Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

problem with guest net and radius

Has anyone ever observed the folowing :

I have 2 ssids's , one configured for guest , one for internal.

The internal ssid is configured with radius. The guest ssid does not have radius activated. However , people are able to log on the guest net with a their radius account.

The only solution i have found this far is to define a fake radius server on the guest ssid. This is surely not the correct solution.

Any advise ?


Re: problem with guest net and radius

What authentication mechanism do you use on your guest SSID? If it is web authentication or 802.1X, RADIUS is checked by default...

I am surprised that fake RADIUS works, usually when the controller fails in using a RADIUS (because it is fake), it reverts to the other RADIUSes, that is the real one in your case.

Can't you define the allowed SSID on your RADIUS/controller?

New Member

Re: problem with guest net and radius

I have found the folowing :

Q. What occurs when a guest logs on?

A. When a wireless guest logs in through the web portal, the guest anchor controller handles the authentication by performing these steps:

The guest anchor controller checks its local database for username and password, and if they are present, grants access.

If no user credentials are present locally on the guest anchor controller, the guest anchor controller checks WLAN configuration settings to see if an external RADIUS server(s) has been configured for the guest WLAN. If so, the controller creates a RADIUS access-request packet with the username and password and forwards it to the selected RADIUS server for authentication.

If no specific RADIUS servers have been configured for the WLAN, the controller checks its global RADIUS server configuration settings. Any external RADIUS servers configured with the option to authenticate “network user” will be queried with the guest user's credentials. Otherwise, if no servers have “network user” selected, and the user has not been authenticated through steps 1 or 2, the authentication will fail.

So surely , i'm hitting step 3.

I'm not to comfortable with that type of implementation of Cisco. If i dont define a radius in my ssid, it's with a reason.

Re: problem with guest net and radius

This is a common problem on some code. In the "Controller" tab of the GUI, change the Web Authentication type (at the bottom of the page) from PAP to CHAP (or vice versa), Save Configuration, Job Done :o)

New Member

Re: problem with guest net and radius

Is this documented somewhere in a bug ?

Hall of Fame Super Silver

Re: problem with guest net and radius

I don't know if Cisco considers this as a bug, but if you have an implementation like what you have, the WLC will always attempt to use the radius server first and then attempt to authenticate users via local DB. Defining a fake radius and using that on the guest wlan is the "workaround". I have asked the BU to change that if possible, but don't know if that will happen anytime soon.

*** Please rate helpful posts ***
New Member

Re: problem with guest net and radius

I'm experiencing the same problem. My customer considers the fake radius a workarround and asked for a solution. So I guess I need to find either a bug report or an official Cisco Document to explain it.

Changing from PAP to CHAP would cause an authentication failure by wrong protocol, but I consider this another workarround...

New Member

Re: problem with guest net and radius

Changing pap to chap has solved my issue !

But heres another one, this feature cannot be configured from WCS.

Is Cisco slipping up ?

New Member

Re: problem with guest net and radius

Uncheck the "Network User" option on the security page of the WLC where the radius servers are configured. This option is a global config that will pass the users' crdentials on to the configured radius servers when web authentication fails.

CreatePlease login to create content