Re: Using RADIUS for WiFi authentication

angel-moon · ‎07-24-2012

All,

I am wondering if anyone has any experience using RADIUS to authenticate users to the public WiFi. I want to have a single username and/or password for up to a couple of hundred laptops. I want them to all have to authenticate using the username and/or password before being allowed to connect to the Internet.

Non-cisco APs involved and they are all autonomous. It would be great if there was a way to redirect the initial web page of each user as well. Nomadix makes devices like this and I know Cisco LWAPS can do this as well but that's not an option in this case. Budget is an issue.

Thanks in advance. All replies rated.

Amjad Abdullah · ‎07-24-2012

What type of auth you use?
You can simply use radius with single username and use WriPA-Enterprise or WPA2-Enterprise as a security method on the WLAN.

Rating useful replies is more useful than saying "Thank you"

angel-moon · ‎07-27-2012

Thanks. Could I use RADIUS without WPA? The need is to only authenticate users to allow them to log onto the Internet. Encryption is not needed.

George Stefanick · ‎07-27-2012

In theory yes. BUT, Ive tested this when I was labbing and the Cisco WLC will not allow it. But in theroy, you should be able to. RADIUS would be used for auth and data would not be encrypted .

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

Amjad Abdullah · ‎07-27-2012

With cisco controller you can use web authentication with RADIUS in back end auth. Not sure if this is available with your APs (you probably mentioned it is not).

But if you don't care if encryption is exist or not why don't you keep it exist. This will allow you to use the radius. The overhead though will be client side configuration (if needed).

Rating useful replies is more useful than saying "Thank you"

George Stefanick · ‎07-27-2012

Amjad,

Good point, with web auth. Have you tried it with a production SSID? I had no luck at all with it .. +5

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

Amjad Abdullah · ‎07-27-2012

Thanks George.

Yes I tried it and it works. But with web-auth it works a bit stupid if you have LDAP or local as backup.

With normal dot1x/EAP with radius if primary server rejects the request it does not try the secondary.

With web auth, if you choose more than method (local, radius or LDAP), then if first method ejects the request it will try the next one.

+5 from me to you as well

Sent from Cisco Technical Support iPad App

Rating useful replies is more useful than saying "Thank you"

George Stefanick · ‎07-27-2012

Without web auth you were able to select 802.1X WITHOUT wpa and you got it to work ? What code on the wlc I'm just curious.

Sent from Cisco Technical Support iPhone App

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

Amjad Abdullah · ‎07-27-2012

Not without web-auth. I used it WITH web auth.

Sent from Cisco Technical Support iPad App

Rating useful replies is more useful than saying "Thank you"