profiles on the controller to do this, which I find unacceptable. Can you tell me if this issue is resolved in later releases?

If you are authenticating the webauth users to RADIUS you can pass down ACLs and QoS policies. You just can't do dynamic VLAN assignments since the user would already be sitting on the VLAN by the time the authentication takes place.

How do I do this? As far as I know, the only way it'll pass the attributes down via AAA is if I turn AAA override on. However, if I turn AAA Override on, WebAuth seems to stop responding for users connecting to the guest wifi and then takes a while to recover once I turn AAA override off.

Is this still the same with the AIR-WLC4404-100-K9 and the IOS 7.0.98.0? I am trying to get dynamic VLAN assignment to work with web authentication, but I am only able to override the QoS values.


Regards,

Marucho Mendez

Marucho, the particularity of how Web authentication works on the WLC is that it is carried over HTTP between Client and WLC. So the Wireless Client has to already have an IP address prior to starting the web authentication. Since the Wireless Client already has an IP address, you cannot override it anymore.

This is unlike dot1x, which takes place over EAPOL; when you have EAP success, the client then moves on to get an IP address from the VLAN sent by RADIUS.

With webauth, dynamic VLAN assignment will not work, but yeah, it will work for QoS and ACLs.

Thanks, pal. I am having another issue: I have configured two LDAP server entries for two SSIDs to get webauth working for students and employees, but for a while now just one is working for BOTH SSIDs... I don't know how, but even if I remove the LDAP server from the AAA options under the WLAN settings, the SSID with the empty LDAP options still works with the LDAP server that works.

Do you have any idea why this is happening?

Regards,

Marucho Mendez
