Thanks Dominic.  I sent a follow-up email shortly after this pointing out my 
oversight as I read the final solution.

I was very quick to react (in poor judgment apparently) since this specific 
issue has bothered and puzzled me for quite some time.  In fact I brought it up 
in a CCIE wireless bootcamp I recently attended (I won't name the vendor 
because the class was a large disappointment) and many other locations 
including several Cisco wireless sessions and was never once provided this 
guidance.

I am very grateful to have learned this new detail and happy that Jason 
included it in this workbook.

Tim

From: Stalder Dominic [mailto:[email protected]]
Sent: Wednesday, February 16, 2011 11:14 PM
To: Silverline,Tim; [email protected]
Subject: Re: [CCIE Wireless] LAB 4.6 Observation

Hi Tim

You are absolutely right concerning the fact that the WLC uses RADIUS if a 
server is configured globally, even if it is not specified under security in 
the WLAN profile. But the solution for IPX1 is correct in the DSG, because of 
this statement:

"To ensure that users on IPX1 are not authenticated via RADIUS, make sure that 
the "Network" (User) box is unchecked for the RADIUS server"

You don't need to completely disable the RADIUS server; you can just disable 
the user authentication, so you are still able to authenticate management 
users, as an example. See attached screenshot.

Regards
Dominic

________________________________
From: "Silverline,Tim" <[email protected]>
Date: Wed, 16 Feb 2011 23:49:12 -0600
To: "[email protected]" <[email protected]>
Subject: [CCIE Wireless] LAB 4.6 Observation

Part of the IPX1 configuration states:  "Ensure that users won't be able to use 
RADIUS for authentication"

The DSG shows this is accomplished by simply not selecting RADIUS servers under 
the AAA policy within the IPX1 WLAN.

Just wanted to point out that this is not actually a valid method of ensuring 
RADIUS is not used on Cisco's controllers.

Something that has been frustrating to me about WLCs for quite some time - even 
if no RADIUS servers are selected within a particular WLAN - the controller 
will still attempt to authenticate to a RADIUS server from the authentication 
servers listed under the security tab.

The only way to actually prevent this is by removing every single RADIUS server 
from the controller thereby disabling RADIUS authentication entirely.

I do not believe this has been fixed even in the latest versions of code 
(though I have not tested on 7.x and later).


________________________________
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit 
www.ipexpert.com<http://www.ipexpert.com>