Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

WLC Management Admin via RADIUS

I am trying to have a management user authenticate via radius and have full admin privileges.

For a WCS I can simply set the radius attribute of "Cisco-AVPair.attr|Wireless-WCS:role0=Admin" and that user will get full admin rights. I found this doc to grant a user lobby admin:

http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a0080871921.shtml

but, it is specific to the using the Cisco ACS as a radius server. What attributes do I need to set for a user to get full admin rights to a WLC when authenticating via radius?  Thanks.

Everyone's tags (4)
8 REPLIES
Cisco Employee

Re: WLC Management Admin via RADIUS

Hi,

Regarding the WLC using RADIUS for admin or logbbyambassador login, you only need the Service Type Radius attribute, so if you have a RADIUS server that can send this RADIUS attibute on the RADIUS access-accept, it is transparent for the WLC.

For lobby-admin -> IETF RADIUS Service-Type attribute set to Callback       Administrative.

HTH,

Tiago

--

If  this helps you and/or answers your question please mark the question as  "answered" and/or rate it, so other users can easily find it.

New Member

Re: WLC Management Admin via RADIUS

My problem: I have a local management user profile defined on my WLC and it works fine when the Priority Order is set to LOCAL.  When I change the Priority Order to make RADIUS first and LOCAL second, I can't get logged into the WLC using CLI, GUI, or the console.  The last time this happened I had to reset the WLC and start over.  I don't want to do that again, so I need some way to get into the WLC.

Once I can get back into the WLI would prefer using Active Directory to authenticate the management user but that doesn't seem to work.  My RADIUS acts as a front end for the Active Directory database and works well for many of our Cisco LAN switches andd Routers. Now I'm trying to set up the WLC to authenticate the management user with RADIUS.  I have set the RADIUS (MS IAS) to return two attributes;

1. Vendor-Specific -Vendor Code 14179, Value=management

2. Service-Type - Value=Login

When I try to login using my AD account, the RADIUS server log shows an Access Request record, then an Access-Accept record that makes it appear RADIUS has successfully authenticated the user.  But the login prompt for the GUI comes back as if it has failed.  Same with the CLI login.  Now I can't get logged into the WLC.  How can I get into the box to manage it again?

Thanks

Cisco Employee

Re: WLC Management Admin via RADIUS

Hi,

In order to authenticate a user via a RADIUS server, for controller       login and management, you must add the user to the RADIUS database with the       IETF RADIUS attributes Service-Type attribute set to the appropriate value       according to the user's privileges.

  • In order to set read-write privileges for the user, set the           Service-Type Attribute to Administrative.

  • In order to set read-only privileges for the user, set the           Service-Type Attribute to           NAS-Prompt.

  • For Lobby Ambassador you have to return IETF RADIUS Service-Type attribute set to Callback       Administrative.

Please find config example:

http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a0080782507.shtml.

HTH,
Tiago

--

If  this helps you and/or answers your question please mark the question as  "answered" and/or rate it, so other users can easily find it.

New Member

Re: WLC Management Admin via RADIUS

That solved my problem.  I have a RADIUS (MS IAS) defined, but the RADIUS is using LDAP as the database for authentication. We manage the users by Windows Groups, and in the RADIUS policy conditions check for a certain Windows group in the user profile.  If it passes, they can login.  If it fails they can't unless they use the administrator profile.

WLC Management Admin via RADIUS

How did you end up fixing it?  I am having the same issue.  I am using Windows 2008 server.  I have tried to set the RADIUS Attribute Service Type as Adminsitrative as well as Login didn't work.  Also what goes under Vendor Specific?

Note:  I am trying to use this just so I can log into the WLC.

New Member

hi, any response to

hi, any response to mali1977us would also assist myself. i can see my management user with AD authenticate fine but im still prompted with the login page. 

New Member

you will need to set:

you will need to set:

Service-Type:  Administrator

Cisco-AV-Pair:   shell:priv-lvl=15

--------

Khalid

If  this helps you and/or answers your question please mark the question as  "answered" and/or rate it, so other users can easily find it.

New Member

The solution in my case was

The solution in my case was not checking the "Access-Request messages must contain the Message-Authenticator Attribute" option within Radius Client Settings

12742
Views
25
Helpful
8
Replies
CreatePlease to create content