Also one thing to add here. Don't know if anyone mentioned it this time around.
If any of the RADIUS servers under Security have the network box checked and a
specific WLAN with one RADIUS server fails, the WLC will check all RADIUS
servers with the network box checked. So WLANs will be sharing stuff. If you
want to have control over this, disabling the network box as the default way of
doing it might be a good idea. Then a certain WLAN will only check the RADIUS
server defined under it, not all the global RADIUS servers.

regards. Kristjan
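Added illustration, not code from this thread or from Cisco: a small Python model of the server-selection order the posters describe, the kind of thing you would sketch to reason about a WLC design before touching the controller. Server names R1/R2/R3, WLAN names and the `response` values are constructed, and the model assumes exactly what the thread states: servers assigned under the WLAN are tried first, any global server with the Network User box checked is also eligible for that WLAN, an Access-Reject ends authentication, and local EAP is reached only when no RADIUS server answers.

```python
"""Toy model of WLC RADIUS / local-EAP selection order as described in the
thread.  Added illustration, not Cisco code: names are made up and the
'response' field stands in for what a real RADIUS server would answer."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class RadiusServer:
    name: str
    network_user: bool        # the "Network User" box on the global RADIUS server entry
    response: Optional[str]   # constructed answer: "accept", "reject", or None for a timeout


@dataclass
class Wlan:
    name: str
    servers: List[RadiusServer] = field(default_factory=list)  # servers assigned under the WLAN
    local_eap: bool = False                                    # local EAP profile attached?


def candidate_servers(wlan: Wlan, global_servers: List[RadiusServer]) -> List[RadiusServer]:
    """WLAN-assigned servers first; then, as the thread describes, every global
    server with Network User checked is also eligible for that WLAN."""
    ordered = list(wlan.servers)
    for srv in global_servers:
        if srv.network_user and srv not in ordered:
            ordered.append(srv)
    return ordered


def authenticate(wlan: Wlan, global_servers: List[RadiusServer]) -> Tuple[str, List[str]]:
    """Return (outcome, servers tried); outcome is accept, reject, local-eap or fail."""
    tried: List[str] = []
    for srv in candidate_servers(wlan, global_servers):
        tried.append(srv.name)
        if srv.response == "accept":
            return "accept", tried
        if srv.response == "reject":
            # An Access-Reject is final: the controller does not fall through to local EAP
            return "reject", tried
        # None: the server timed out, so the next candidate is tried
    # No RADIUS server answered (all timed out, or none was eligible for this WLAN)
    if wlan.local_eap:
        return "local-eap", tried
    return "fail", tried


def run_lab() -> Dict[str, Tuple[str, List[str]]]:
    """Four constructed scenarios covering the cases the thread argues about."""
    r1 = RadiusServer("R1", network_user=True, response=None)      # times out
    r2 = RadiusServer("R2", network_user=True, response="accept")
    r3 = RadiusServer("R3", network_user=False, response="reject")
    return {
        # WLAN-assigned R1 times out; R2 is global with Network User checked,
        # so the WLAN silently shares it (Kristjan's point)
        "shared_global": authenticate(Wlan("corp", [r1], local_eap=True), [r1, r2]),
        # Network User unchecked on every global server: only R1 is tried,
        # then the controller falls to local EAP
        "wlan_only": authenticate(
            Wlan("corp", [RadiusServer("R1", False, None)], local_eap=True),
            [RadiusServer("R2", False, "accept")]),
        # A reject from any RADIUS server ends it; local EAP is not consulted (Victor's test)
        "reject_is_final": authenticate(Wlan("guest", [r3], local_eap=True), []),
        # No RADIUS server at all: local EAP is used (the page 5-23 wording)
        "no_radius": authenticate(Wlan("lab", [], local_eap=True), []),
    }


if __name__ == "__main__":
    for case, (outcome, tried) in run_lab().items():
        print(f"{case:16s} -> {outcome:10s} tried={tried}")
```

The `wlan_only` case is the default Kristjan suggests; the `shared_global` case is what happens when the box stays checked. Victor's caveat still applies: AP authorization against AAA needs Network User checked, so clearing it everywhere trades one behaviour for another. Management-user and web-auth order, where Victor notes the local database is asked first, are outside this model.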

-----Original Message-----
From: [email protected] 
[mailto:[email protected]] On Behalf Of 
[email protected]
Sent: 30. júní 2011 07:21
To: [email protected]
Subject: CCIE_Wireless Digest, Vol 27, Issue 46

Today's Topics:

   1. Re: 802.1x Authentication sequence (Leigh Jewell)
   2. Re: 802.1x Authentication sequence (Victor Platov (viplatov))
   3. Re: Second attempt, Possibly fail :( (Stefan Angerer)


----------------------------------------------------------------------

Message: 1
Date: Thu, 30 Jun 2011 14:22:38 +1000
From: Leigh Jewell <[email protected]>
To: "Victor Platov (viplatov)" <[email protected]>
Cc: [email protected]
Subject: Re: [OSL | CCIE_Wireless] 802.1x Authentication sequence
Message-ID: <[email protected]>
Content-Type: text/plain; charset="windows-1252"

Hi Victor,

The first paragraph is talking about the local database and the second
paragraph is talking about local EAP. The key difference here is the local
database is checked even if the Radius server doesn't have an entry for the
users. With Local-EAP, if the Radius server responds (regardless if the user
exists or not) then it is *never* checked.

Cheers,
Leigh



On 29 June 2011 23:15, Victor Platov (viplatov) <[email protected]> wrote:

> Hi team,
>
> The 4.2 configuration guide says:
>
> "The controller passes client information to the RADIUS authentication
> server first. If the client information does not match a RADIUS database
> entry, the local user database is polled. Clients located in this database
> are granted access to network services if the RADIUS authentication fails or
> does not exist." (page 5-15)
>
> But below on page 5-23 we can read different info:
>
> "If any RADIUS servers are configured on the controller, the controller
> tries to authenticate the wireless clients using the RADIUS servers first.
> Local EAP is attempted only if no RADIUS servers are found, either because
> the RADIUS servers timed out or no RADIUS servers were configured."
> (page 5-23)
>
> I've tried it and found out that the second sentence is more accurate: if
> RADIUS authentication returns Access-Reject, no other actions are performed!
>
> What does that mean?
>
> That means we cannot simultaneously use Local EAP authentication for
> wireless clients and authorize APs against AAA! For local EAP we should
> uncheck "network user" in the RADIUS configuration, but for AP
> authorization we should check it!
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
>
> Are you a CCNP or CCIE and looking for a job? Check out
> www.PlatinumPlacement.com


-- 
CCIE Blog - http://leigh-cciewireless.blogspot.com/

------------------------------

Message: 2
Date: Thu, 30 Jun 2011 08:46:40 +0200
From: "Victor Platov (viplatov)" <[email protected]>
To: "Leigh Jewell" <[email protected]>
Cc: [email protected]
Subject: Re: [OSL | CCIE_Wireless] 802.1x Authentication sequence
Message-ID:
        <[email protected]>
Content-Type: text/plain; charset="us-ascii"

Hi Leigh,

This doesn't make sense to me, because the local user database can be used
for the following tasks:

1. Management user authentication: the local db is always asked first,
   RADIUS or TACACS second;

2. Network user authentication: there are two options

   a. Web auth: the local db is always asked first

   b. EAP auth: RADIUS is always asked first, then if RADIUS is not
      online the local db is used

So in my opinion the only case where your correction can make sense is AP
authorization...

Actually my question was: am I correct that we cannot simultaneously
enable AP AAA authorization and use local EAP on the same controller?

------------------------------

Message: 3
Date: Thu, 30 Jun 2011 07:20:04 +0000
From: Stefan Angerer <[email protected]>
To: Chad Teal <[email protected]>
Cc: Raul Manzano <[email protected]>,
        "[email protected]"
        <[email protected]>
Subject: Re: [OSL | CCIE_Wireless] Second attempt, Possibly fail :(
Message-ID: <4D91831EDC64C8438174B1FBB00137269F3A0EAD@srvgraz07>
Content-Type: text/plain; charset="iso-8859-1"

Perfectly said, Chad :)!!


Stefan
CCIE #28054 (Wireless)

On Wed, Jun 29, 2011 at 4:15 PM, Chad Teal <[email protected]> wrote:
You didn't fail.  You just didn't pass this time. Stay at it. We will get
through it together.
On Wed, Jun 29, 2011 at 1:41 PM, Raul Manzano <[email protected]> wrote:
Hi Guys.

I have just done my second lab attempt and really I'm disappointed with my
performance. First, I didn't finish on time and, obviously, I could not review
it. I'm angry because the exam was not too difficult (the first attempt seemed
simpler to me) but I failed in my strategy and it made me lose a lot of time.

Because there are no seats available before November the 18th, I will wait
for the new laboratory to ripen and while this is happening I will continue
working to improve my performance.

Thanks to all for your help, especially in the last month. I will rest for two
weeks and then keep studying in the background :-)

Best Regards.

--
CT

------------------------------

_______________________________________________
CCIE_Wireless mailing list
[email protected]
http://onlinestudylist.com/cgi-bin/mailman/listinfo/ccie_wireless


End of CCIE_Wireless Digest, Vol 27, Issue 46
*********************************************