Just to close this one out, you are both 100% correct. I am not sure why I thought having an authentication server checked for management users would also authenticate APs.

Just goes to show how important peer review is to keep you on track.

On 1 July 2011 23:45, Jason Boyers <[email protected]> wrote:

> Victor is correct if you are using an external RADIUS server for AP Authorization. In that case, the only way that the WLC knows which RADIUS server to use is to start with the first one that has "Network User" checked. Once that box is checked, WLANs will use it after any authentication servers that are specifically listed under the "AAA Servers" tab. In that case, Local EAP will only be used as it was originally intended - if all external RADIUS servers are unavailable. And then, it will check after 5 minutes (by default) to see if any are available again.
>
> If you are doing AP Authorization using only the local DB, then this is not an issue. If you use both the local and external RADIUS, local is checked first and then it goes to external, as Victor said. Also, the management user settings do not in any way impact this.
>
> Last, you can either use RADIUS or TACACS+ for management of a WLC - not both at the same time.
>
> Jason Boyers - CCIE #26024 (Wireless)
> Technical Instructor - IPexpert, Inc.
> Mailto: [email protected]
>
> On Fri, Jul 1, 2011 at 3:23 AM, Victor Platov (viplatov) <[email protected]> wrote:
>
>> That's not true. For AP AAA Authentication you have to check network user.
>>
>> From: Leigh Jewell [mailto:[email protected]]
>> Sent: Friday, July 01, 2011 9:17 AM
>> To: Victor Platov (viplatov)
>> Cc: [email protected]
>> Subject: Re: [OSL | CCIE_Wireless] 802.1x Authentication sequence
>>
>> If you un-check 'Network User' on the radius server you can authenticate with local-eap.
>>
>> AP AAA Authentication only needs 'Management' checked to authenticate users.
>>
>> So to answer your question yes you can AP AAA Authorize and Local EAP.
>>
>> On 30 June 2011 16:46, Victor Platov (viplatov) <[email protected]> wrote:
>>
>> Hi Leigh,
>>
>> This doesn't make sense to me because the local user database can be used for the following tasks:
>>
>> 1. Management user authentication: the local db is always asked first, radius or tacacs second;
>>
>> 2. Network user authentication: there are two options
>>
>> a. Web auth: local db always asked first
>>
>> b. Eap auth: radius always asked first, then if the radius is not online the local db is used
>>
>> So in my opinion the only case where your correction can make sense is APs authorization...
>>
>> Actually my question was: Am I correct that we can not simultaneously enable APs AAA authorization and use local EAP on the same controller?
>>
>> From: Leigh Jewell [mailto:[email protected]]
>> Sent: Thursday, June 30, 2011 8:23 AM
>> To: Victor Platov (viplatov)
>> Cc: [email protected]
>> Subject: Re: [OSL | CCIE_Wireless] 802.1x Authentication sequence
>>
>> Hi Victor,
>>
>> The first paragraph is talking about the local database and the second paragraph is talking about local EAP. The key difference here is the local database is checked even if the Radius server doesn't have an entry for the users. With Local-EAP, if the Radius server responds (regardless if the user exists or not) then it is *never* checked.
>>
>> Cheers,
>>
>> Leigh
>>
>> On 29 June 2011 23:15, Victor Platov (viplatov) <[email protected]> wrote:
>>
>> Hi team,
>>
>> 4.2 configuration guide says:
>>
>> "The controller passes client information to the RADIUS authentication server first. If the client information does not match a RADIUS database entry, the local user database is polled. Clients located in this database are granted access to network services if the RADIUS authentication fails or does not exist." (page 5-15)
>>
>> But below on page 5-23 we can read different info:
>>
>> "If any RADIUS servers are configured on the controller, the controller tries to authenticate the wireless clients using the RADIUS servers first. Local EAP is attempted only if no RADIUS servers are found, either because the RADIUS servers timed out or no RADIUS servers were configured." (page 5-23)
>>
>> I've tried it and found out that the second sentence is more accurate: if Radius authentication returns Access-reject, no other actions are performed!
>>
>> What does that mean?
>>
>> That means we can not simultaneously use Local EAP authentication for wireless clients and Authorize APs against AAA! For local EAP we should uncheck "network user" from RADIUS configuration but for APs authorization we should check it!
>>
>> --
>> CCIE Blog - http://leigh-cciewireless.blogspot.com/
>
> --
> CCIE Blog - http://leigh-cciewireless.blogspot.com/

--
CCIE Blog - http://leigh-cciewireless.blogspot.com/

_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com

Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
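As an added illustration (not part of the thread or of any Cisco code), a small Python model of the selection order Jason describes: a WLAN's own "AAA Servers" entries first, then global RADIUS servers with "Network User" checked, with Local EAP reached only when every candidate timed out and never on an Access-Reject; AP authorization checks the local DB before those same Network User servers. Server names, the `local_db` entries and the per-server verdicts are constructed test values, not real configuration.

```python
from dataclasses import dataclass, field


@dataclass
class RadiusServer:
    name: str
    network_user: bool = False  # the "Network User" checkbox on the RADIUS server
    reachable: bool = True      # False models a timed-out (marked down) server
    verdict: str = "reject"     # constructed reply for the test credential: accept/reject


@dataclass
class Wlc:
    servers: list                                     # global RADIUS list, configured order
    wlan_servers: list = field(default_factory=list)  # servers on the WLAN's "AAA Servers" tab
    local_eap: bool = False
    local_db: set = field(default_factory=set)        # local net users and authorized AP MACs


def client_8021x_auth(wlc, user):
    """Return (sources consulted, result) for a wireless client 802.1X attempt."""
    trail = []
    candidates = wlc.wlan_servers + [
        s for s in wlc.servers if s.network_user and s not in wlc.wlan_servers]
    for s in candidates:
        if not s.reachable:
            trail.append(f"{s.name}:timeout")
            continue
        trail.append(f"{s.name}:{s.verdict}")
        return trail, s.verdict          # any reply, even Access-Reject, ends the attempt
    if wlc.local_eap:                    # reached only when no RADIUS server answered
        trail.append("local-eap")
        return trail, "accept" if user in wlc.local_db else "reject"
    return trail, "reject"


def ap_authorization(wlc, ap_mac):
    """AP authorization: local DB first, then RADIUS servers with Network User checked."""
    trail = ["local-db"]
    if ap_mac in wlc.local_db:
        return trail, "accept"
    for s in (s for s in wlc.servers if s.network_user):
        if not s.reachable:
            trail.append(f"{s.name}:timeout")
            continue
        trail.append(f"{s.name}:{s.verdict}")
        return trail, s.verdict
    return trail, "reject"
```

With "Network User" checked so that AP authorization can reach RADIUS, a client present only in the local DB is rejected as soon as the server answers; clearing the box lets Local EAP serve the client but leaves AP authorization with only the local DB.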
