Users authenticated by RADIUS can also do MGMT auth to the WLC with their AD credentials

Introduction

In this document, Cisco TAC engineer Samson Aloor explains the issue "Wireless users authenticated by a RADIUS server are also able to do MGMT authentication to the WLC with their AD credentials".

Problem Subcategory

5500 Series Wireless LAN Controller (AIR-CT5508)

Problem Type

Configuration Assistance

Hardware

Cisco 5500 Series Wireless LAN Controller - AIR-CT5508-K9


Software Version

7.4.110.0

Problem Details

User installed a new 5508 WLC into the network with only a local admin account set up. No TACACS server is configured, but the user found that the WLC could be accessed by any valid domain account.

Problem Description

Wireless/wired users were also able to log in to the WLC as management users, whereas the user had created just a single local admin account.

Resolution

It was found that the RADIUS authentication server was also configured for management authentication.

If we configure a RADIUS authentication server, the "Management" check box is enabled by default for management authentication. If this feature is enabled, this entry is considered the RADIUS authentication server for management users, and management authentication requests go to the RADIUS server.

We also verified this by unchecking the option, which disables management authentication on that RADIUS server entry.

http://www.cisco.com/image/gif/paws/71989/manage-wlc-users-radius-02.gif


Troubleshooting

Output of the debug aaa events enable command, with the Service-Type attribute set to Administrative on the ACS:

(Cisco Controller)>debug aaa events enable
Mon Aug 13 20:17:02 2011: AuthenticationRequest: 0xa449f1c
Mon Aug 13 20:17:02 2011: Callback.....................................0x8250c40
Mon Aug 13 20:17:02 2011: protocolType.................................0x00020001
Mon Aug 13 20:17:02 2011: proxyState.......................1D:00:00:00:00:00-00:00
Mon Aug 13 20:17:02 2011: Packet contains 5 AVPs (not shown)
Mon Aug 13 20:17:02 2011: 1d:00:00:00:00:00 Successful transmission of 
Authentication Packet (id 11) to 172.16.1.1:1812, proxy state 
1d:00:00:00:00:00-00:00
Mon Aug 13 20:17:02 2011: ****Enter processIncomingMessages: response code=2
Mon Aug 13 20:17:02 2011: ****Enter processRadiusResponse: response code=2
Mon Aug 13 20:17:02 2011: 1d:00:00:00:00:00 Access-Accept received 
from RADIUS server 172.16.1.1 for mobile 1d:00:00:00:00:00 receiveId = 0
Mon Aug 13 20:17:02 2011: AuthorizationResponse: 0x9802520
Mon Aug 13 20:17:02 2011: structureSize................................100
Mon Aug 13 20:17:02 2011: resultCode...................................0
Mon Aug 13 20:17:02 2011: protocolUsed.................................0x00000001
Mon Aug 13 20:17:02 2011: proxyState.......................1D:00:00:00:00:00-00:00
Mon Aug 13 20:17:02 2011: Packet contains 2 AVPs:
Mon Aug 13 20:17:02 2011: AVP[01] Service-Type...........0x00000006 (6) (4 bytes)
Mon Aug 13 20:17:02 2011: AVP[02] Class.........
CISCOACS:000d1b9f/ac100128/acsserver (36 bytes)

The Service-Type attribute is passed onto the WLC.
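To audit this from the controller side, a defender can run the same debug output through a small parser and list which RADIUS server returned an Access-Accept carrying Service-Type Administrative, which is the accept that turns an ordinary directory user into a WLC management login. This is an added example, not part of the original document; the record and AVP layouts are taken from the debug output above, and the sample input is a constructed copy of it.

```python
import re

# RADIUS Service-Type values from RFC 2865 section 5.6; 6 (Administrative)
# is the value the WLC debug above shows being passed to the controller.
SERVICE_TYPES = {1: "Login", 2: "Framed", 6: "Administrative",
                 7: "NAS-Prompt", 8: "Authenticate-Only"}

# Timestamp prefix the WLC prints in front of every debug record.
TS_RE = re.compile(r"^[A-Z][a-z]{2} [A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d \d{4}: ")
ACCEPT_RE = re.compile(r"Access-Accept received from RADIUS server (\d+\.\d+\.\d+\.\d+)")
AVP_RE = re.compile(r"AVP\[\d+\]\s+Service-Type\.+0x([0-9a-fA-F]+)")


def records(text):
    """Strip timestamps and rejoin records the terminal wrapped across lines."""
    recs = []
    for line in text.splitlines():
        m = TS_RE.match(line)
        if m:
            recs.append(line[m.end():].strip())
        elif recs and line.strip():  # continuation of the previous record
            recs[-1] += " " + line.strip()
    return recs


def service_types_from_accepts(text):
    """Return [(server_ip, service_type_name)] for each Access-Accept whose
    AVP list carries a Service-Type attribute."""
    out, server = [], None
    for rec in records(text):
        m = ACCEPT_RE.search(rec)
        if m:
            server = m.group(1)
            continue
        m = AVP_RE.search(rec)
        if m and server is not None:
            code = int(m.group(1), 16)
            out.append((server, SERVICE_TYPES.get(code, "Unknown(%d)" % code)))
            server = None
    return out


def administrative_accepts(text):
    """Only the accepts that grant Administrative service, i.e. RADIUS users
    the WLC will treat as management logins."""
    return [s for s in service_types_from_accepts(text) if s[1] == "Administrative"]


# Constructed sample: the debug output from this document, reduced to the
# records the parser needs (note the terminal-wrapped lines).
SAMPLE = """(Cisco Controller)>debug aaa events enable
Mon Aug 13 20:17:02 2011: 1d:00:00:00:00:00 Successful transmission of
Authentication Packet (id 11) to 172.16.1.1:1812, proxy state
1d:00:00:00:00:00-00:00
Mon Aug 13 20:17:02 2011: 1d:00:00:00:00:00 Access-Accept received
from RADIUS server 172.16.1.1 for mobile 1d:00:00:00:00:00 receiveId = 0
Mon Aug 13 20:17:02 2011: Packet contains 2 AVPs:
Mon Aug 13 20:17:02 2011: AVP[01] Service-Type...........0x00000006 (6) (4 bytes)
Mon Aug 13 20:17:02 2011: AVP[02] Class.........
CISCOACS:000d1b9f/ac100128/acsserver (36 bytes)
"""
```

Running `administrative_accepts(SAMPLE)` returns `[("172.16.1.1", "Administrative")]`; any server that shows up here while the "Management" box was meant to be unchecked is the entry to fix.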

More Information

RADIUS Server Authentication of Management Users on Wireless LAN Controller (WLC) Configuration Example

Version history
Revision #: 2 of 2
Last update: 08-29-2017 07:04 AM