Ok, I found this in another section of the documentation:

*Note* To create a read-only controller user on the RADIUS server, you must
set the service type to NAS Prompt instead of Callback NAS Prompt. If you
set the service type to Callback NAS Prompt, the user authentication fails,
while setting it to NAS Prompt gives the user read-only access to the
controller.
Also, the Callback Administrative service type gives the user the lobby
ambassador privileges to the controller.

and guess what, it worked!

2014-05-15 17:46 GMT+02:00 Andre Aubet <[email protected]>:

> Hi all,
>
> I'm trying to setup WLC authentication through RADIUS.
>
> The authentication works successfully for a read-write user (admin), but I
> can't make it work for a read-only user...
>
> I can't find what is wrong in my configuration.
>
> From Cisco documentation, an authorization profile must be configured:
>
> Source:
> http://www.cisco.com/c/en/us/td/docs/wireless/controller/7-0/configuration/guide/c70/c70sol.html#wp1422107
> Specify read-only or read-write access to controllers through RADIUS
> authentication, by setting the Service-Type attribute (006) to *Callback
> NAS Prompt* for read-only access or to *Administrative* for read-write
> privileges. If you do not set this attribute, the authentication process
> completes successfully (without an authorization error on the controller),
> but you might be prompted to authenticate again.
>
>
> From the debug, I can't see what is the difference between the ro and rw
> access:
>
>
>    - *RW Access = OK - Service-Type 6 = Administrative*
>
> *radiusTransportThread: May 15 17:30:35.293: 00:00:00:36:00:00 *Access-Accept
> received from RADIUS server* 10.35.122.29 for mobile 00:00:00:36:00:00
> receiveId = 0
> *radiusTransportThread: May 15 17:30:35.293: AuthorizationResponse:
> 0x13c73d50
> *radiusTransportThread: May 15 17:30:35.293:
>  resultCode...................................0
> *radiusTransportThread: May 15 17:30:35.293:
>  protocolUsed.................................0x00000001
> *radiusTransportThread: May 15 17:30:35.293:    Packet contains 3 AVPs:
> *radiusTransportThread: May 15 17:30:35.293:        AVP[01]
> User-Name................................wlc-admin2 (10 bytes)
> *radiusTransportThread: May 15 17:30:35.293:        AVP[02] 
> *Service-Type.............................0x00000006
> (6) (4 bytes)*
> *radiusTransportThread: May 15 17:30:35.293:        AVP[03]
> Class....................................CACS:CCIEW-ACS/188401509/4628 (29
> bytes)
> *emWeb: May 15 17:30:35.294: *Authentication succeeded for wlc-admin2*
>
>
>    - *RO Access = NOK - Service-Type 9 = Callback NAS Prompt*
>
> *radiusTransportThread: May 15 17:29:19.185: 00:00:00:35:00:00 *Access-Accept
> received from RADIUS server* 10.35.122.29 for mobile 00:00:00:35:00:00
> receiveId = 0
> *radiusTransportThread: May 15 17:29:19.185: AuthorizationResponse:
> 0x13c73d50
> *radiusTransportThread: May 15 17:29:19.185:
>  structureSize................................125
> *radiusTransportThread: May 15 17:29:19.185:
>  resultCode...................................0
> *radiusTransportThread: May 15 17:29:19.185:
>  protocolUsed.................................0x00000001
> *radiusTransportThread: May 15 17:29:19.185:
>  proxyState...................................00:00:00:35:00:00-00:00
> *radiusTransportThread: May 15 17:29:19.185:    Packet contains 3 AVPs:
> *radiusTransportThread: May 15 17:29:19.185:        AVP[01]
> User-Name................................wlc-exploit2 (12 bytes)
> *radiusTransportThread: May 15 17:29:19.185:        AVP[02] 
> *Service-Type.............................0x00000009
> (9) (4 bytes)*
> *radiusTransportThread: May 15 17:29:19.185:        AVP[03]
> Class....................................CACS:CCIEW-ACS/188401509/4627 (29
> bytes)
> *emWeb: May 15 17:29:19.186: *Authentication failed for wlc-exploit2,
> Service Type: 9*
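The two debug captures above differ only in the Service-Type AVP, and the documentation note in the reply explains what each value buys on the controller. The following Python script is an added example (not from either post, not Cisco code): it parses a WLC `debug aaa` Access-Accept dump, extracts the AVPs, and reports the privilege the controller will grant, so a reviewer can spot a RADIUS profile that will fail on the WLC before a user tries it. The value names are the standard RFC 2865 Service-Type names; the outcome table is taken from the documentation quoted in the thread; the first two sample dumps are condensed from the thread's own debug output and the third is constructed to show the working read-only case.

```python
import re
from typing import Dict, Optional

# Standard RFC 2865 Service-Type values.
SERVICE_TYPE_NAMES = {
    1: "Login-User", 2: "Framed-User", 3: "Callback-Login-User",
    4: "Callback-Framed-User", 5: "Outbound-User", 6: "Administrative-User",
    7: "NAS-Prompt-User", 8: "Authenticate-Only", 9: "Callback-NAS-Prompt",
    10: "Call-Check", 11: "Callback-Administrative",
}

# What the WLC does with each value, per the documentation note quoted in the thread.
WLC_OUTCOME = {
    6: "read-write",
    7: "read-only",
    11: "lobby-ambassador",
    9: "authentication fails",
}

AVP_RE = re.compile(r"AVP\[\d+\]\s*([A-Za-z-]+)\.{2,}\s*(.*?)\s*\(\d+ bytes\)")


def parse_avps(dump: str) -> Dict[str, str]:
    """Return {attribute: value} from a WLC Access-Accept debug dump.

    Lines are joined first so values that a mail client wrapped onto the next
    line are reassembled; '> ' quote prefixes and bold '*' markers are dropped.
    """
    text = " ".join(line.lstrip("> ").strip() for line in dump.splitlines())
    text = text.replace("*", "")
    return {name: value.strip() for name, value in AVP_RE.findall(text)}


def service_type(avps: Dict[str, str]) -> Optional[int]:
    """Decode the Service-Type AVP ('0x00000006 (6)') to an int, or None if absent."""
    raw = avps.get("Service-Type")
    return int(raw.split()[0], 16) if raw else None


def classify(dump: str) -> Dict[str, object]:
    """Summarise who was accepted and what access the controller will grant."""
    avps = parse_avps(dump)
    st = service_type(avps)
    if st is None:
        # Documented behaviour: login completes but the user may be prompted again.
        outcome = "no Service-Type: login completes, controller may re-prompt"
    else:
        outcome = WLC_OUTCOME.get(st, "no documented WLC management role")
    return {
        "user": avps.get("User-Name"),
        "service_type": st,
        "service_type_name": SERVICE_TYPE_NAMES.get(st, "unknown") if st else None,
        "wlc_outcome": outcome,
    }


# Sample dumps: the first two are condensed from the thread's debug output.
RW_DUMP = """\
*radiusTransportThread: May 15 17:30:35.293: 00:00:00:36:00:00 Access-Accept received from RADIUS server 10.35.122.29
*radiusTransportThread: May 15 17:30:35.293:    Packet contains 3 AVPs:
*radiusTransportThread: May 15 17:30:35.293:        AVP[01] User-Name................................wlc-admin2 (10 bytes)
*radiusTransportThread: May 15 17:30:35.293:        AVP[02] Service-Type.............................0x00000006 (6) (4 bytes)
*radiusTransportThread: May 15 17:30:35.293:        AVP[03] Class....................................CACS:CCIEW-ACS/188401509/4628 (29 bytes)
"""

RO_BROKEN_DUMP = """\
> *radiusTransportThread: May 15 17:29:19.185:    Packet contains 3 AVPs:
> *radiusTransportThread: May 15 17:29:19.185:        AVP[01]
> User-Name................................wlc-exploit2 (12 bytes)
> *radiusTransportThread: May 15 17:29:19.185:        AVP[02]
> *Service-Type.............................0x00000009
> (9) (4 bytes)*
"""

# Constructed: the same user with the RADIUS profile corrected to NAS Prompt (7).
RO_FIXED_DUMP = """\
*radiusTransportThread: May 15 17:50:01.000:    Packet contains 2 AVPs:
*radiusTransportThread: May 15 17:50:01.000:        AVP[01] User-Name................................wlc-exploit2 (12 bytes)
*radiusTransportThread: May 15 17:50:01.000:        AVP[02] Service-Type.............................0x00000007 (7) (4 bytes)
"""

if __name__ == "__main__":
    for label, dump in (("rw", RW_DUMP), ("ro-broken", RO_BROKEN_DUMP), ("ro-fixed", RO_FIXED_DUMP)):
        print(label, classify(dump))
```

The second sample is deliberately left in its mail-quoted, line-wrapped form so the parser demonstrates that it copes with dumps pasted from a thread like this one; on the controller itself the AVP lines arrive unwrapped.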