Great tip Jeff, thanks for sharing! I will try to remember it this way, this is not a big deal compared to the "16-hex-characters with 9 zeros" WLC ID to be used with DHCP option 82, or the RADIUS attribute used with autonomous AP management authentication!!!
Anyway, I have another question regarding the tools available during the lab. I know we have access to the online Cisco documentation. Can we use the search tool of the browser? I mean not the "Google"-like search, but only the browser search to look for specific words in a page.

2014-05-15 22:14 GMT+02:00 Jeff Rensink <[email protected]>:

> You got it figured out...
>
> Administrative is usually easy enough to remember for read-write. I remember read-only is NAS Prompt just because it's the next option below Administrative. So just know that read-only is right below read-write. That might be easier.
>
> Here's my silly way to remember Lobby = Callback Administrative
>
> Callback Administrative reminds me of an administrative assistant manning the phones, and it's the administrative assistant that's handing out guest user accounts. So they need Lobby access.
>
> Feel free to leverage my silly thought patterns if it helps.
>
> Regards,
>
> Jeff Rensink : Sr Instructor : iPexpert <http://www.ipexpert.com/>
> CCIE # 24834 :: Wireless / R&S
> :: World-Class Cisco Certification Training
> Direct: +1.810.326.1444
> :: Free Videos <http://www.youtube.com/ipexpertinc>
> :: Free Training / Product Offerings <http://www.facebook.com/ipexpert>
> :: CCIE Blog <http://blog.ipexpert.com/>
> :: Twitter <http://www.twitter.com/ipexpert>
>
> On Thu, May 15, 2014 at 8:57 AM, Andre Aubet <[email protected]> wrote:
>
>> Ok, I found this in another section of the documentation:
>>
>> *Note* To create a read-only controller user on the RADIUS server, you must set the service type to NAS prompt instead of Callback NAS prompt. If you set the service type to Callback NAS Prompt, the user authentication fails while setting it to NAS prompt gives the user read-only access to the controller.
>> Also, the Callback Administrative service type gives the user the lobby ambassador privileges to the controller.
>>
>> and guess what, it worked!
>>
>> 2014-05-15 17:46 GMT+02:00 Andre Aubet <[email protected]>:
>>
>>> Hi all,
>>>
>>> I'm trying to set up WLC authentication through RADIUS.
>>>
>>> The authentication works successfully for a read-write user (admin), but I can't make it work for a read-only user...
>>>
>>> I can't find what is wrong in my configuration.
>>>
>>> From Cisco documentation, an authorization profile must be configured:
>>>
>>> Source: http://www.cisco.com/c/en/us/td/docs/wireless/controller/7-0/configuration/guide/c70/c70sol.html#wp1422107
>>> Specify read-only or read-write access to controllers through RADIUS authentication, by setting the Service-Type attribute (006) to *Callback NAS Prompt* for read-only access or to *Administrative* for read-write privileges. If you do not set this attribute, the authentication process completes successfully (without an authorization error on the controller), but you might be prompted to authenticate again.
>>>
>>> From the debug, I can't see what is the difference between the ro and rw access:
>>>
>>> - *RW Access = OK - Service-Type 6 = Administrative*
>>>
>>> *radiusTransportThread: May 15 17:30:35.293: 00:00:00:36:00:00 *Access-Accept received from RADIUS server* 10.35.122.29 for mobile 00:00:00:36:00:00 receiveId = 0
>>> *radiusTransportThread: May 15 17:30:35.293: AuthorizationResponse: 0x13c73d50
>>> *radiusTransportThread: May 15 17:30:35.293: resultCode...................................0
>>> *radiusTransportThread: May 15 17:30:35.293: protocolUsed.................................0x00000001
>>> *radiusTransportThread: May 15 17:30:35.293: Packet contains 3 AVPs:
>>> *radiusTransportThread: May 15 17:30:35.293: AVP[01] User-Name................................wlc-admin2 (10 bytes)
>>> *radiusTransportThread: May 15 17:30:35.293: AVP[02] *Service-Type.............................0x00000006 (6) (4 bytes)*
>>> *radiusTransportThread: May 15 17:30:35.293: AVP[03] Class....................................CACS:CCIEW-ACS/188401509/4628 (29 bytes)
>>> *emWeb: May 15 17:30:35.294: *Authentication succeeded for wlc-admin2*
>>>
>>> - *RO Access = NOK - Service-Type 9 = Callback NAS Prompt*
>>>
>>> *radiusTransportThread: May 15 17:29:19.185: 00:00:00:35:00:00 *Access-Accept received from RADIUS server* 10.35.122.29 for mobile 00:00:00:35:00:00 receiveId = 0
>>> *radiusTransportThread: May 15 17:29:19.185: AuthorizationResponse: 0x13c73d50
>>> *radiusTransportThread: May 15 17:29:19.185: structureSize................................125
>>> *radiusTransportThread: May 15 17:29:19.185: resultCode...................................0
>>> *radiusTransportThread: May 15 17:29:19.185: protocolUsed.................................0x00000001
>>> *radiusTransportThread: May 15 17:29:19.185: proxyState...................................00:00:00:35:00:00-00:00
>>> *radiusTransportThread: May 15 17:29:19.185: Packet contains 3 AVPs:
>>> *radiusTransportThread: May 15 17:29:19.185: AVP[01] User-Name................................wlc-exploit2 (12 bytes)
>>> *radiusTransportThread: May 15 17:29:19.185: AVP[02] *Service-Type.............................0x00000009 (9) (4 bytes)*
>>> *radiusTransportThread: May 15 17:29:19.185: AVP[03] Class....................................CACS:CCIEW-ACS/188401509/4627 (29 bytes)
>>> *emWeb: May 15 17:29:19.186: *Authentication failed for wlc-exploit2, Service Type: 9*
>>
>> _______________________________________________
>> Free CCIE R&S, Collaboration, Data Center, Wireless & Security Videos ::
>> iPexpert on YouTube: www.youtube.com/ipexpertinc
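As an added example (not from the thread or from Cisco), a small Python check that pulls the Service-Type AVP out of WLC debug output like the excerpts above and states the management role the controller will grant. The numeric codes are the RFC 2865 Service-Type values (NAS Prompt = 7 is taken from the RFC, not from the thread); the WLC behaviour per code follows the Cisco note quoted in the thread, and the two debug excerpts are constructed from the ones posted.

```python
"""Decode the RADIUS Service-Type seen in a Cisco WLC 'debug aaa' trace and
report the management role the controller grants for it.
Codes: RFC 2865 Service-Type. WLC behaviour: Cisco note quoted in the thread
(Administrative = read-write, NAS Prompt = read-only, Callback NAS Prompt =
login fails, Callback Administrative = lobby ambassador)."""
import re

WLC_ROLE_BY_SERVICE_TYPE = {
    6: ("Administrative", "read-write"),
    7: ("NAS Prompt", "read-only"),
    9: ("Callback NAS Prompt", "authentication fails"),
    11: ("Callback Administrative", "lobby ambassador"),
}

# The WLC AVP dump prints the attribute name, dot padding, then a 32-bit hex value.
_SERVICE_TYPE_RE = re.compile(r"Service-Type\.+0x([0-9a-fA-F]{8})")
_USER_NAME_RE = re.compile(r"User-Name\.+(\S+)")

def parse_access_accept(debug_text):
    """Return (user_name, service_type) from a WLC debug excerpt, or None when
    the Access-Accept carried no Service-Type AVP."""
    st = _SERVICE_TYPE_RE.search(debug_text)
    if st is None:
        return None
    user = _USER_NAME_RE.search(debug_text)
    return (user.group(1) if user else None, int(st.group(1), 16))

def wlc_outcome(service_type):
    """Describe what the controller does with this Service-Type value."""
    if service_type in WLC_ROLE_BY_SERVICE_TYPE:
        name, result = WLC_ROLE_BY_SERVICE_TYPE[service_type]
        return f"Service-Type {service_type} ({name}): {result}"
    return f"Service-Type {service_type}: no WLC management role documented"

# Constructed excerpts modelled on the debug output posted in the thread
# (mail-client line wrapping and '>>>' quote markers removed).
RW_DEBUG = """\
*radiusTransportThread: May 15 17:30:35.293: AVP[01] User-Name................................wlc-admin2 (10 bytes)
*radiusTransportThread: May 15 17:30:35.293: AVP[02] Service-Type.............................0x00000006 (6) (4 bytes)
"""
RO_DEBUG = """\
*radiusTransportThread: May 15 17:29:19.185: AVP[01] User-Name................................wlc-exploit2 (12 bytes)
*radiusTransportThread: May 15 17:29:19.185: AVP[02] Service-Type.............................0x00000009 (9) (4 bytes)
"""

if __name__ == "__main__":
    for excerpt in (RW_DEBUG, RO_DEBUG):
        user, service_type = parse_access_accept(excerpt)
        print(f"{user}: {wlc_outcome(service_type)}")
```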
