I should add to this (written after taking a red-eye flight). I was bothered by how I thought that the network user parameter worked, not by anyone. And, someone was kind enough to point out the purpose of the network user parameter to me.
Now, there is a scenario (at least one) which does require that the network user parameter be checked. If you are authenticating APs to WLC using a RADIUS server, you must select it. That can cause complications if there are requirements for Local EAP, but it can be worked around :)

Jason Boyers - CCIE #26024 (Wireless)
Technical Instructor - IPexpert, Inc.
Mailto: *[email protected]*

On Thu, Feb 17, 2011 at 6:02 AM, Jason Boyers <[email protected]> wrote:

> Glad it was helpful to you :). That had bothered me as well, so you're not alone.
>
> Jason Boyers - CCIE #26024 (Wireless)
> Technical Instructor - IPexpert
> [email protected]
>
> On Feb 17, 2011, at 3:30 AM, "Silverline,Tim" <[email protected]> wrote:
>
> Thanks Dominic. I sent a follow up email shortly after this pointing out my oversight as I read the final solution.
>
> I was very quick to react (in poor judgment apparently) since this specific issue has bothered and puzzled me for quite some time. In fact I brought it up in a CCIE wireless bootcamp I recently attended (I won’t name the vendor because the class was a large disappointment) and many other locations including several Cisco wireless sessions and was never once provided this guidance.
>
> I am very grateful to have learned this new detail and happy that Jason included it in this workbook.
>
> Tim
>
> *From:* Stalder Dominic [mailto:[email protected]]
> *Sent:* Wednesday, February 16, 2011 11:14 PM
> *To:* Silverline,Tim; [email protected]
> *Subject:* Re: [CCIE Wireless] LAB 4.6 Observation
>
> Hi Tim
>
> You are absolutely right concerning the fact that the WLC uses RADIUS if a server is configured globally, even if it is not specified under security in the WLAN profile. But the solution for IPX1 is correct in the DSG, because of this statement:
>
> “To ensure that users on IPX1 are not authenticated via RADIUS, *make sure that the “Network” (User) box is unchecked for the RADIUS server*”
>
> You don’t need to completely disable the RADIUS server, you can just disable the user authentication, so you are still able to authenticate management users, as an example. See attached screenshot.
>
> Regards
> Dominic
>
> ------------------------------
>
> *From:* "Silverline,Tim" <[email protected]>
> *Date:* Wed, 16 Feb 2011 23:49:12 -0600
> *To:* "[email protected]" <[email protected]>
> *Subject:* [CCIE Wireless] LAB 4.6 Observation
>
> Part of the IPX1 configuration states: “Ensure that users won’t be able to use RADIUS for authentication”
>
> The DSG shows this is accomplished by simply not selecting RADIUS servers under the AAA policy within the IPX1 WLAN.
>
> Just wanted to point out that this is not actually a valid method of ensuring RADIUS is not used on Cisco’s controllers.
>
> Something that has been frustrating to me about WLCs for quite some time – even if no RADIUS servers are selected within a particular WLAN – the controller will still attempt to authenticate to a RADIUS server from the authentication servers listed under the security tab.
>
> The only way to actually prevent this is by removing every single RADIUS server from the controller thereby disabling RADIUS authentication entirely.
>
> I do not believe this has been fixed even in the latest versions of code (though I have not tested on 7.x and later).
>
> ------------------------------
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
