Problem with CISCO WIRELESS CONTROLLER and RADIUS Authentication

Gustavo Vieira Oliveira gustavov at sc.senai.br
Thu Jul 4 15:00:28 CEST 2013


Yeah, I'm not saying it's a problem with RADIUS.

I'm just asking, trying to understand why it's happening and if there may 
be any workaround for this.

Matthew, we have some remote places that we chose to authenticate 
locally with Radius.

I'm guessing the configuration (radius-server vsa send) is needed because 
of this, or am I wrong:

attr_rewrite getssid-bsn {
         attribute = Called-Station-Id
         searchin = packet
         searchfor = ".................:BSN"
         replacewith = "BSN"
         ignore_case = yes
         new_attribute = no
}

attr_rewrite getssid-COL {
         attribute = Called-Station-Id
         searchin = packet
         searchfor = ".................:COL"
         replacewith = "COL"
         ignore_case = yes
         new_attribute = no
}

attr_rewrite getssid-bsn-cisco {
         attribute = Cisco-AVPair
         searchin = packet
         searchfor = "....=BSN"
         replacewith = "BSN"
         ignore_case = yes
         new_attribute = no
}

attr_rewrite getssid-col-cisco {
         attribute = Cisco-AVPair
         searchin = packet
         searchfor = "....=COL"
         replacewith = "COL"
         ignore_case = yes
         new_attribute = no
}

We do this to identify the SSID which the user is trying to log in to, 
to make up the LDAP filter.

Can anyone explain if it's the reason why we need a VSA sent to the NAS 
and if we're doing something wrong? Is there any other suggestion?

Sorry if I'm still asking something that may not be related to this forum.

On 04/07/2013 09:29, Matthew Newton wrote:
> Hi,
>
> This isn't a FreeRADIUS issue, and shouldn't really be on this
> list.
>
> However -
>
> On Thu, Jul 04, 2013 at 09:12:40AM -0300, Gustavo Vieira Oliveira wrote:
>> We have a Cisco Wireless Controller 5508 with Aironet 1041 APs.
> We have the same, authenticating against FreeRADIUS.
>
>> To make the AP authenticate with RADIUS we need to set the following
>> command manually in the AP:
>>
>> - radius-server vsa send
> That is odd, and I would guess that you have something not set up
> correctly on the controller (I assume your APs are all lightweight
> and correctly joined to the controller).
>
> It all works fine here with no manual configuration of the APs at
> all - they get all their config from the controller, as they
> should do. The APs don't do any RADIUS themselves - it's all
> handled from the controller. So I can't understand why they would
> need to know anything about RADIUS attributes.
>
>> The thing is, the APs can only authenticate if this command is
>> issued in the AP by cli and we need that the Wireless Controller can
>> pass this configuration to the APs, which it doesn't support. So,
>> anyone know why is it necessary and if there is another alternative
>> or workaround to make it work without it?
> I would check that your WLANs are correctly configured with the
> RADIUS servers in the controller. You shouldn't need to configure
> the APs like this.
>
> You're better off asking on another mailing list, though.
>
> Matthew
>
>
>
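
An added example, not part of the original message or of FreeRADIUS: a Python sketch of what the posted Called-Station-Id rule does to a value (approximated with Python's regex engine) next to a stricter, anchored extraction that only accepts an allow-listed SSID before it reaches an LDAP filter. The value formats ("<MAC>:<SSID>" and "ssid=<SSID>"), the SSID list and the filter attribute `wifiSsid` are assumptions inferred from the patterns in the post.

```python
import re

# Assumption: only these two SSIDs exist, as in the posted attr_rewrite blocks.
KNOWN_SSIDS = {"BSN", "COL"}

# Called-Station-Id assumed to be "<17-char MAC>:<SSID>" (the 17 dots in the post).
CALLED_RE = re.compile(r"^[0-9A-Fa-f]{2}(?:[-:][0-9A-Fa-f]{2}){5}:(?P<ssid>.+)$")
# Cisco-AVPair assumed to be "ssid=<SSID>" (the "....=" in the post).
AVPAIR_RE = re.compile(r"^ssid=(?P<ssid>.+)$", re.IGNORECASE)


def posted_rewrite(value, ssid):
    """Approximate the posted Called-Station-Id rule: unanchored, case-insensitive."""
    return re.sub("." * 17 + ":" + ssid, ssid, value, flags=re.IGNORECASE)


def extract_ssid(called_station_id=None, cisco_avpairs=()):
    """Return the allow-listed SSID, or None if no value matches exactly."""
    candidates = []
    if called_station_id:
        m = CALLED_RE.match(called_station_id)
        if m:
            candidates.append(m.group("ssid"))
    for pair in cisco_avpairs:
        m = AVPAIR_RE.match(pair)
        if m:
            candidates.append(m.group("ssid"))
    for ssid in candidates:
        if ssid.upper() in KNOWN_SSIDS:
            return ssid.upper()
    return None


def ldap_escape(value):
    """Escape RFC 4515 special characters before placing a value in a filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)


def build_filter(username, ssid):
    # Hypothetical filter layout; "wifiSsid" is a made-up attribute name.
    return "(&(uid=%s)(wifiSsid=%s))" % (ldap_escape(username), ssid)
```

With the constructed value "00-11-22-33-44-55:BSN-guest", the unanchored rule leaves "BSN-guest" in the attribute, while the anchored extraction returns nothing, so the request can be rejected instead of feeding an unexpected string into the filter.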


