
Radius Accounting with Web-Auth Passthrough

g.peart
Level 1

Hi All,

If Web-Auth is set to passthrough with email input as username, is it possible to log the email/username string to RADIUS accounting, or will I have to use syslog and a script?

I have Windows NPS for my 802.1x and I get the accounting data fine because I am using RADIUS for auth & acct, but nothing at all for my web-auth users.

10 Replies

Saurav Lodh
Level 7

A similar discussion for you:

https://supportforums.cisco.com/thread/2004163, please refer.

I used the template, but is there any issue with the login.html file that comes with the Webauth bundle?

When doing webauth to an external server I get the login page twice and the redirect comes back as "The requested URL /undefined was not found on the server".

I am using the virtual controller with 7.4 code and internal webauth is not supported.

You might just be better off opening a TAC case as it still might be an issue with the vWLC.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

May have to, trouble is far too much stuff doesn't work as it's meant to, into the arms of Aruba at this rate.

Well... I don't really like the vWLC. Features are not there compared to hardware.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

Nor do I, common features and configurations that work on the 2500/5508 series behave far too oddly on the vWLC, thanks anyway.

Hi,

I would like to achieve the same as g.peart, but the discussion you linked is not available. (I have a 3504 WLC, not a vWLC.)

Could you add any information about how I can do that?

Thanks!

You should think about using an external web auth provider, which will include that kind of feature as standard. The internal web auth really isn't designed for that @schulcz

I downloaded the webauth bundle from the Cisco site for my controller. It contains a readme file that states that the WLC can send this data to the RADIUS server.

Quote from the readme file:

WLC Passthrough with Email

This is an example custom webauth bundle when passthrough (user does 'accept' or 'reject') is in use and there is a radius-server which will be used to collect users' entered email addresses. The 'Email Input' button under the WLAN also needs to be checked. The WLC will not make a decision based on the users' email but will forward the email to the radius-server in accounting records when it is entered. While the WLC code was enhanced with code changes as a result of CSCsu50080 which requires that the user put an '@' sign in the email, there is nothing to prevent users from entering mickey.mouse@guesswhere.com.

When email is configured, 'debug aaa all enable' will show the WLC sending an accounting record to the radius-server with:

User-Name....bozo@the.clown
Nas-Port (x1d)
NAS-IPaddress (in 4 hex octets)
framed-ip-address (that the user has in 4 hex octets)
NAS-Identifier (system name of the WLC)
Airespace/WLAN-Identifier (on the WLC)
Calling-Station-Id (PC's mac)
Called-station-id (WLC's ip address)

and other attributes including Acct-Session-Id, Acct-Authenticator, Tunnel-Type xd, tunnel-medium-type x6, tunnel-group-id '5', Acct-Status-Type.
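
The accounting record the readme describes can be checked and read on the collector side. The following is an added example, not part of the post, the Cisco readme or any Cisco code: it verifies the RFC 2866 Request Authenticator of an Accounting-Request and extracts User-Name, Calling-Station-Id and Framed-IP-Address, treating the email as untrusted guest input. The function names, shared secret and sample packet are constructed for illustration.

```python
import hashlib
import hmac
import ipaddress
import struct

# Attribute types (RFC 2865/2866) for fields named in the readme's list.
USER_NAME, FRAMED_IP, CALLING_STATION_ID = 1, 8, 31
ACCOUNTING_REQUEST = 4

def build_request(ident, attrs, secret):
    """Constructed stand-in for the WLC: encode an Accounting-Request."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(body))
    auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + auth + body

def parse_request(packet, secret):
    """Check the RFC 2866 Request Authenticator, then extract guest fields."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or not 20 <= length <= len(packet):
        raise ValueError("not a well-formed Accounting-Request")
    body = packet[20:length]
    expected = hashlib.md5(packet[:4] + bytes(16) + body + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("authenticator mismatch: wrong secret or altered packet")
    attrs, pos = {}, 0
    while pos < len(body):
        alen = body[pos + 1] if pos + 1 < len(body) else 0
        if alen < 2 or pos + alen > len(body):
            raise ValueError("malformed attribute")
        attrs.setdefault(body[pos], body[pos + 2:pos + alen])
        pos += alen
    # User-Name is guest-typed: keep printable ASCII only (no log injection).
    raw = attrs.get(USER_NAME, b"").decode("utf-8", "replace")
    email = "".join(c if 32 <= ord(c) < 127 else "?" for c in raw)
    ip = attrs.get(FRAMED_IP, b"")
    return {
        "email": email,
        "client_mac": attrs.get(CALLING_STATION_ID, b"").decode("ascii", "replace"),
        "client_ip": str(ipaddress.IPv4Address(ip)) if len(ip) == 4 else None,
    }

SECRET = b"constructed-shared-secret"  # constructed, not a real secret
SAMPLE = build_request(7, [  # constructed sample record
    (USER_NAME, b"bozo@the.clown"), (CALLING_STATION_ID, b"00-11-22-33-44-55"),
    (FRAMED_IP, ipaddress.IPv4Address("192.0.2.25").packed),
], SECRET)
```

Because the WLC does not validate the address beyond the '@' check the readme mentions, the extracted email is a self-reported label, not an identity; the Calling-Station-Id and Framed-IP-Address are what tie the record to a client.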

 

 

Ah well seems like you have the answer there already (I wasn't aware of that before) - are you using that now?
