WLC 4400 issue on "user login policies" parameter.

raphaelpaviot · ‎11-25-2009

Hi,

I'm using a Cisco Wireless controller in my company.
(the model is a AIR-WLC4402-50-K9 in 4.2.207.0 version).

The WLAN is configured with WPAv2 AES and 802.1X (PEAP MS-CHAPv2) authentication on an external Microsoft IAS server (2003 R2).

the authentication rely on Active Directory login and password.

The user authentication works fine and the WLAN too.

But it's possible for a single user to log on different laptops with the same AD login and password and use the wireless network.

And it has to be forbiden by "user login policies" parameter set to 1 on the WLC (in security parameters).

Does anybody says if it's a known issue and how to solve this problem?

thanks,

raphael Paviot.

dancampb · ‎11-25-2009

The user login policies is to limit the number of concurrent logins of the local netusers of the controller. It doesn't track the usernames from radius since the usename may not get picked up depending on the EAP type. You can limit the number of concurrent logins from the Radius server.

raphaelpaviot · ‎11-26-2009

Dancampb,

Many thanks , you're right, I have to find the solution on IAS server side.

In fact, I have also applied these commands on the controller and the max-user login works (in the case of an externan radius server).

I have seen it in the "message logs".

(Cisco Controller) config>advanced eap max-login-ignore-identity-response disable

(Cisco Controller) config> netuser maxuserLogin 1

But the problem still remain , because the IAS server is not case sensitive for user logins instead of the Wireless Controller.

For exemple:

raphaelpaviot login and RaphaelPAVIOT login are:

-one user for the IAS server.

-two different users on the WLC.

cordially.