Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

Guest Access Redirect accepting AD credentials

I have a 2106 controller with a guest access SSID on a isolated vlan 192. The guest SSID is setup for webauth and redirects all traffic to the isolated vlan 192. There is a RADIUS server handling AD authentications on the native management vlan. The dhcp scope on the guest access (192) vlan resides on a watchguard firewall. When I connect to the guest SSID with a WLC resident account and password I am allowed internet access fine. When I use a AD account and password from the rest of the network I am also allowed on fine. Anyone seen this before? I should not be able to even to see the AD server from the isolated VLAN much less have the controller see it as a valid login. I get an IP address from the isolated vlan and I can not ping my protected (all other vlans) network. The problem is I can not monitor content easily or filter where my AD users are going if they connect to the guest SSID. Code is older version 4.0.217.0 and I will upgrade unit to 4.1.185 this week but I suspect the problem will still exist.

3 REPLIES
Silver

Re: Guest Access Redirect accepting AD credentials

For the configuration for the security in WCS follow the configuration guide which contains also how to create guest account which may help you :

http://www.cisco.com/en/US/docs/wireless/wcs/4.0/configuration/guide/wcssol.html

Re: Guest Access Redirect accepting AD credentials

I am posting this as I have found my problem. This is bug number CSCsh35098. In this bug the if the Web account for the local user fails then the authentication request will be forwarded to a RADIUS server if one is configured on the controller. It over rides the WLAN setting to not have a RADIUS authentication. The work around is to change the RADIUS authentication from PAP to CHAP or MD5-CHAP as this will not allow the RADIUS to authenticate.

New Member

Re: Guest Access Redirect accepting AD credentials

The simple fix for this is to uncheck Network User from the security page where the Radius servers are setup.

If this is checked, it is a global parameter that will pass credentials on to the Radius server(s) configured if web authentication fails.

267
Views
0
Helpful
3
Replies