Checkrad and Cisco WLC

Matthew Newton mcn4 at leicester.ac.uk
Sun May 15 01:05:39 CEST 2016


On Fri, May 13, 2016 at 10:09:10PM -0500, David Jimenez wrote:
> 
> Using snmpwalk I can reach the Cisco WLC, with no problem, from
> the machine hosting freeradius. And I know that I’m supposed to
> edit the checkrad script to point to the correct OID, however...
> 
> I am sure the OIDs defined by default in the script do not
> exist in the Cisco WLC. So I have been searching in Cisco’s SNMP
> Object Navigator
> (http://tools.cisco.com/Support/SNMP/do/BrowseOID.do?local=en),
> but the amount of OIDs is just enormous and I’m not even sure
> exactly what value I’m supposed to look for.
> 
> Anyone that could help me on how to proceed?

I'm not using checkrad, but I've written a perl library for
pulling data from Cisco WLCs, so I've got quite a collection of
OIDs that can help...

One complication is that they started off on the Airespace MIB
(enterprise 14179), but have now started to move to the Cisco
LWAPP MIB (enterprise 9). So there's a right mix of things you can
read.

For the usernames, try looking at .1.3.6.1.4.1.14179.2.1.4.1.3 in
the airespace-wireless-mib bsnMobileStationTable. You can also get
them from .1.3.6.1.4.1.9.9.599.1.3.1.1.27 in the
cisco-lwapp-dot11-client-mib cldcClientTable.

Pulling those tables can take a while if you've got quite a lot of
users joined, and the indexes aren't useful to do a direct lookup
to see if a particular user is joined (they're the mobile station
(wireless client) MAC address). And if you've got several WLCs
like us then you probably have to check them all.

> This is on a freeradius 3.0.11, on OpenBSD 5.9.
> The controller is a Cisco WLC 2504 with firmware 8.0.133.0.

cldcClientTable username entry seems fine on this version (just
checked against the same - 2504 8.0.133.0). Versions before that
can be broken and not return any usernames, so you have to look in
the Airespace table instead.

You'll certainly need to update checkrad, and may have to write
something else instead. You can read the direct username entry if
you've got the Calling-Station-Id and the username, but you need
to know which WLC to check. With multiple WLCs, a client that
roams can have its entire Mobile Station entry moved to a
different WLC. The WLCs *should* have told the RADIUS server
about the roam with accounting Interim-Updates, but I wouldn't
personally trust them that much.

Hope that helps,

Matthew
(very narrowly avoiding a Cisco rant there)

-- 
Matthew Newton, Ph.D. <mcn4 at le.ac.uk>

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>
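An added example of the direct username lookup the reply describes, written in Python rather than taken from the poster's perl library or the stock checkrad script: it turns a RADIUS Calling-Station-Id into the MAC-based row index of the two tables, builds the username OIDs in both MIBs, and reads `snmpget -On -Oq` replies from each WLC. The WLC names, the community string handling and the sample replies are constructed; the 0/1 result follows checkrad's exit-code convention.

```python
import re

# Username columns from the two MIBs named in the reply (added example, not the
# poster's perl library). Both tables are indexed by the client MAC address,
# which SNMP appends to the column OID as six decimal sub-identifiers.
BSN_USERNAME = ".1.3.6.1.4.1.14179.2.1.4.1.3"   # bsnMobileStationTable (Airespace)
CLDC_USERNAME = ".1.3.6.1.4.1.9.9.599.1.3.1.1.27"  # cldcClientTable (LWAPP)

def mac_to_index(calling_station_id):
    """00-11-22-33-44-55 / 00:11:22:33:44:55 / 0011.2233.4455 -> '0.17.34.51.68.85'."""
    digits = re.sub(r"[^0-9a-fA-F]", "", calling_station_id)
    if len(digits) != 12:
        raise ValueError("not a MAC address: %r" % calling_station_id)
    return ".".join(str(int(digits[i:i + 2], 16)) for i in range(0, 12, 2))

def username_oids(calling_station_id):
    """Direct-lookup OIDs for this client's username: LWAPP table first, Airespace
    table as the fallback for firmware that returns no LWAPP usernames."""
    idx = mac_to_index(calling_station_id)
    return [CLDC_USERNAME + "." + idx, BSN_USERNAME + "." + idx]

def parse_snmpget(output):
    """`snmpget -On -Oq` output ('<oid> <value>' per line) -> {oid: value}.
    'No Such Instance/Object' replies mean the MAC is not joined to this WLC."""
    found = {}
    for line in output.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and not parts[1].startswith("No Such"):
            found[parts[0]] = parts[1].strip('"')
    return found

def checkrad_status(username, calling_station_id, outputs_by_wlc):
    """Check every WLC, since a roamed client's row may have moved. Returns
    (code, wlc) using checkrad's convention: 1 = logged in, 0 = not logged in."""
    oids = username_oids(calling_station_id)
    for wlc, output in outputs_by_wlc.items():
        values = parse_snmpget(output)
        if any(values.get(oid) == username for oid in oids):
            return 1, wlc
    return 0, None

# Constructed sample replies, as `snmpget -v2c -c COMMUNITY -On -Oq WLC OID...`
# prints them: the client has roamed, so only wlc2 still holds its row.
NO_INSTANCE = " No Such Instance currently exists at this OID\n"
SAMPLE = {
    "wlc1": CLDC_USERNAME + ".0.17.34.51.68.85" + NO_INSTANCE
            + BSN_USERNAME + ".0.17.34.51.68.85" + NO_INSTANCE,
    "wlc2": CLDC_USERNAME + ".0.17.34.51.68.85 jbloggs\n"
            + BSN_USERNAME + ".0.17.34.51.68.85 jbloggs\n",
}
```

To use it from a checkrad replacement, run snmpget for the two OIDs against each controller, pass the collected replies as `outputs_by_wlc`, and exit with the returned code.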
