Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

WLC Web Auth with Radius server fails

Guys,

I have setup web authentication for a guest SSID.  When a guest connects to the guest SSID, they are given the correct IP address.  The guest then sends a request to say google.com and they get the redirect to the internal web auth login page hosted on the WLC.  User enters username and password and gets "Login Error.  THe User Name and Password combination you have entered is invalid. Please try again"  However, if you check the logs on the Radius server, you see that the user is authenticated and is allowed.

I ran a debug AAA on the WLC and I see Access-Accept received from RADIUS server for guest ID.  Anyone have any suggestions?  I'm out of ideas.

Below is some of the logs I pulled from the failed attempts.

Fri Mar  5 15:41:17 2010: 00:1e:52:70:e7:34 Sending Accounting request (2) for station 00:1e:52:70:e7:34
Fri Mar  5 15:41:18 2010: 00:1e:52:70:e7:34 Successful transmission of Authentication Packet (id 232) to 10.222.71.62:1813, proxy state 00:1e:52:70:e7:34-52:70
Fri Mar  5 15:41:18 2010: 00:1e:52:70:e7:34 Access-Challenge received from RADIUS server 10.222.71.62 for mobile 00:1e:52:70:e7:34 receiveId = 3
Fri Mar  5 15:41:18 2010: 00:1e:52:70:e7:34 Successful transmission of Authentication Packet (id 233) to 10.222.71.62:1813, proxy state 00:1e:52:70:e7:34-52:70
Fri Mar  5 15:41:18 2010: 00:1e:52:70:e7:34 Access-Challenge received from RADIUS server 10.222.71.62 for mobile 00:1e:52:70:e7:34 receiveId = 3
Fri Mar  5 15:41:18 2010: 00:1e:52:70:e7:34 Successful transmission of Authentication Packet (id 234) to 10.222.71.62:1813, proxy state 00:1e:52:70:e7:34-52:70
Fri Mar  5 15:41:18 2010: 00:1e:52:70:e7:34 Access-Challenge received from RADIUS server 10.222.71.62 for mobile 00:1e:52:70:e7:34 receiveId = 3
Fri Mar  5 15:41:18 2010: 00:1e:52:70:e7:34 Successful transmission of Authentication Packet (id 235) to 10.222.71.62:1813, proxy state 00:1e:52:70:e7:34-52:70
Fri Mar  5 15:41:18 2010: 00:1e:52:70:e7:34 Access-Challenge received from RADIUS server 10.222.71.62 for mobile 00:1e:52:70:e7:34 receiveId = 3
Fri Mar  5 15:41:18 2010: 00:1e:52:70:e7:34 Successful transmission of Authentication Packet (id 236) to 10.222.71.62:1813, proxy state 00:1e:52:70:e7:34-52:70
Fri Mar  5 15:41:18 2010: 00:1e:52:70:e7:34 Access-Challenge received from RADIUS server 10.222.71.62 for mobile 00:1e:52:70:e7:34 receiveId = 3
Fri Mar  5 15:41:18 2010: 00:1e:52:70:e7:34 Successful transmission of Authentication Packet (id 237) to 10.222.71.62:1813, proxy state 00:1e:52:70:e7:34-52:70
Fri Mar  5 15:41:18 2010: 00:1e:52:70:e7:34 Access-Challenge received from RADIUS server 10.222.71.62 for mobile 00:1e:52:70:e7:34 receiveId = 3
Fri Mar  5 15:41:30 2010: 00:1e:52:70:e7:34 Sending Accounting request (2) for station 00:1e:52:70:e7:34
Fri Mar  5 15:42:04 2010: 00:1e:52:70:e7:34 Successful transmission of Authentication Packet (id 211) to 10.222.68.62:1813, proxy state 00:1e:52:70:e7:34-52:70
Fri Mar  5 15:42:04 2010: 00:1e:52:70:e7:34 Access-Accept received from RADIUS server 10.222.68.62 for mobile 00:1e:52:70:e7:34 receiveId = 0

Fri Mar  5 15:09:30 2010: 00:1e:52:70:e7:34 Username entry (madison_guest) created for mobile 00:1e:52:70:e7:34
Fri Mar  5 15:09:30 2010: 00:1e:52:70:e7:34 Plumbing web-auth redirect rule due to user logout for 00:1e:52:70:e7:34
Fri Mar  5 15:09:30 2010: 00:1e:52:70:e7:34 10.222.190.182 WEBAUTH_REQD (8) Deleting mobile policy rule 155
Fri Mar  5 15:09:30 2010: 00:1e:52:70:e7:34 Adding Web RuleID 156 for mobile 00:1e:52:70:e7:34
Fri Mar  5 15:09:30 2010: 00:1e:52:70:e7:34 Web Authentication failure for station 00:1e:52:70:e7:34
Fri Mar  5 15:09:30 2010: 00:1e:52:70:e7:34 10.222.190.182 WEBAUTH_REQD (8) Reached ERROR: from line 4237
Fri Mar  5 15:09:36 2010: 00:1e:52:70:e7:34 10.222.190.182 WEBAUTH_REQD (8) Deleting policy rule
Fri Mar  5 15:09:36 2010: 00:1e:52:70:e7:34 10.222.190.182 WEBAUTH_REQD (8) Deleted mobile LWAPP rule on AP [00:17:0f:d8:b9:30]
Fri Mar  5 15:09:36 2010: 00:1e:52:70:e7:34 Updated location for station 00:1e:52:70:e7:34 - old AP 00:00:00:00:00:00-0, new AP 00:17:0f:8c:12:c0-1
Fri Mar  5 15:09:36 2010: 00:1e:52:70:e7:34 Association received from mobile 00:1e:52:70:e7:34 on AP 00:17:0f:8c:12:c0
Fri Mar  5 15:09:36 2010: 00:1e:52:70:e7:34 Applying site-specific override for station 00:1e:52:70:e7:34 - vapId 8, site 'Floor_10_Access_Points', interface 'ssid_public_floor_10'
Fri Mar  5 15:09:36 2010: 00:1e:52:70:e7:34 10.222.190.182 WEBAUTH_REQD (8) Changing ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1080)
Fri Mar  5 15:09:36 2010: 00:1e:52:70:e7:34 STA: 00:1e:52:70:e7:34 - rates (8): 140 18 152 36 176 72 96 108 0 0 0 0 0 0 0 0
Fri Mar  5 15:09:36 2010: 00:1e:52:70:e7:34 10.222.190.182 WEBAUTH_REQD (8) Change state to START (0)
Fri Mar  5 15:09:36 2010: 00:1e:52:70:e7:34 10.222.190.182 START (0) Initializing policy
Fri Mar  5 15:09:36 2010: 00:1e:52:70:e7:34 10.222.190.182 START (0) Change state to AUTHCHECK (2)
Fri Mar  5 15:09:36 2010: 00:1e:52:70:e7:34 10.222.190.182 AUTHCHECK (2) Change state to L2AUTHCOMPLETE (4)
Fri Mar  5 15:09:36 2010: 00:1e:52:70:e7:34 10.222.190.182 L2AUTHCOMPLETE (4) Plumbed mobile LWAPP rule on AP 00:17:0f:8c:12:c0
Fri Mar  5 15:09:36 2010: 00:1e:52:70:e7:34 10.222.190.182 L2AUTHCOMPLETE (4) Change state to WEBAUTH_REQD (8)
Fri Mar  5 15:09:36 2010: 00:1e:52:70:e7:34 10.222.190.182 WEBAUTH_REQD (8) Adding TMP rule
Fri Mar  5 15:09:36 2010: 00:1e:52:70:e7:34 10.222.190.182 WEBAUTH_REQD (8) Adding Fast Path rule
Fri Mar  5 15:09:36 2010: 00:1e:52:70:e7:34 10.222.190.182 WEBAUTH_REQD (8)
Fri Mar  5 15:09:36 2010: 00:1e:52:70:e7:34 10.222.190.182 WEBAUTH_REQD (8) Successfully plumbed mobile rule (ACL ID 255)
Fri Mar  5 15:09:36 2010: 00:1e:52:70:e7:34 10.222.190.182 WEBAUTH_REQD (8) Deleting mobile policy rule 156
Fri Mar  5 15:09:36 2010: 00:1e:52:70:e7:34 Adding Web RuleID 157 for mobile 00:1e:52:70:e7:34
Fri Mar  5 15:09:36 2010: 00:1e:52:70:e7:34 10.222.190.182 WEBAUTH_REQD (8) Adding TMP rule
Fri Mar  5 15:09:36 2010: 00:1e:52:70:e7:34 10.222.190.182 WEBAUTH_REQD (8) Replacing Fast Path rule
Fri Mar  5 15:09:36 2010: 00:1e:52:70:e7:34 10.222.190.182 WEBAUTH_REQD (8)
Fri Mar  5 15:09:36 2010: 00:1e:52:70:e7:34 10.222.190.182 WEBAUTH_REQD (8) Successfully plumbed mobile rule (ACL ID 255)

Thanks,

Justin

1 ACCEPTED SOLUTION

Accepted Solutions
Hall of Fame Super Silver

Re: WLC Web Auth with Radius server fails

In the Advanced tab in Edit Dial-In Profile, make sure the Service Type is set to Login.  If that doesn't work, post the error that shows up in the IAS event viewer.

-Scott
*** Please rate helpful posts ***
7 REPLIES
Hall of Fame Super Silver

Re: WLC Web Auth with Radius server fails

What radius server are you using?

-Scott
*** Please rate helpful posts ***
New Member

Re: WLC Web Auth with Radius server fails

IAS Radius server

Hall of Fame Super Silver

Re: WLC Web Auth with Radius server fails

In the Advanced tab in Edit Dial-In Profile, make sure the Service Type is set to Login.  If that doesn't work, post the error that shows up in the IAS event viewer.

-Scott
*** Please rate helpful posts ***
New Member

Re: WLC Web Auth with Radius server fails

Scott,

That worked!! Thank you so much.  The service type was set to framed.

Thank you once again,

Justin

Hall of Fame Super Silver

Re: WLC Web Auth with Radius server fails

No problem.  Just remember this is only for webauth.  EAP would need to be framed.

-Scott
*** Please rate helpful posts ***
New Member

WLC Web Auth with Radius server fails

I am having this same problem however i am using RSA Authentication Manager as RDIUS, does nayone know if the settings are the same?

WLC Web Auth with Radius server fails

This document was generated from the following discussion: WLC Web Auth with Radius server fails

Thanks & Regards
3498
Views
0
Helpful
7
Replies