Hi all,

I'm trying to set up WLC authentication through RADIUS.
The authentication works successfully for a read-write user (admin), but I can't make it work for a read-only user... I can't find what is wrong in my configuration.

From Cisco documentation, an authorization profile must be configured:

Source: http://www.cisco.com/c/en/us/td/docs/wireless/controller/7-0/configuration/guide/c70/c70sol.html#wp1422107

Specify read-only or read-write access to controllers through RADIUS authentication, by setting the Service-Type attribute (006) to *Callback NAS Prompt* for read-only access or to *Administrative* for read-write privileges. If you do not set this attribute, the authentication process completes successfully (without an authorization error on the controller), but you might be prompted to authenticate again.

From the debug, I can't see what the difference is between the ro and rw access:

- *RW Access = OK - Service-Type 6 = Administrative*

*radiusTransportThread: May 15 17:30:35.293: 00:00:00:36:00:00 *Access-Accept received from RADIUS server* 10.35.122.29 for mobile 00:00:00:36:00:00 receiveId = 0
*radiusTransportThread: May 15 17:30:35.293: AuthorizationResponse: 0x13c73d50
*radiusTransportThread: May 15 17:30:35.293: resultCode...................................0
*radiusTransportThread: May 15 17:30:35.293: protocolUsed.................................0x00000001
*radiusTransportThread: May 15 17:30:35.293: Packet contains 3 AVPs:
*radiusTransportThread: May 15 17:30:35.293: AVP[01] User-Name................................wlc-admin2 (10 bytes)
*radiusTransportThread: May 15 17:30:35.293: AVP[02] *Service-Type.............................0x00000006 (6) (4 bytes)*
*radiusTransportThread: May 15 17:30:35.293: AVP[03] Class....................................CACS:CCIEW-ACS/188401509/4628 (29 bytes)
*emWeb: May 15 17:30:35.294: *Authentication succeeded for wlc-admin2*

- *RO Access = NOK - Service-Type 9 = Callback NAS Prompt*

*radiusTransportThread: May 15 17:29:19.185: 00:00:00:35:00:00 *Access-Accept received from RADIUS server* 10.35.122.29 for mobile 00:00:00:35:00:00 receiveId = 0
*radiusTransportThread: May 15 17:29:19.185: AuthorizationResponse: 0x13c73d50
*radiusTransportThread: May 15 17:29:19.185: structureSize................................125
*radiusTransportThread: May 15 17:29:19.185: resultCode...................................0
*radiusTransportThread: May 15 17:29:19.185: protocolUsed.................................0x00000001
*radiusTransportThread: May 15 17:29:19.185: proxyState...................................00:00:00:35:00:00-00:00
*radiusTransportThread: May 15 17:29:19.185: Packet contains 3 AVPs:
*radiusTransportThread: May 15 17:29:19.185: AVP[01] User-Name................................wlc-exploit2 (12 bytes)
*radiusTransportThread: May 15 17:29:19.185: AVP[02] *Service-Type.............................0x00000009 (9) (4 bytes)*
*radiusTransportThread: May 15 17:29:19.185: AVP[03] Class....................................CACS:CCIEW-ACS/188401509/4627 (29 bytes)
*emWeb: May 15 17:29:19.186: *Authentication failed for wlc-exploit2, Service Type: 9*
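Added example (not part of the original post and not Cisco code): a small Python parser for debug output in the format pasted above, pairing the Service-Type returned in each Access-Accept with the emWeb login result. The sample lines are constructed from that format, and the value names are the Service-Type values defined in RFC 2865.

```python
import re

# RFC 2865 Service-Type (attribute 6) values.
SERVICE_TYPES = {1: "Login", 2: "Framed", 3: "Callback Login", 4: "Callback Framed",
                 5: "Outbound", 6: "Administrative", 7: "NAS Prompt",
                 8: "Authenticate Only", 9: "Callback NAS Prompt",
                 10: "Call Check", 11: "Callback Administrative"}

# Constructed sample, shortened from the debug format shown in the post.
SAMPLE = """\
*radiusTransportThread: May 15 17:30:35.293: 00:00:00:36:00:00 Access-Accept received from RADIUS server 10.35.122.29 for mobile 00:00:00:36:00:00 receiveId = 0
*radiusTransportThread: May 15 17:30:35.293: AVP[01] User-Name................................wlc-admin2 (10 bytes)
*radiusTransportThread: May 15 17:30:35.293: AVP[02] Service-Type.............................0x00000006 (6) (4 bytes)
*emWeb: May 15 17:30:35.294: Authentication succeeded for wlc-admin2
*radiusTransportThread: May 15 17:29:19.185: 00:00:00:35:00:00 Access-Accept received from RADIUS server 10.35.122.29 for mobile 00:00:00:35:00:00 receiveId = 0
*radiusTransportThread: May 15 17:29:19.185: AVP[01] User-Name................................wlc-exploit2 (12 bytes)
*radiusTransportThread: May 15 17:29:19.185: AVP[02] *Service-Type.............................0x00000009 (9) (4 bytes)*
*emWeb: May 15 17:29:19.186: *Authentication failed for wlc-exploit2, Service Type: 9*
"""

AVP = re.compile(r"AVP\[\d+\]\s+([\w-]+?)\.{2,}(.+?)\s+\(\d+ bytes\)")
RESULT = re.compile(r"emWeb: .*?Authentication (succeeded|failed) for ([^\s,]+)")

def summarize(debug_text):
    """Return one record per Access-Accept: user, Service-Type and login result."""
    sessions = []
    for raw in debug_text.splitlines():
        line = raw.replace("*", "")  # drop line prefix and pasted emphasis markers
        if "Access-Accept received" in line:
            sessions.append({"user": None, "service_type": None, "result": None})
        elif sessions and (m := AVP.search(line)):
            name, value = m.groups()
            if name == "User-Name":
                sessions[-1]["user"] = value
            elif name == "Service-Type":
                sessions[-1]["service_type"] = int(value.split()[0], 16)
        elif m := RESULT.search(line):
            # Attach the result to the latest unresolved session for that user.
            for s in reversed(sessions):
                if s["user"] == m.group(2) and s["result"] is None:
                    s["result"] = m.group(1)
                    break
    for s in sessions:
        s["service_type_name"] = SERVICE_TYPES.get(s["service_type"], "unknown")
    return sessions

if __name__ == "__main__":
    for s in summarize(SAMPLE):
        print(s["user"], s["service_type"], s["service_type_name"], s["result"])
```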
