Great tip Jeff, thanks for sharing! I will try to remember it this way,
this is not a big deal compared to the "16-hex-characters with 9 zeros" WLC
ID to be used with DHCP option 82, or the RADIUS attribute used with
autonomous AP management authentication!!!

Anyway, I have another question regarding the tools available during the
lab. I know we have access to the online Cisco documentation. Can we use
the search tool of the browser? I mean not the "Google"-like search, but
only the browser search to look for specific words in a page.


2014-05-15 22:14 GMT+02:00 Jeff Rensink <[email protected]>:

> You got it figured out...
>
> Administrative is usually easy enough to remember for read-write.  I
> remember read-only is NAS Prompt just because it's the next option below
> Administrative.  So just know that read-only is right below read-write.
>  That might be easier.
>
> Here's my silly way to remember Lobby = Callback Administrative
>
> Callback Administrative reminds me of an administrative assistant manning
> the phones, and it's the administrative assistant that's handing out guest
> user accounts.  So they need Lobby access.
>
> Feel free to leverage my silly thought patterns if it helps.
>
> Regards,
>
>
>
> Jeff Rensink : Sr Instructor : iPexpert <http://www.ipexpert.com/>
>
> CCIE # 24834 :: Wireless / R&S
>
> :: World-Class Cisco Certification Training
>
> Direct: +1.810.326.1444
>
> :: Free Videos <http://www.youtube.com/ipexpertinc>
>
> :: Free Training / Product Offerings <http://www.facebook.com/ipexpert>
>
> :: CCIE Blog <http://blog.ipexpert.com/>
> :: Twitter <http://www.twitter.com/ipexpert>
>
>
> On Thu, May 15, 2014 at 8:57 AM, Andre Aubet <[email protected]> wrote:
>
>> Ok, I found this in another section of the documentation:
>>
>> *Note* To create a read-only controller user on the RADIUS server, you
>> must set the service type to NAS prompt instead of Callback NAS prompt. If
>> you set the service type to Callback NAS Prompt, the user authentication
>> fails while setting it to NAS prompt gives the user read-only access to the
>> controller.
>> Also, the Callback Administrative service type gives the user the lobby
>> ambassador privileges to the controller.
>>
>> and guess what, it worked!
>>
>>
>> 2014-05-15 17:46 GMT+02:00 Andre Aubet <[email protected]>:
>>
>> Hi all,
>>>
>>> I'm trying to set up WLC authentication through RADIUS.
>>>
>>> The authentication works successfully for a read-write user (admin), but
>>> I can't make it work for a read-only user...
>>>
>>> I can't find what is wrong in my configuration.
>>>
>>> From Cisco documentation, an authorization profile must be configured:
>>>
>>> Source:
>>> http://www.cisco.com/c/en/us/td/docs/wireless/controller/7-0/configuration/guide/c70/c70sol.html#wp1422107
>>> Specify read-only or read-write access to controllers through RADIUS
>>> authentication, by setting the Service-Type attribute (006) to *Callback
>>> NAS Prompt* for read-only access or to *Administrative* for read-write
>>> privileges. If you do not set this attribute, the authentication process
>>> completes successfully (without an authorization error on the controller),
>>> but you might be prompted to authenticate again.
>>>
>>>
>>> From the debug, I can't see what the difference is between the ro and rw
>>> access:
>>>
>>>
>>>    - *RW Access = OK - Service-Type 6 = Administrative*
>>>
>>> *radiusTransportThread: May 15 17:30:35.293: 00:00:00:36:00:00 *Access-Accept received from RADIUS server* 10.35.122.29 for mobile 00:00:00:36:00:00 receiveId = 0
>>> *radiusTransportThread: May 15 17:30:35.293: AuthorizationResponse: 0x13c73d50
>>> *radiusTransportThread: May 15 17:30:35.293:  resultCode...................................0
>>> *radiusTransportThread: May 15 17:30:35.293:  protocolUsed.................................0x00000001
>>> *radiusTransportThread: May 15 17:30:35.293:    Packet contains 3 AVPs:
>>> *radiusTransportThread: May 15 17:30:35.293:        AVP[01] User-Name................................wlc-admin2 (10 bytes)
>>> *radiusTransportThread: May 15 17:30:35.293:        AVP[02] *Service-Type.............................0x00000006 (6) (4 bytes)*
>>> *radiusTransportThread: May 15 17:30:35.293:        AVP[03] Class....................................CACS:CCIEW-ACS/188401509/4628 (29 bytes)
>>> *emWeb: May 15 17:30:35.294: *Authentication succeeded for wlc-admin2*
>>>
>>>
>>>    - *RO Access = NOK - Service-Type 9 = Callback NAS Prompt*
>>>
>>> *radiusTransportThread: May 15 17:29:19.185: 00:00:00:35:00:00 *Access-Accept received from RADIUS server* 10.35.122.29 for mobile 00:00:00:35:00:00 receiveId = 0
>>> *radiusTransportThread: May 15 17:29:19.185: AuthorizationResponse: 0x13c73d50
>>> *radiusTransportThread: May 15 17:29:19.185:  structureSize................................125
>>> *radiusTransportThread: May 15 17:29:19.185:  resultCode...................................0
>>> *radiusTransportThread: May 15 17:29:19.185:  protocolUsed.................................0x00000001
>>> *radiusTransportThread: May 15 17:29:19.185:  proxyState...................................00:00:00:35:00:00-00:00
>>> *radiusTransportThread: May 15 17:29:19.185:    Packet contains 3 AVPs:
>>> *radiusTransportThread: May 15 17:29:19.185:        AVP[01] User-Name................................wlc-exploit2 (12 bytes)
>>> *radiusTransportThread: May 15 17:29:19.185:        AVP[02] *Service-Type.............................0x00000009 (9) (4 bytes)*
>>> *radiusTransportThread: May 15 17:29:19.185:        AVP[03] Class....................................CACS:CCIEW-ACS/188401509/4627 (29 bytes)
>>> *emWeb: May 15 17:29:19.186: *Authentication failed for wlc-exploit2, Service Type: 9*
>>>
>>>
>>>
>>>
>>>
>>
>> _______________________________________________
>> Free CCIE R&S, Collaboration, Data Center, Wireless & Security Videos ::
>>
>> iPexpert on YouTube: www.youtube.com/ipexpertinc
>>
>
>
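
Added example, not part of the original thread: a small audit of WLC AAA debug output that pulls the User-Name and Service-Type out of each Access-Accept and reports which management role the controller would grant, using the mapping worked out in the thread (6 = read-write, 7 = read-only, 11 = lobby ambassador). The function name `audit`, the verdict labels, the user names and the server address are assumptions made for this illustration; the sample debug text is constructed in the format shown above.

```python
import re

# Service-Type (RADIUS attribute 6) values from RFC 2865, mapped to the WLC
# management role the thread reports for each.
WLC_ROLE = {6: "read-write", 7: "read-only", 11: "lobby-ambassador"}

USER_RE = re.compile(r"User-Name\.+(\S+)")
TYPE_RE = re.compile(r"Service-Type\.+0x([0-9a-fA-F]+)")

# Constructed sample: mail-wrapped and quoted like the debug in the thread.
SAMPLE = """\
>>> *radiusTransportThread: May 15 17:30:35.293: *Access-Accept
>>> received from RADIUS server* 192.0.2.10 for mobile 00:00:00:36:00:00
>>> *radiusTransportThread: May 15 17:30:35.293:        AVP[01]
>>> User-Name................................rw-user (7 bytes)
>>> *radiusTransportThread: May 15 17:30:35.293:        AVP[02]
>>> *Service-Type.............................0x00000006
>>> (6) (4 bytes)*
*radiusTransportThread: May 15 17:29:19.185: Access-Accept received from RADIUS server 192.0.2.10
*radiusTransportThread: May 15 17:29:19.185:    AVP[01] User-Name.............ro-user (7 bytes)
*radiusTransportThread: May 15 17:29:19.185:    AVP[02] Service-Type..........0x00000009 (9) (4 bytes)
*radiusTransportThread: May 15 17:41:02.100: Access-Accept received from RADIUS server 192.0.2.10
*radiusTransportThread: May 15 17:41:02.100:    AVP[01] User-Name.............ro-user (7 bytes)
*radiusTransportThread: May 15 17:41:02.100:    AVP[02] Service-Type..........0x00000007 (7) (4 bytes)
"""

def audit(debug_text):
    """Return (user, service_type, verdict) for each Access-Accept in the debug."""
    # Mail clients add '>' quoting, '*' emphasis and hard wraps; undo all three.
    text = re.sub(r"(?m)^[>\s]+", "", debug_text).replace("*", " ")
    flat = " ".join(text.split())
    findings = []
    for packet in flat.split("Access-Accept")[1:]:
        user = USER_RE.search(packet)
        stype = TYPE_RE.search(packet)
        value = int(stype.group(1), 16) if stype else None
        if value is None:
            verdict = "missing"  # RADIUS server returned no Service-Type
        else:
            # Anything outside the map (e.g. 9, Callback NAS Prompt) gets no role.
            verdict = WLC_ROLE.get(value, "no-role")
        findings.append((user.group(1) if user else "?", value, verdict))
    return findings

if __name__ == "__main__":
    for user, value, verdict in audit(SAMPLE):
        print(f"{user:10} Service-Type={value} -> {verdict}")
```
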