Cisco Support Community
New Member

WLC 4400/Web Authentication and IAS Radius

Hi,

I am testing out a wireless mesh design and am using a 4402 WLC with a handful of 1510 APs.

I have a number of vlans and IAS authentication configured and all is working well.

The issue I have is with a public access wlan. I have the wlan/vlan configured correctly, DHCP works fine and devices can forward traffic ok. The wlan is set up with no encryption or authentication currently as we want to use the web authentication feature.

I can get the client devices to redirect to the Web Authentication page ok but authentication with the defined IAS radius server fails.

Having had a look in the event viewer of the IAS server it appears to be failing because the NAS-PORT-TYPE is undefined.

So either the 4400 is not sending the NAS type or the IAS is not understanding it.

RADIUS on all the other VLANs works perfectly, so I can't see why the NAS type is not being provided with web authentication.

Can anyone shed any light on the possible/probable causes?

Cheers

Shaun

7 REPLIES
New Member

Re: WLC 4400/Web Authentication and IAS Radius

Hi,

You are saying the WLAN is set up without any encryption and authentication. Then the guest should be able to browse the web transparently. What NAS log says doesn't matter.

I guess you are using some form of user id and password security on the guest page though - is that correct? If that is correct then you should define this authentication type on RADIUS otherwise it won't be able to process guest's request.

New Member

Re: WLC 4400/Web Authentication and IAS Radius

Almost..

The guest/public VLAN is open, but the WLC 4400 has a web authentication feature which operates independently of any wireless authentication methods.

It intercepts HTTP traffic from the client and redirects it to either a built-in web authentication page, or an external custom page. In either case, the user is prompted for a username and password. This is then checked against a RADIUS server and authenticated before the user is allowed anywhere else.

It's this authentication process which is failing.

Hope this explains it better.

Cheers

Shaun

New Member

Re: WLC 4400/Web Authentication and IAS Radius

Hi Shaun,

Do you already have this running? I have the same problem. Configured WLAN with web authentication and configured IAS RADIUS server to authenticate.

Can you maybe tell me what I have to configure on the IAS radius server?

Hall of Fame Super Silver

Re: WLC 4400/Web Authentication and IAS Radius

The issue is with the remote access policy in IAS. You have to have a separate policy for webauth. You should have the NAS-PORT-Type as wireless and specify the NAS-IP-Address with the WLC management IP address. On the WLC general tab, make sure ppp is configured.

In IAS, the Authentication tab, PAP SAP should be the only thing checked. In the advanced tab, service type is login and framed-protocol is ppp.

-Scott
*** Please rate helpful posts ***
New Member

Re: WLC 4400/Web Authentication and IAS Radius

Hi

Thanks for the reply. I tried it but still it doesn't work. I really need it working for a customer. I can't find the ppp item on the WLC general tab.

I hope someone can help.

I have this logfile from the WLC debug aaa all enable:

(Cisco Controller) >Fri Nov 9 11:40:16 2007: Unable to find requested user entry for marcel

Fri Nov 9 11:40:16 2007: ReProcessAuthentication previous proto 8, next proto 1

Fri Nov 9 11:40:16 2007: AuthenticationRequest: 0x146aa374

Fri Nov 9 11:40:16 2007: Callback.....................................0x103fbc1c

Fri Nov 9 11:40:16 2007: protocolType.................................0x00000001

Fri Nov 9 11:40:16 2007: proxyState...................................00:13:CE:E7:D2:B1-00:00

Fri Nov 9 11:40:16 2007: Packet contains 8 AVPs (not shown)

Fri Nov 9 11:40:16 2007: 00:13:ce:e7:d2:b1 Successful transmission of Authentication Packet (id 35) to 192.168.5.51:1812, proxy state 00:13:ce:e7:d2:b1-00:01

Fri Nov 9 11:40:16 2007: 00000000: 01 23 00 78 00 00 00 00 00 00 00 00 00 00 00 00 .#.x............

00000010: 00 00 00 00 01 08 6d 61 72 63 65 6c 02 12 9e 07 ......marcel....

00000020: db 12 09 44 22 14 62 0d d2 bc ed f3 2f 62 06 06 ...D".b...../b..

00000030: 00 00 00 01

Fri Nov 9 11:40:16 2007: 00000000: 03 23 00 14 58 8c 22 78 27 9e f5 6f 51 db 6c e2 .#..X."x'..oQ.l.

Fri Nov 9 11:40:16 2007: 00000010: d2 53 8d 81 .S..

Fri Nov 9 11:40:16 2007: ****Enter processIncomingMessages: response code=3

Fri Nov 9 11:40:16 2007: ****Enter processRadiusResponse: response code=3

Fri Nov 9 11:40:16 2007: 00:13:ce:e7:d2:b1 Access-Reject received from RADIUS server 192.168.5.51 for mobile 00:13:ce:e7:d2:b1 receiveId = 0

Fri Nov 9 11:40:16 2007: AuthorizationResponse: 0x120a8c28

Fri Nov 9 11:40:16 2007: structureSize................................28

Fri Nov 9 11:40:16 2007: resultCode...................................-4

Fri Nov 9 11:40:16 2007: protocolUsed.................................0x00000001

Fri Nov 9 11:40:16 2007: proxyState...................................00:13:CE:E7:D2:B1-00:00

Fri Nov 9 11:40:16 2007: Packet contains 0 AVPs:

Fri Nov 9 11:40:16 2007: Authentication failed for marcel
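The two hex dumps in the debug output above are the RADIUS Access-Request the WLC sent and the Access-Reject that came back. As an added example (not part of the original post, and not Cisco or Microsoft code), the following Python decoder reads them using the RFC 2865 packet layout and shows that the request dump is cut off, so the visible bytes alone cannot confirm or rule out a NAS-Port-Type attribute. The function name and the small attribute table are this example's own.

```python
import struct

# Bytes copied from the "debug aaa all enable" hex dumps in the post above.
REQUEST_HEX = """
01 23 00 78 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 01 08 6d 61 72 63 65 6c 02 12 9e 07
db 12 09 44 22 14 62 0d d2 bc ed f3 2f 62 06 06
00 00 00 01
"""
RESPONSE_HEX = "03 23 00 14 58 8c 22 78 27 9e f5 6f 51 db 6c e2 d2 53 8d 81"

CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject"}
# RFC 2865 attribute numbers; only the ones this thread mentions.
ATTRS = {1: "User-Name", 2: "User-Password", 4: "NAS-IP-Address",
         6: "Service-Type", 7: "Framed-Protocol", 61: "NAS-Port-Type"}
INT_ATTRS = {6, 7, 61}  # attributes carrying a 32-bit integer

def parse_radius(hexdump):
    """Decode a (possibly truncated) RADIUS packet given as spaced hex."""
    data = bytes.fromhex("".join(hexdump.split()))
    if len(data) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", data[:4])
    attrs, pos = {}, 20  # attributes start after code/id/length/authenticator
    while pos + 2 <= len(data):
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            break  # malformed, or the dump ends mid-attribute
        value = data[pos + 2:pos + alen]
        if atype in INT_ATTRS and len(value) == 4:
            value = struct.unpack("!I", value)[0]
        elif atype == 1:
            value = value.decode("ascii", "replace")
        attrs[ATTRS.get(atype, atype)] = value
        pos += alen
    return {"code": CODES.get(code, code), "id": ident,
            "declared_len": length,
            "missing_bytes": max(0, length - len(data)), "attrs": attrs}

if __name__ == "__main__":
    req, rsp = parse_radius(REQUEST_HEX), parse_radius(RESPONSE_HEX)
    print(req["code"], "id", req["id"], req["attrs"])
    if req["missing_bytes"]:
        print(req["missing_bytes"], "bytes of the request are not in the dump;",
              "NAS-Port-Type cannot be confirmed or ruled out from it")
    print(rsp["code"], "id", rsp["id"], "attrs:", rsp["attrs"])
```

The decoded Service-Type value 1 is Login in RFC 2865. The attributes missing from the dump would have to come from a packet capture or from the IAS event log entry for the rejected request.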

Hall of Fame Super Silver

Re: WLC 4400/Web Authentication and IAS Radius

The PPP setting is in the general tab; it is one of the drop-down boxes. Depending on the code, it usually is the last drop-down box.

-Scott
*** Please rate helpful posts ***
Hall of Fame Super Silver

Re: WLC 4400/Web Authentication and IAS Radius

Looks like the IAS rejected the user. What do the IAS server EV logs look like?

-Scott
*** Please rate helpful posts ***