I have recently attempted to upgrade our 5508 DMZ WLC to 220.127.116.11 from 7.2.x - we are using Cisco NAC Guest Server version 2.0.3 for web portal authentication.
Upon completing the upgrade to the WLC, guest users were not able to authenticate and I was seeing the following log message on the NAC server.
_SYSTEM_ ( - 10.3.240.10) User trying to authenticate from invalid location: email@example.com 2709 05-Mar-2014 18:30:58
I have seen CSCsq86376, but we are using the IP address as the attribute.
Has anyone else run into this problem before, or could perhaps point me in the right direction of potential configuration to change / further troubleshooting?
Thank you in advance.
You might have to look at your pre-auth ACLs on the WLC. You can also post on the Security AAA forum and see if there was a change in the WLC code that affected external WebAuth... make sure on the WLC WLAN AAA tab that you don't have this enabled:
Radius Server Overwrite interface
Or, on the WLAN General tab, that the NAS-ID is still the hostname of the WLC. This requires a reboot if you change it.
*****Help out others by using the rating system and marking answered questions as "Answered"*****
Just done the same as the above, but then reverted back to 7.5 and put the original config on.
But still got the same issue.
Any help would be much appreciated.
Has the upgrade changed the WebAuth files?
I have done many upgrades to v7.6 and never had any issue with WebAuth failing. Since you downgraded and also restored your config, the only thing that would have changed is the WebAuth or certificates that aren't part of the restore. Are you using an external authentication server, and has that changed? You might be better off opening a TAC case, because something else must have happened if you did a restore and it's still broken.
Thanks for the prompt reply.
No, we are not using an external auth server, just local.
The portal does use HTTPS and it prompts you to accept the cert.
I think it will have to be a TAC case.
So the WebAuth is pretty straightforward. Local auth and you don't have a 3rd-party cert, so you will get a certificate error. So what is the issue? Are no users working, or just certain ones?
Nothing changed on the NAC server? You should do a file compare of the config from when it was working and now. The NGS should have a detailed error that you can look at also. Make sure your NGS and WLC shared secret is correct. Might be a good idea to enter that again.
Thanks for the help.
Got this sorted as per abwahid in a previous post above.
Just totally missed this when I checked the config.
But on the WLC, under Security / RADIUS Authentication Servers,
at the top, the "Auth Call Station ID Type" was set to System MAC Address.
Set it to IP Address and boom... working.
Any customer that has the Calling-Station-Id attribute on their controller set to MAC address will not pass any authentications; change the attribute to use the IP address instead of the MAC address and then try.
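The format mismatch behind the "invalid location" error, as an added illustration that is not code from this thread, from Cisco, or from the NAC Guest Server: a small Python model of a location check that resolves the RADIUS Calling-Station-Id against a table of known WLC subnets. When the controller's "Auth Call Station ID Type" is System MAC Address the attribute carries a MAC string, which can never match an IP-based location table, so the request is rejected regardless of the credentials. The sample attribute values, the MAC/IP formats and the location table are constructed assumptions.

```python
import ipaddress
import re

# Constructed sample Calling-Station-Id values, as a WLC would send them under
# each "Auth Call Station ID Type" setting (assumed formats, not captured data).
SAMPLE_CALLING_STATION_IDS = {
    "ip_address": "10.3.240.10",            # WLC management IP
    "system_mac_address": "00-1a-2b-3c-4d-5e",  # WLC system MAC
}

# Hypothetical location table: the guest server only knows controllers by the
# management subnet it expects to see in Calling-Station-Id.
ALLOWED_LOCATIONS = {
    "DMZ-WLC": ipaddress.ip_network("10.3.240.0/24"),
}

# Accept the common "aa-bb-cc-dd-ee-ff" and "aa:bb:cc:dd:ee:ff" MAC spellings.
MAC_RE = re.compile(r"^([0-9a-f]{2}[:-]){5}[0-9a-f]{2}$", re.IGNORECASE)


def classify_calling_station_id(value):
    """Return 'ip', 'mac' or 'unknown' for a Calling-Station-Id string."""
    try:
        ipaddress.ip_address(value)
        return "ip"
    except ValueError:
        pass
    if MAC_RE.match(value):
        return "mac"
    return "unknown"


def resolve_location(calling_station_id, locations=ALLOWED_LOCATIONS):
    """Map a Calling-Station-Id to a location name; None if it cannot be matched.

    Only IP-formatted values can match a subnet table, so a MAC-formatted
    value always resolves to None even when the controller is known.
    """
    if classify_calling_station_id(calling_station_id) != "ip":
        return None
    addr = ipaddress.ip_address(calling_station_id)
    for name, net in locations.items():
        if addr in net:
            return name
    return None


def authorize(calling_station_id, username):
    """Emulate the guest server's decision: (accepted?, log message)."""
    location = resolve_location(calling_station_id)
    if location is None:
        return False, f"User trying to authenticate from invalid location: {username}"
    return True, f"{username} accepted from {location}"


if __name__ == "__main__":
    for setting, value in SAMPLE_CALLING_STATION_IDS.items():
        ok, msg = authorize(value, "guest1")
        print(f"{setting:20s} {value:20s} {classify_calling_station_id(value):8s} -> {msg}")
```

Running it shows the IP-formatted value resolving to the DMZ-WLC location while the MAC-formatted value from the same controller is rejected with the same "invalid location" wording seen on the NAC server log. The same approach (classify the attribute, then match only IP-formatted values) is a quick way to confirm from a RADIUS capture or debug which format a controller is actually sending before changing the setting.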