Cisco Support Community
Community Member

WLC 5508 Radius Server

What is the authentication list precedence for RADIUS authentication?

global list       network user checkbox

per WLAN        AAA server add

global list       network user unchecked

I have 3 RADIUS servers, 2 of which are used for global authentication (all APs are H-REAP) and a 3rd one used only for 1 site. When the first 2 RADIUS servers fail, the WLC uses the 3rd one, but the 3rd only has a database for 1 site's users.

Do I need to uncheck the network user checkbox on the 3rd RADIUS and create an H-REAP group, then associate the 3rd one with it? I don't want the 3rd RADIUS to be available for the global list to use as a normal global RADIUS. Any comments?

7 REPLIES
Cisco Employee

Re: WLC 5508 Radius Server

Could you please elaborate your question?

~BR
Jatin Katyal

**Do rate helpful posts**


Cisco Employee

Re: WLC 5508 Radius Server

I agree with Shankar. If the "AAA Server" order on the WLAN (WLAN > Security > AAA Server) is different from the RADIUS Authentication order (Security > AAA), the WLAN AAA Server setting takes precedence over the global setting.

~BR
Jatin Katyal

**Do rate helpful posts**

Cisco Employee

Re: WLC 5508 Radius Server

You may also go through the link listed below to understand RADIUS failover on the WLC.

http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a008098987e.shtml

~BR
Jatin Katyal

**Do rate helpful posts**

Community Member

WLC 5508 Radius Server

After running a few labs, this is what I got.

The RADIUS server used in the global list needs to have Network User checked if no WLAN has it under the WLAN AAA security. If a WLAN has no server under the WLAN, the WLAN will use the global list starting from the lowest index.

If a WLAN has the RADIUS server under the AAA security tab, Network User unchecked is OK under the global RADIUS list, as long as it is selected in the WLAN AAA security; the WLAN will only use the RADIUS server specified there and will not use any RADIUS from the global list that is not selected.

Cisco Employee

WLC 5508 Radius Server

Osvaldo,

Your observation is correct, and this should be documented on the WLC help tab if you search for the keyword "network user" under RADIUS auth.

Quote:

  • Network User—Network user authentication check box. If this option is enabled, this entry is considered as the network user RADIUS authenticating server entry. If you did not set the RADIUS server entry on the WLAN configuration (WLANs > Edit > Security > AAA Servers), you must enable this option for network users.
  • Management—Management authentication check box. If this option is enabled, this entry is considered as the management RADIUS authenticating server entry. If you enable this option, authentication requests go to the RADIUS server

AAA server defined on WLAN takes precedence over global.
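For anyone who wants to reproduce the arrangement Osvaldo tested from the AireOS CLI rather than the GUI, the following is an added configuration example; it is not part of the original thread or of any Cisco document. The server addresses, the WLAN ID (5) and the shared-secret placeholders are assumed values, and the example covers only central RADIUS authentication through the controller (the H-REAP/FlexConnect local-authentication case is not shown). Lines beginning with "#" are annotations, not CLI input.

```text
# Global RADIUS authentication list (Security > AAA > RADIUS > Authentication).
# Indexes 1 and 2 are the site-wide servers; index 3 holds only one site's users.
# (assumed addresses and secrets)
config radius auth add 1 10.0.0.11 1812 ascii <secret-1>
config radius auth add 2 10.0.0.12 1812 ascii <secret-2>
config radius auth add 3 10.20.0.13 1812 ascii <secret-3>

# Only indexes 1 and 2 should serve WLANs that rely on the global list.
# Leaving "Network User" enabled on index 3 is what lets the controller fall
# back to the single-site server once 1 and 2 are unreachable.
config radius auth network 1 enable
config radius auth network 2 enable
config radius auth network 3 disable
# Index 3 is not a management-authentication server either.
config radius auth management 3 disable

# The single-site WLAN (assumed WLAN ID 5) names index 3 explicitly under
# WLAN > Security > AAA Servers. A WLAN with its own server list uses only the
# servers listed there, in the order given, and ignores the global list.
config wlan disable 5
config wlan radius_server auth add 5 3
config wlan radius_server auth enable 5
config wlan enable 5

# Verify: "Network User" should read Disabled for index 3, and WLAN 5 should
# list server index 3 as its authentication server.
show radius summary
show wlan 5
```

With this layout, WLANs that carry no per-WLAN server list walk the global entries that have Network User enabled, lowest index first, and never reach index 3; the single-site WLAN authenticates only against index 3 and does not fall back to indexes 1 and 2 unless they are also added to its own list.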

Community Member

Re: WLC 5508 Radius Server

Precedence - The smaller of this value or the session timeout for the guest WLAN, which is the WLAN on which the guest account is created, takes precedence. For example, if a WLAN session timeout is due to expire in 30 minutes but the guest account lifetime has 10 minutes remaining, the account is deleted in 10 minutes upon guest account expiry. Similarly, if the WLAN session timeout expires before the guest account lifetime, the client experiences a recurring session timeout that requires authentication.

global list :- By default, the controller sources all RADIUS traffic from the IP address on its management interface, which means that even if a WLAN has specific RADIUS servers configured instead of the global list, the identity used is the management interface IP address.

per wlan :- You can display different web authentication login, login failure, and logout pages to users per WLAN. This feature enables user-specific web authentication pages to be displayed for a variety of network users, such as guest users or employees within different departments of an organization.
