WLC 4400 issue on "user login policies" parameter.

Hi,

I'm using a Cisco Wireless controller in my company.
(The model is an AIR-WLC4402-50-K9 running version 4.2.207.0.)

The WLAN is configured with WPAv2 AES and 802.1X (PEAP MS-CHAPv2) authentication on an external Microsoft IAS server (2003 R2).

The authentication relies on Active Directory login and password.

The user authentication works fine and the WLAN too.

But it's possible for a single user to log on to different laptops with the same AD login and password and use the wireless network.

And it has to be forbidden by the "user login policies" parameter set to 1 on the WLC (in security parameters).

Can anybody say whether it's a known issue and how to solve this problem?

Thanks,

raphael Paviot.

Re: WLC 4400 issue on "user login policies" parameter.

The user login policies setting limits the number of concurrent logins of the local netusers of the controller. It doesn't track the usernames from RADIUS since the username may not get picked up depending on the EAP type. You can limit the number of concurrent logins from the RADIUS server.

Re: WLC 4400 issue on "user login policies" parameter.

Dancampb,

Many thanks, you're right, I have to find the solution on the IAS server side.

In fact, I have also applied these commands on the controller and the max-user login works (in the case of an external RADIUS server).

I have seen it in the "message logs".

(Cisco Controller) config>advanced eap max-login-ignore-identity-response disable

(Cisco Controller) config> netuser maxuserLogin 1

But the problem still remains, because the IAS server is not case-sensitive for user logins, unlike the Wireless Controller.

For example:

raphaelpaviot login and RaphaelPAVIOT login are:

- one user for the IAS server.

- two different users on the WLC.

cordially.
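
The case mismatch described in the last reply can be checked from RADIUS accounting data. The following is an added example, not part of the original thread: it replays Start/Stop accounting events and reports identities that exceed the login limit once usernames are case-folded (the IAS view) but not under exact comparison (the WLC view). The event tuple layout, the function names and the sample events are assumptions constructed for illustration; parsing of the actual IAS log format is not shown.

```python
from collections import defaultdict

MAX_USER_LOGIN = 1  # same limit as "netuser maxuserLogin 1" in the thread

# Constructed sample events (not real logs):
# (time, Acct-Status-Type, User-Name, Calling-Station-Id)
SAMPLE_EVENTS = [
    ("09:00:00", "Start", "raphaelpaviot", "00-11-22-33-44-01"),
    ("09:05:00", "Start", "RaphaelPAVIOT", "00-11-22-33-44-02"),
    ("09:10:00", "Start", "jdupont",       "00-11-22-33-44-03"),
    ("09:20:00", "Stop",  "raphaelpaviot", "00-11-22-33-44-01"),
    ("09:30:00", "Start", "RAPHAELPAVIOT", "00-11-22-33-44-04"),
    ("09:40:00", "Stop",  "jdupont",       "00-11-22-33-44-03"),
    ("09:45:00", "Start", "jdupont",       "00-11-22-33-44-05"),
]

def find_violations(events, limit=MAX_USER_LOGIN, normalize=str.casefold):
    """Replay events in time order; return one tuple
    (time, identity, spellings, stations) each time a Start pushes an
    identity above `limit` concurrent sessions."""
    active = defaultdict(dict)  # identity -> {station: spelling as typed}
    violations = []
    for when, status, user, station in sorted(events):
        key = normalize(user)
        if status == "Start":
            active[key][station] = user
            if len(active[key]) > limit:
                spellings = sorted(set(active[key].values()))
                violations.append((when, key, spellings, sorted(active[key])))
        elif status == "Stop":
            # A Stop may arrive with a different spelling; the key is normalized.
            active[key].pop(station, None)
    return violations

def missed_by_case_sensitive(events, limit=MAX_USER_LOGIN):
    """Violations visible only after case folding, i.e. the ones a
    case-sensitive per-username counter does not see."""
    exact = find_violations(events, limit, normalize=lambda u: u)
    seen = {(when, ident.casefold()) for when, ident, _, _ in exact}
    return [v for v in find_violations(events, limit) if (v[0], v[1]) not in seen]

if __name__ == "__main__":
    for when, ident, spellings, stations in missed_by_case_sensitive(SAMPLE_EVENTS):
        print(f"{when} {ident}: {len(stations)} sessions via {spellings} on {stations}")
```
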
