New Contributor
Posts: 4
Registered: ‎07-12-2016

CPPM v 6.6.0 Integration with Cisco WLC v 8.0.133.0 Authe Guest Access not working

Hi,

I have a CPPM and Cisco WLC controller.

The idea is to use Cisco as wireless infrastructure and CPPM as RADIUS Auth. and Acct. server for Guest and 802.1X with AD users.

All the config for 802.1X with AD works just fine, also with the Local User DB on CPPM, between Cisco WLC and CPPM. However, when trying to use Guest Access with Captive Portal and the Local Guest Users DB on CPPM it is not working; Monitoring > Access Tracker or Accounting did not show any log entry for this service.

When a guest user connects to the Guest SSID, the user is redirected to the CPPM Captive Portal asking for username and password; when trying a valid CPPM guest user stored in the local DB, it shows a message telling me that the username or password are incorrect. Using a Policy Simulation with the same Service Rules and Auth Method, the Guest User works and shows a log entry in Access Tracker.

Does someone have any idea why CPPM does not process WLC RADIUS requests only for the Guest SSID?

MVP
Posts: 4,124
Registered: ‎07-20-2011

Re: CPPM v 6.6.0 Integration with Cisco WLC v 8.0.133.0 Authe Guest Access not working

Are you using captive portal redirect on MAC failure?

For vendor settings do you have Cisco in the guest page?

Do you see any errors in the event viewer?

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
New Contributor
Posts: 4
Registered: ‎07-12-2016

Re: CPPM v 6.6.0 Integration with Cisco WLC v 8.0.133.0 Authe Guest Access not working

Hi Victor Fabian,

Here are my answers:

Are you using captive portal redirect on MAC failure?

R: No, I'm not. WLC uses L2 Sec Open and L3 Sec web-policy > authentication.

For vendor settings do you have Cisco in the guest page?

R: Yes, my guest test page is configured as Vendor Settings: Cisco and using the virtual IP address for WLC. Also the Pre-Auth ACL has ACEs for DNS, ICMP, tcp/CPPM and tcp/WLC virtual IP address for redirection.

Do you see any errors in the event viewer?

R: Yes, it shows me the following:

Source: RADIUS
Level: ERROR
Category: Authentication
Action: Unknown
Timestamp: Sep 13, 2016 20:09:27 CDT
Description: RADIUS authentication attempt from unknown NAD 10.100.1.2:32774

10.100.1.2 is not the NAD; it is 10.10.10.2 as configured on Devices.
New Contributor
Posts: 4
Registered: ‎07-12-2016

Re: CPPM v 6.6.0 Integration with Cisco WLC v 8.0.133.0 Authe Guest Access not working

Hi Víctor,

The workaround I made was to add a new device using the virtual interface IP address configured for guest users on WLC and the same RADIUS shared secret.

Now it is working well.
New Contributor
Posts: 4
Registered: ‎07-12-2016

Re: CPPM v 6.6.0 Integration with Cisco WLC v 8.0.133.0 Authe Guest Access not working

This is why WLC was sending packets sourced from dynamic interfaces mapped to an SSID.

 

Cisco Quote: 

Information About Per-WLAN RADIUS Source Support

 

The controller sources RADIUS traffic from the IP address of its management interface unless the configured RADIUS server exists on a VLAN accessible via one of the controller Dynamic interfaces. If a RADIUS server is reachable via a controller Dynamic interface, RADIUS requests to this specific RADIUS server will be sourced from the controller via the corresponding Dynamic interface.

By default, RADIUS packets sourced from the controller will set the NAS-IP-Address attribute to that of the management interface's IP Address, regardless of the packet's source IP Address (Management or Dynamic, depending on topology).

When you enable per-WLAN RADIUS source support (Radius Server Overwrite interface) the NAS-IP-Address attribute is overwritten by the controller to reflect the sourced interface. Also, RADIUS attributes are modified accordingly to match the identity. This feature virtualizes the controller on the per-WLAN RADIUS traffic, where each WLAN can have a separate layer 3 identity. This feature is useful in deployments that integrate with ACS Network Access Restrictions and Network Access Profiles.

To filter WLANs, use the callStationID that is set by RFC 3580 to be in the APMAC:SSID format. You can also extend the filtering on the authentication server to be on a per-WLAN source interface by using the NAS-IP-Address attribute.

You can combine per-WLAN RADIUS source support with the normal RADIUS traffic source and some WLANs that use the management interface and others using the per-WLAN dynamic interface as the address source.

==========================

 

Since my dynamic interface IP addresses on WLC can reach the CPPM RADIUS server, that was the reason RADIUS packets were sourced this way, and I needed to configure a new device with the dynamic IP address on CPPM.

Thank you very much Victor for your 'Event Viewer' hint; it did not cross my mind until you mentioned it. I am very grateful, regards.
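The failure mode in this thread, as an added example that is not code from the thread or from CPPM/Cisco: a RADIUS server matches the NAD on the UDP source IP of the request, not on the NAS-IP-Address attribute the WLC puts inside the packet. The NAD table, shared secret and packet bytes below are constructed for illustration; the server logic is a simplified model of the "unknown NAD" check, not CPPM's implementation.

```python
import ipaddress
import struct

# Constructed NAD table: initially only the WLC management IP is registered,
# as in the original setup. The secret is a placeholder value.
NAD_TABLE = {"10.10.10.2": "shared-secret-placeholder"}

NAS_IP_ADDRESS = 4          # RADIUS attribute type per RFC 2865
ACCESS_REQUEST = 1          # RADIUS code
HEADER_LEN = 20             # code(1) + id(1) + length(2) + authenticator(16)


def build_access_request(nas_ip, ident=1):
    """Build a constructed minimal Access-Request carrying only NAS-IP-Address.
    The WLC sets this attribute to the management IP by default, regardless of
    which interface the packet is actually sourced from."""
    attr = struct.pack("!BB4s", NAS_IP_ADDRESS, 6, ipaddress.IPv4Address(nas_ip).packed)
    authenticator = b"\x00" * 16  # placeholder; a real request uses 16 random bytes
    header = struct.pack("!BBH16s", ACCESS_REQUEST, ident, HEADER_LEN + len(attr), authenticator)
    return header + attr


def parse_nas_ip(packet):
    """Walk the TLV attribute list and return NAS-IP-Address, or None if absent."""
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    pos = HEADER_LEN
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2:                      # malformed attribute length; stop parsing
            break
        if atype == NAS_IP_ADDRESS and alen == 6:
            return str(ipaddress.IPv4Address(packet[pos + 2:pos + 6]))
        pos += alen
    return None


def lookup_nad(source_ip, packet, nad_table=NAD_TABLE):
    """Model the server-side NAD lookup: the sending IP must be a registered
    device, otherwise the request is dropped before any policy is evaluated.
    The NAS-IP-Address attribute is reported only to show the mismatch."""
    nas_ip = parse_nas_ip(packet)
    secret = nad_table.get(source_ip)
    if secret is None:
        return {"result": "unknown NAD", "source_ip": source_ip, "nas_ip": nas_ip, "secret": None}
    return {"result": "accepted", "source_ip": source_ip, "nas_ip": nas_ip, "secret": secret}
```

Registering the dynamic interface IP as a second device (with the same secret) is what turns the `unknown NAD` result into `accepted`, exactly the workaround described above.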
