Jason keep up the good work .. We appreciate you man ...
George Stefanick

On Feb 17, 2011, at 7:32 PM, Jason Boyers <[email protected]> wrote:

> I should add to this (written after taking a red-eye flight.) I was bothered
> by how I thought that the network user parameter worked, not by anyone. And,
> someone was kind enough to point out the purpose of the network user
> parameter to me.
>
> Now, there is a scenario (at least one) which does require that the network
> user parameter be checked. If you are authenticating APs to WLC using a
> RADIUS server, you must select it. That can cause complications if there are
> requirements for Local EAP, but it can be worked around :)
>
> Jason Boyers - CCIE #26024 (Wireless)
> Technical Instructor - IPexpert, Inc.
> Mailto: [email protected]
>
> On Thu, Feb 17, 2011 at 6:02 AM, Jason Boyers <[email protected]> wrote:
> Glad it was helpful to you :). That had bothered me as well, so you're not
> alone.
>
> Jason Boyers - CCIE #26024 (Wireless)
> Technical Instructor - IPexpert
> [email protected]
>
> On Feb 17, 2011, at 3:30 AM, "Silverline,Tim" <[email protected]> wrote:
>
>> Thanks Dominic. I sent a follow-up email shortly after this pointing out my
>> oversight as I read the final solution.
>>
>> I was very quick to react (in poor judgment apparently) since this specific
>> issue has bothered and puzzled me for quite some time. In fact I brought it
>> up in a CCIE wireless bootcamp I recently attended (I won’t name the vendor
>> because the class was a large disappointment) and many other locations
>> including several Cisco wireless sessions and was never once provided this
>> guidance.
>>
>> I am very grateful to have learned this new detail and happy that Jason
>> included it in this workbook.
>>
>> Tim
>>
>> From: Stalder Dominic [mailto:[email protected]]
>> Sent: Wednesday, February 16, 2011 11:14 PM
>> To: Silverline,Tim; [email protected]
>> Subject: Re: [CCIE Wireless] LAB 4.6 Observation
>>
>> Hi Tim
>>
>> You are absolutely right concerning the fact that WLC uses RADIUS if a
>> server is configured globally, even if it is not specified under security in
>> the WLAN profile. But the solution for IPX1 is correct in the DSG, because
>> of this statement:
>>
>> “To ensure that users on IPX1 are not authenticated via RADIUS, make sure
>> that the “Network” (User) box is unchecked for the RADIUS server”
>>
>> You don’t need to completely disable the RADIUS server, you can just disable
>> the user authentication, so you are still able to authenticate management
>> users, as an example. See attached screenshot.
>>
>> Regards
>> Dominic
>>
>> From: "Silverline,Tim" <[email protected]>
>> Date: Wed, 16 Feb 2011 23:49:12 -0600
>> To: "[email protected]" <[email protected]>
>> Subject: [CCIE Wireless] LAB 4.6 Observation
>>
>> Part of the IPX1 configuration states: “Ensure that users won’t be able to
>> use RADIUS for authentication”
>>
>> The DSG shows this is accomplished by simply not selecting RADIUS servers
>> under the AAA policy within the IPX1 WLAN.
>>
>> Just wanted to point out that this is not actually a valid method of
>> ensuring RADIUS is not used on Cisco’s controllers.
>>
>> Something that has been frustrating to me about WLCs for quite some time –
>> even if no RADIUS servers are selected within a particular WLAN – the
>> controller will still attempt to authenticate to a RADIUS server from the
>> authentication servers listed under the security tab.
>>
>> The only way to actually prevent this is by removing every single RADIUS
>> server from the controller thereby disabling RADIUS authentication entirely.
>>
>> I do not believe this has been fixed even in the latest versions of code
>> (though I have not tested on 7.x and later).
>>
>> _______________________________________________
>> For more information regarding industry leading CCIE Lab training, please
>> visit www.ipexpert.com
