I thought I remembered being able to do that. But some of my students put doubts in my head this week.
Anyone that has taken the lab recently know?

Regards,

Jeff Rensink : Sr Instructor : iPexpert <http://www.ipexpert.com/>
CCIE # 24834 :: Wireless / R&S
:: World-Class Cisco Certification Training
Direct: +1.810.326.1444
:: Free Videos <http://www.youtube.com/ipexpertinc>
:: Free Training / Product Offerings <http://www.facebook.com/ipexpert>
:: CCIE Blog <http://blog.ipexpert.com/>
:: Twitter <http://www.twitter.com/ipexpert>

On Thu, May 15, 2014 at 2:10 PM, Andre Aubet <[email protected]> wrote:

> Great tip Jeff, thanks for sharing! I will try to remember it this way,
> this is not a big deal compared to the "16-hex-characters with 9 zeros" WLC
> ID to be used with DHCP option 82, or the RADIUS attribute used with
> autonomous AP management authentication!!!
>
> Anyway, I have another question regarding the tools available during the
> lab. I know we have access to the online Cisco documentation. Can we use
> the search tool of the browser? I mean not the "Google"-like search, but
> only the browser search to look for specific words in a page.
>
> 2014-05-15 22:14 GMT+02:00 Jeff Rensink <[email protected]>:
>
>> You got it figured out...
>>
>> Administrative is usually easy enough to remember for read-write. I
>> remember read-only is NAS Prompt just because it's the next option below
>> Administrative. So just know that read-only is right below read-write.
>> That might be easier.
>>
>> Here's my silly way to remember Lobby = Callback Administrative
>>
>> Callback Administrative reminds me of an administrative assistant manning
>> the phones, and it's the administrative assistant that's handing out guest
>> user accounts. So they need Lobby access.
>>
>> Feel free to leverage my silly thought patterns if it helps.
>>
>> Regards,
>>
>> Jeff Rensink
>>
>> On Thu, May 15, 2014 at 8:57 AM, Andre Aubet <[email protected]> wrote:
>>
>>> Ok, I found this in another section of the documentation:
>>>
>>> *Note* To create a read-only controller user on the RADIUS server, you
>>> must set the service type to NAS prompt instead of Callback NAS prompt. If
>>> you set the service type to Callback NAS Prompt, the user authentication
>>> fails while setting it to NAS prompt gives the user read-only access to the
>>> controller.
>>> Also, the Callback Administrative service type gives the user the lobby
>>> ambassador privileges to the controller.
>>>
>>> and guess what, it worked!
>>>
>>> 2014-05-15 17:46 GMT+02:00 Andre Aubet <[email protected]>:
>>>
>>>> Hi all,
>>>>
>>>> I'm trying to set up WLC authentication through RADIUS.
>>>>
>>>> The authentication works successfully for a read-write user (admin),
>>>> but I can't make it work for a read-only user...
>>>>
>>>> I can't find what is wrong in my configuration.
>>>>
>>>> From Cisco documentation, an authorization profile must be configured:
>>>>
>>>> Source:
>>>> http://www.cisco.com/c/en/us/td/docs/wireless/controller/7-0/configuration/guide/c70/c70sol.html#wp1422107
>>>> Specify read-only or read-write access to controllers through RADIUS
>>>> authentication, by setting the Service-Type attribute (006) to *Callback
>>>> NAS Prompt* for read-only access or to *Administrative* for read-write
>>>> privileges. If you do not set this attribute, the authentication process
>>>> completes successfully (without an authorization error on the controller),
>>>> but you might be prompted to authenticate again.
>>>>
>>>> From the debug, I can't see what is the difference between the ro and
>>>> rw access:
>>>>
>>>> - *RW Access = OK - Service-Type 6 = Administrative*
>>>>
>>>> *radiusTransportThread: May 15 17:30:35.293: 00:00:00:36:00:00 *Access-Accept received from RADIUS server* 10.35.122.29 for mobile 00:00:00:36:00:00 receiveId = 0
>>>> *radiusTransportThread: May 15 17:30:35.293: AuthorizationResponse: 0x13c73d50
>>>> *radiusTransportThread: May 15 17:30:35.293: resultCode...................................0
>>>> *radiusTransportThread: May 15 17:30:35.293: protocolUsed.................................0x00000001
>>>> *radiusTransportThread: May 15 17:30:35.293: Packet contains 3 AVPs:
>>>> *radiusTransportThread: May 15 17:30:35.293: AVP[01] User-Name................................wlc-admin2 (10 bytes)
>>>> *radiusTransportThread: May 15 17:30:35.293: AVP[02] *Service-Type.............................0x00000006 (6) (4 bytes)*
>>>> *radiusTransportThread: May 15 17:30:35.293: AVP[03] Class....................................CACS:CCIEW-ACS/188401509/4628 (29 bytes)
>>>> *emWeb: May 15 17:30:35.294: *Authentication succeeded for wlc-admin2*
>>>>
>>>> - *RO Access = NOK - Service-Type 9 = Callback NAS Prompt*
>>>>
>>>> *radiusTransportThread: May 15 17:29:19.185: 00:00:00:35:00:00 *Access-Accept received from RADIUS server* 10.35.122.29 for mobile 00:00:00:35:00:00 receiveId = 0
>>>> *radiusTransportThread: May 15 17:29:19.185: AuthorizationResponse: 0x13c73d50
>>>> *radiusTransportThread: May 15 17:29:19.185: structureSize................................125
>>>> *radiusTransportThread: May 15 17:29:19.185: resultCode...................................0
>>>> *radiusTransportThread: May 15 17:29:19.185: protocolUsed.................................0x00000001
>>>> *radiusTransportThread: May 15 17:29:19.185: proxyState...................................00:00:00:35:00:00-00:00
>>>> *radiusTransportThread: May 15 17:29:19.185: Packet contains 3 AVPs:
>>>> *radiusTransportThread: May 15 17:29:19.185: AVP[01] User-Name................................wlc-exploit2 (12 bytes)
>>>> *radiusTransportThread: May 15 17:29:19.185: AVP[02] *Service-Type.............................0x00000009 (9) (4 bytes)*
>>>> *radiusTransportThread: May 15 17:29:19.185: AVP[03] Class....................................CACS:CCIEW-ACS/188401509/4627 (29 bytes)
>>>> *emWeb: May 15 17:29:19.186: *Authentication failed for wlc-exploit2, Service Type: 9*
_______________________________________________
Free CCIE R&S, Collaboration, Data Center, Wireless & Security Videos ::
iPexpert on YouTube: www.youtube.com/ipexpertinc
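
Added example (not part of the original thread, and not Cisco or iPexpert code): a small Python parser that reads WLC debug lines like those quoted above and reports the management role each returned Service-Type gives, using the mapping stated in the thread. The sample lines are constructed from the thread's output with wrapped lines joined, and the function and variable names are hypothetical.

```python
import re

# RADIUS Service-Type (attribute 6) values named in the thread, numbered per RFC 2865.
SERVICE_TYPE = {6: "Administrative", 7: "NAS Prompt",
                9: "Callback NAS Prompt", 11: "Callback Administrative"}
# WLC management role for each value, as stated in the documentation note and replies.
WLC_ROLE = {6: "read-write", 7: "read-only", 11: "lobby ambassador"}

# Constructed sample modelled on the debug output in the thread (wrapped lines joined).
SAMPLE_DEBUG = """\
*radiusTransportThread: May 15 17:30:35.293: AVP[01] User-Name................................wlc-admin2 (10 bytes)
*radiusTransportThread: May 15 17:30:35.293: AVP[02] Service-Type.............................0x00000006 (6) (4 bytes)
*emWeb: May 15 17:30:35.294: Authentication succeeded for wlc-admin2
*radiusTransportThread: May 15 17:29:19.185: AVP[01] User-Name................................wlc-exploit2 (12 bytes)
*radiusTransportThread: May 15 17:29:19.185: AVP[02] Service-Type.............................0x00000009 (9) (4 bytes)
*emWeb: May 15 17:29:19.186: Authentication failed for wlc-exploit2, Service Type: 9
"""

USER_RE = re.compile(r"User-Name\.+\S+ \(\d+ bytes\)")
STYPE_RE = re.compile(r"Service-Type\.+0x([0-9a-fA-F]{8})")
RESULT_RE = re.compile(r"Authentication (succeeded|failed) for ([^\s,]+)")


def audit(debug_text):
    """Return one record per management login seen in the debug output."""
    records, stype = [], None
    for raw in debug_text.splitlines():
        line = raw.replace("*", "")  # drop the '*' task prefix and e-mail bold markers
        if USER_RE.search(line):
            stype = None  # a new attribute list starts: forget the previous value
        elif m := STYPE_RE.search(line):
            stype = int(m.group(1), 16)
        elif m := RESULT_RE.search(line):
            records.append({
                "user": m.group(2),
                "accepted": m.group(1) == "succeeded",
                "service_type": stype,  # None when the server sent no Service-Type
                "name": SERVICE_TYPE.get(stype, "absent" if stype is None else "other"),
                "role": WLC_ROLE.get(stype, "none"),
            })
            stype = None
    return records


if __name__ == "__main__":
    for record in audit(SAMPLE_DEBUG):
        print(record)
```

A record with "accepted" false and "role" of "none" after an Access-Accept points at the authorization profile rather than the credentials, which is the case the original poster hit with Service-Type 9.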
