Checkrad and Cisco WLC

David Jimenez d.jimenez.d at
Tue May 17 03:00:06 CEST 2016

Thanks, those OIDs worked like a charm.

We don’t allow roaming, so the radius server will be only for one WLC with 30 APs, and it will deal with a total of 1,000 users in its database, approximately. We will give it a try with just checkrad and cldcClientTable and see how it works out. If it is too slow, we will develop a custom script.

In the meantime, I altered checkrad to ignore snmpget, because it seems incapable of properly converting the session-id from hexadecimal into dotted decimal, and left it with only snmpwalk working, using SNMPv3.

Thanks again.

> On may 14, 2016, at 6:05 PM, Matthew Newton <mcn4 at> wrote:
> On Fri, May 13, 2016 at 10:09:10PM -0500, David Jimenez wrote:
>> Using snmpwalk I can reach the Cisco WLC, with no problem, from
>> the machine hosting freeradius. And I know that I’m supposed to
>> edit the checkrad script to point to the correct OID, however...
>> I am sure the OIDs defined by default in the script, do not
>> exist in the Cisco WLC. So I have been searching in Cisco’s SNMP
>> Object Navigator
>> (,
>> but the amount of OIDs is just enormous and I’m not even sure
>> exactly what value I’m supposed to look for.
>> Anyone that could help me on how to proceed?
> I'm not using checkrad, but I've written a perl library for
> pulling data from Cisco WLCs, so I've got quite a collection of
> OIDs that can help...
> One complication is that they started off on the Airespace MIB
> (enterprise 14179), but have now started to move to the Cisco
> LWAPP MIB (enterprise 9). So there's a right mix of things you can
> read.
> For the usernames, try looking at . in
> the airespace-wireless-mib bsnMobileStationTable. You can also get
> them from . in the
> cisco-lwapp-dot11-client-mib cldcClientTable.
> Pulling those tables can take a while if you've got quite a lot of
> users joined, and the indexes aren't useful to do a direct lookup
> to see if a particular user is joined (they're the mobile station
> (wireless client) MAC address). And if you've got several WLCs
> like us then you probably have to check them all.
>> This is on a freeradius 3.0.11, on OpenBSD 5.9.
>> The controller is a Cisco WLC 2504 with firmware
> cldcClientTable username entry seems fine on this version (just
> checked against the same - 2504 Versions before that
> can be broken and not return any usernames, so you have to look in
> the Airespace table instead.
> You'll certainly need to update checkrad, and may have to write
> something else instead. You can read the direct username entry if
> you've got the Calling-Station-Id and the username, but you need
> to know which WLC to check. With multiple WLCs, a client that
> roams can have its entire Mobile Station entry moved to a
> different WLC. The WLCs *should* have told the RADIUS server
> about the roam with accounting Interim-Updates, but I wouldn't
> personally trust them that much.
> Hope that helps,
> Matthew
> (very narrowly avoiding a Cisco rant there)
> -- 
> Matthew Newton, Ph.D. <mcn4 at>
> Systems Specialist, Infrastructure Services,
> I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
> For IT help contact helpdesk extn. 2253, <ithelp at>
> -
> List info/subscribe/unsubscribe? See

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3704 bytes
Desc: not available
URL: <>

More information about the Freeradius-Users mailing list