Checkrad and Cisco WLC

[David Jimenez]

Thanks, those OIDs worked like a charm.

We don’t allow roaming, so the radius server will be only for one WLC with 30 APs, and it will deal with a total of 1,000 users in its database, approximately. We will give it a try with just checkrad and cldcClientTable and see how it works out. If it is too slow, we will develop a custom script.

In the meantime, I altered checkrad to ignore snmpget, because it seems incapable of properly converting the session-id from hexadecimal into dotted decimal, and left it with only snmpwalk working, using SNMPv3.

Thanks again.

> On may 14, 2016, at 6:05 PM, Matthew Newton <mcn4 at leicester.ac.uk> wrote:
> 
> On Fri, May 13, 2016 at 10:09:10PM -0500, David Jimenez wrote:
>> 
>> Using snmpwalk I can reach the Cisco WLC, with no problem, from
>> the machine hosting freeradius. And I know that I’m supposed to
>> edit the checkrad script to point to the correct OID, however...
>> 
>> I am sure the OIDs defined by default in the script, do not
>> exist in the Cisco WLC. So I have been searching in Cisco’s SNMP
>> Object Navigator
>> (http://tools.cisco.com/Support/SNMP/do/BrowseOID.do?local=en),
>> but the amount of OIDs is just enormous and I’m not even sure
>> exactly what value I’m supposed to look for.
>> 
>> Anyone that could help me on how to proceed?
> 
> I'm not using checkrad, but I've written a perl library for
> pulling data from Cisco WLCs, so I've got quite a collection of
> OIDs that can help...
> 
> One complication is that they started off on the Airespace MIB
> (enterprise 14179), but have now started to move to the Cisco
> LWAPP MIB (enterprise 9). So there's a right mix of things you can
> read.
> 
> For the usernames, try looking at .1.3.6.1.4.1.14179.2.1.4.1.3 in
> the airespace-wireless-mib bsnMobileStationTable. You can also get
> them from .1.3.6.1.4.1.9.9.599.1.3.1.1.27 in the
> cisco-lwapp-dot11-client-mib cldcClientTable.
> 
> Pulling those tables can take a while if you've got quite a lot of
> users joined, and the indexes aren't useful to do a direct lookup
> to see if a particular user is joined (they're the mobile station
> (wireless client) MAC address). And if you've got several WLCs
> like us then you probably have to check them all.
> 
>> This is on a freeradius 3.0.11, on OpenBSD 5.9.
>> The controller is a Cisco WLC 2504 with firmware 8.0.133.0.
> 
> cldcClientTable username entry seems fine on this version (just
> checked against the same - 2504 8.0.133.0). Versions before that
> can be broken and not return any usernames, so you have to look in
> the Airespace table instead.
> 
> You'll certainly need to update checkrad, and may have to write
> something else instead. You can read the direct username entry if
> you've got the Calling-Station-Id and the username, but you need
> to know which WLC to check. With multiple WLCs, a client that
> roams can have its entire Mobile Station entry moved to a
> different WLC. The WLCs *should* have told the RADIUS server
> about the roam with accounting Interim-Updates, but I wouldn't
> personally trust them that much.
> 
> Hope that helps,
> 
> Matthew
> (very narrowly avoiding a Cisco rant there)
> 
> -- 
> Matthew Newton, Ph.D. <mcn4 at le.ac.uk>
> 
> Systems Specialist, Infrastructure Services,
> I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
> 
> For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3704 bytes
Desc: not available
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20160516/23a30da6/attachment-0001.bin>