A. When a wireless guest logs in through the web portal, the guest anchor controller handles the authentication by performing these steps:
1. The guest anchor controller checks its local database for username and password, and if they are present, grants access.
2. If no user credentials are present locally on the guest anchor controller, the guest anchor controller checks WLAN configuration settings to see if an external RADIUS server(s) has been configured for the guest WLAN. If so, the controller creates a RADIUS access-request packet with the username and password and forwards it to the selected RADIUS server for authentication.
3. If no specific RADIUS servers have been configured for the WLAN, the controller checks its global RADIUS server configuration settings. Any external RADIUS servers configured with the option to authenticate "network user" will be queried with the guest user's credentials. Otherwise, if no servers have "network user" selected, and the user has not been authenticated through steps 1 or 2, the authentication will fail.
So surely, I'm hitting step 3.
I'm not too comfortable with that type of implementation of Cisco. If I don't define a RADIUS in my SSID, it's for a reason.
This is a common problem on some code. In the "Controller" tab of the GUI, change the Web Authentication type (at the bottom of the page) from PAP to CHAP (or vice versa), Save Configuration, Job Done :o)
I don't know if Cisco considers this as a bug, but if you have an implementation like what you have, the WLC will always attempt to use the radius server first and then attempt to authenticate users via local DB. Defining a fake radius and using that on the guest wlan is the "workaround". I have asked the BU to change that if possible, but don't know if that will happen anytime soon.
I'm experiencing the same problem. My customer considers the fake radius a workaround and asked for a solution. So I guess I need to find either a bug report or an official Cisco Document to explain it.
Changing from PAP to CHAP would cause an authentication failure by wrong protocol, but I consider this another workaround...
Uncheck the "Network User" option on the security page of the WLC where the radius servers are configured. This option is a global config that will pass the users' credentials on to the configured radius servers when web authentication fails.
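The lookup order quoted at the top of the thread, modelled as an added example (not Cisco code and not from any poster) to show which WLANs would hand guest credentials to a global RADIUS server. The dictionary layout, field names and server names are hypothetical and constructed for illustration; they are not a WLC export format.

```python
# Added illustration of the documented web-auth lookup order (steps 1-3).
# All names and the config layout below are hypothetical, constructed samples.

def fallback_servers(wlan, controller):
    """Steps 2 and 3: RADIUS servers queried once the local DB has no match."""
    if wlan["radius_servers"]:                      # step 2: WLAN-specific servers
        return "wlan-radius", list(wlan["radius_servers"])
    global_nu = [s["name"] for s in controller["global_radius"]
                 if s["network_user"]]              # step 3: global "network user"
    if global_nu:
        return "global-radius", global_nu
    return "fail", []                               # nothing left to ask

def resolve_guest_auth(username, wlan, controller):
    """Return (step, servers) for one web-portal login attempt."""
    if username in controller["local_users"]:       # step 1: local database
        return "local", []
    return fallback_servers(wlan, controller)

def audit(controller):
    """WLANs with no RADIUS of their own whose unknown or mistyped logins
    would still be forwarded to global RADIUS servers."""
    findings = []
    for wlan in controller["wlans"]:
        step, servers = fallback_servers(wlan, controller)
        if step == "global-radius":
            findings.append((wlan["ssid"], servers))
    return findings

# Constructed sample configuration.
SAMPLE = {
    "local_users": {"guest1"},
    "global_radius": [
        {"name": "corp-radius", "network_user": True},
        {"name": "mgmt-radius", "network_user": False},
    ],
    "wlans": [
        {"ssid": "guest", "radius_servers": []},
        {"ssid": "staff", "radius_servers": ["corp-radius"]},
    ],
}

if __name__ == "__main__":
    for ssid, servers in audit(SAMPLE):
        print(f"WLAN {ssid!r}: guest credentials would reach {servers}")
```

With "network user" cleared on every global server, `audit` returns an empty list and an unknown guest login resolves to `fail` instead of leaving the controller.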