Doh!

Should have read till the end of the explanation.

I saw that IPX4 had configured the RADIUS server and in all of my testing until 
now I had always thought the Network User was required for any network 
authentication but I am completely wrong it seems and only the Network User 
option is required if you DON'T have it explicitly configured on the AAA server 
page.  Took it out and indeed EAP-TLS still works but if I change IPX1 to 
802.1x it doesn't even try to communicate.

Definitely learned something there.

Thanks Jason for that one.

Tim

From: Silverline,Tim
Sent: Wednesday, February 16, 2011 9:49 PM
To: [email protected]
Subject: LAB 4.6 Observation

Part of the IPX1 configuration states:  "Ensure that users won't be able to use 
RADIUS for authentication"

The DSG shows this is accomplished by simply not selecting RADIUS servers under 
the AAA policy within the IPX1 WLAN.

Just wanted to point out that this is not actually a valid method of ensuring 
RADIUS is not used on Cisco's controllers.

Something that has been frustrating to me about WLCs for quite some time - even 
if no RADIUS servers are selected within a particular WLAN - the controller 
will still attempt to authenticate to a RADIUS server from the authentication 
servers listed under the security tab.

The only way to actually prevent this is by removing every single RADIUS server 
from the controller thereby disabling RADIUS authentication entirely.

I do not believe this has been fixed even in the latest versions of code 
(though I have not tested on 7.x and later).

Tim Silverline, CCIE #18490, CISSP
World Wide Technology, Inc.
Consulting Systems Engineer
Mobile: 415.596.2160 E-mail: [email protected]

_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit 
www.ipexpert.com
