Your understanding is correct.  Local EAP was designed to be a fallback
system, not a primary authentication system.  So, if you need to do both
Local EAP and AP Authorization, you would need to use the local AP
Authorization list on the WLC.

 

 

Jason Boyers - CCIE #26024 (Wireless)

Technical Instructor - IPexpert, Inc.
Mailto: [email protected]

 

From: Stalder Dominic [mailto:[email protected]] 
Sent: Thursday, August 18, 2011 5:03 AM
To: [email protected]; Jason Boyers
Subject: Re: [OSL | CCIE_Wireless] 802.1x Authentication sequence

 

Hi Jason

I would like to come back to this thread. If I want to have LAPs
authenticated against an external RADIUS server (e.g. ACS), in my
experience I have to enable "Network User" and not, as Leigh said,
"Management". Is that correct?

What if I have to do local EAP for a WLAN and LAP AAA to an external RADIUS
server? Then I would need to enable "Network User" for the configured RADIUS
server, and then I am not able to authenticate the WLAN users via local EAP?

Any feedback on that?

Best regards
Dominic



  _____  

From: Jason Boyers <[email protected]>
Date: Fri, 1 Jul 2011 09:45:45 -0400
To: "Victor Platov (viplatov)" <[email protected]>
Cc: <[email protected]>
Subject: Re: [OSL | CCIE_Wireless] 802.1x Authentication sequence

Victor is correct if you are using an external RADIUS server for AP
Authorization.  In that case, the only way that the WLC knows which RADIUS
server to use is to start with the first one that has "Network User"
checked.  Once that box is checked, WLANs will use it after any
authentication servers that are specifically listed under the "AAA Servers"
tab.  In that case, Local EAP will only be used as it was originally
intended - if all external RADIUS servers are unavailable.  And then, it
will check after 5 minutes (by default) to see if any are available again.
 
If you are doing AP Authorization using only the local DB, then this is not
an issue.  If you use both the local and external RADIUS, local is checked
first and then it goes to external, as Victor said.  Also, the management
user settings do not in any way impact this.
 
Last, you can either use RADIUS or TACACS+ for management of a WLC - not
both at the same time.
 
 
Jason Boyers - CCIE #26024 (Wireless)
Technical Instructor - IPexpert, Inc.
Mailto: [email protected]
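The selection order Jason describes above, as an added Python model that is not code from the list, Cisco or any WLC: WLAN-specific AAA servers are tried first, then global servers with "Network User" checked; an Access-Reject ends processing, only a timeout moves on, and Local EAP is reached only when every candidate timed out, with a timed-out server skipped for the default 5 minutes. The server names and the `reply` field that scripts each server's answer are constructed assumptions for the simulation.

```python
from dataclasses import dataclass
from enum import Enum


class Reply(Enum):
    ACCEPT = "accept"
    REJECT = "reject"
    TIMEOUT = "timeout"


@dataclass(eq=False)
class RadiusServer:
    name: str
    network_user: bool        # the "Network User" checkbox on the WLC
    reply: Reply              # constructed: how this server answers in the simulation
    down_until: float = 0.0   # simulated clock value until which the WLC skips it


RETRY_AFTER = 300.0  # the WLC re-checks a dead server after 5 minutes by default


def candidate_servers(wlan_servers, global_servers):
    """Order the WLC walks: WLAN 'AAA Servers' tab first, then global servers
    with Network User checked; a server listed in both is tried once."""
    ordered = list(wlan_servers)
    for srv in global_servers:
        if srv.network_user and srv not in ordered:
            ordered.append(srv)
    return ordered


def authenticate(wlan_servers, global_servers, local_eap_enabled, now):
    """Return (outcome, server_name). RADIUS accept/reject is final; Local EAP
    is consulted only when no reachable RADIUS server answered at all."""
    for srv in candidate_servers(wlan_servers, global_servers):
        if srv.down_until > now:
            continue                       # still marked dead, not retried yet
        if srv.reply is Reply.TIMEOUT:
            srv.down_until = now + RETRY_AFTER
            continue                       # try the next server in order
        return (srv.reply.value, srv.name)  # Access-Accept or Access-Reject ends it
    if local_eap_enabled:
        return ("local-eap", "wlc")
    return ("fail", None)


def ap_authorization_server(global_servers):
    """AP authorization uses the first global server with Network User checked;
    None means the WLC falls back to its local AP authorization list."""
    return next((s.name for s in global_servers if s.network_user), None)
```

The model shows why checking "Network User" for AP authorization also pulls that server into the WLAN order: a reject from it then blocks Local EAP.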



On Fri, Jul 1, 2011 at 3:23 AM, Victor Platov (viplatov)
<[email protected]> wrote:

That's not true. For AP AAA Authentication you have to check network user.
 

From: Leigh Jewell [mailto:[email protected]] 
Sent: Friday, July 01, 2011 9:17 AM

To: Victor Platov (viplatov)
Cc: [email protected]
Subject: Re: [OSL | CCIE_Wireless] 802.1x Authentication sequence
 
If you un-check 'Network User' on the radius server you can authenticate
with local-eap.

AP AAA Authentication only needs 'Management' checked to authenticate users

So to answer your question yes you can AP AAA Authorize and Local EAP.

On 30 June 2011 16:46, Victor Platov (viplatov) <[email protected]> wrote:

Hi Leigh,
 
This doesn't make sense to me, because the local user database can be used
for the following tasks:

1. Management user authentication: the local DB is always asked first,
RADIUS or TACACS+ second;

2. Network user authentication: there are two options

a. Web auth: the local DB is always asked first

b. EAP auth: RADIUS is always asked first, then if the RADIUS server is not
online the local DB is used

 

So in my opinion the only case where your correction can make sense is AP
authorization.
 
 
Actually my question was: am I correct that we cannot simultaneously enable
AP AAA authorization and use local EAP on the same controller?
 

From: Leigh Jewell [mailto:[email protected]] 
Sent: Thursday, June 30, 2011 8:23 AM
To: Victor Platov (viplatov)
Cc: [email protected]
Subject: Re: [OSL | CCIE_Wireless] 802.1x Authentication sequence


Hi Victor,

 

The first paragraph is talking about the local database and the second
paragraph is talking about local EAP. The key difference here is the local
database is checked even if the Radius server doesn't have an entry for the
users. With Local-EAP, if the Radius server responds (regardless if the user
exists or not) then it is never checked.

 

Cheers,

Leigh

 


 

On 29 June 2011 23:15, Victor Platov (viplatov) <[email protected]> wrote:

Hi team,
 
4.2 configuration guide says:
 
"The controller passes client information to the RADIUS authentication
server first. If the client information does not match a RADIUS database
entry, the local user database is polled. Clients located in this database
are granted access to network services if the RADIUS authentication fails or
does not exist." (page 5-15).
 
But below on page 5-23 we can read different info: 
 
"If any RADIUS servers are configured on the controller, the controller
tries to authenticate the wireless clients using the RADIUS servers first.
Local EAP is attempted only if no RADIUS servers are found, either because
the RADIUS servers timed out or no RADIUS servers were configured." (page
5-23)
 
I've tried it and found out that the second sentence is more accurate: if
RADIUS authentication returns an Access-Reject, no other actions are performed!
 
What does that mean? 
That means we cannot simultaneously use Local EAP authentication for
wireless clients and authorize APs against AAA! For local EAP we should
uncheck "Network User" in the RADIUS configuration, but for AP authorization
we should check it!
 
 
 

_______________________________________________
For more information regarding industry leading CCIE Lab training, please
visit www.ipexpert.com

Are you a CCNP or CCIE and looking for a job? Check out
www.PlatinumPlacement.com



-- 
CCIE Blog - http://leigh-cciewireless.blogspot.com/




 
