https://community.cisco.com/t5/wireless/wlc-radius-credentials-caching/m-p/757114#M10151 <HTML><HEAD></HEAD><BODY><P>I have Radius Authentication working. I even have Active Directory being used as the external database for clients. The problem is that a user that never has logged into a laptop(configure for AD) get as Domain not available if we try the via wireless for that users first login. I fully understad the issue which is the client have not been issued an IP because they have not been authenticated.</P><P></P><P>More than likely there is not a workaround for this scenerio other than login via wireless with the new AD user credentials. In effect caching the AD profile locally.</P><P></P><P>What I would like to address is because my users are Transient (nurses and doctors that share laptops) is how to lessen number of time for a wired loggin by caching the AD account in at the WLC. I may be off base to the function of this feature but its not very well documented (from what I have found)</P></BODY></HTML> Tue, 31 Jul 2007 20:33:41 GMT Mike Lydick 2007-07-31T20:33:41Z https://community.cisco.com/t5/wireless/wlc-radius-credentials-caching/m-p/757112#M10149 <P>We are using PEAP with ACS/AD as the external Database. The issue or behavior that we are experiencing is that clients require a Cached AD Token for the user authenticate against for the first time. The Client does not get an IP until authenticated and therefore cannot contact the DC.</P><P></P><P>We have shared laptops an its not feasible to cache all AD profiles(Tokens) to the laptop. </P><P></P><P>Will the Radius Authentication Server - Credential Caching option help by caching authenticated client sessions to the WLC and allow user to authenticate against multiple laptops? Is the above behavior correct(cached Token required)? Is there another approach to authenticating shared resources with PEAP/Radius(ACS)/AD </P> Sat, 03 Jul 2021 21:23:47 GMT https://community.cisco.com/t5/wireless/wlc-radius-credentials-caching/m-p/757112#M10149 Mike Lydick 2021-07-03T21:23:47Z https://community.cisco.com/t5/wireless/wlc-radius-credentials-caching/m-p/757113#M10150 <HTML><HEAD></HEAD><BODY><P>In order to perform RADIUS authentication, for controller login and management, ensure that the Admin-auth-via-RADIUS flag is enabled on the controller.</P><P>This can be verified from the output of the show radius summary command. </P><P><A class="jive-link-custom" href="http://cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a0080782507.shtml" target="_blank">http://cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a0080782507.shtml</A></P></BODY></HTML> Tue, 31 Jul 2007 19:53:42 GMT https://community.cisco.com/t5/wireless/wlc-radius-credentials-caching/m-p/757113#M10150 umedryk 2007-07-31T19:53:42Z https://community.cisco.com/t5/wireless/wlc-radius-credentials-caching/m-p/757114#M10151 <HTML><HEAD></HEAD><BODY><P>I have Radius Authentication working. I even have Active Directory being used as the external database for clients. The problem is that a user that never has logged into a laptop(configure for AD) get as Domain not available if we try the via wireless for that users first login. I fully understad the issue which is the client have not been issued an IP because they have not been authenticated.</P><P></P><P>More than likely there is not a workaround for this scenerio other than login via wireless with the new AD user credentials. In effect caching the AD profile locally.</P><P></P><P>What I would like to address is because my users are Transient (nurses and doctors that share laptops) is how to lessen number of time for a wired loggin by caching the AD account in at the WLC. I may be off base to the function of this feature but its not very well documented (from what I have found)</P></BODY></HTML> Tue, 31 Jul 2007 20:33:41 GMT https://community.cisco.com/t5/wireless/wlc-radius-credentials-caching/m-p/757114#M10151 Mike Lydick 2007-07-31T20:33:41Z https://community.cisco.com/t5/wireless/wlc-radius-credentials-caching/m-p/757115#M10152 <HTML><HEAD></HEAD><BODY><P>I know what you are talking about. We use PEAP-MSCHAPv2 with machine authentication and it works great. Brand new user that has never logged on to the wireless computer can get authenticated.</P></BODY></HTML> Wed, 01 Aug 2007 16:31:55 GMT https://community.cisco.com/t5/wireless/wlc-radius-credentials-caching/m-p/757115#M10152 hrios 2007-08-01T16:31:55Z https://community.cisco.com/t5/wireless/wlc-radius-credentials-caching/m-p/757116#M10153 <HTML><HEAD></HEAD><BODY><P>Yeah I would imagine machine authentication would be a better approach but that require issuing a cert to the machine. We are trying keep the hands on time with the laptops to a minimum and not to add yet another server for wireless security. We are not running any CA other than the ACS (self-signed cert). Even with that we are not adding the cert to the client list. I guess I will hit TAC up on the radius cache functionality. Also reconsider the security method we are using.</P></BODY></HTML> Thu, 02 Aug 2007 23:50:38 GMT https://community.cisco.com/t5/wireless/wlc-radius-credentials-caching/m-p/757116#M10153 Mike Lydick 2007-08-02T23:50:38Z https://community.cisco.com/t5/wireless/wlc-radius-credentials-caching/m-p/757117#M10154 <HTML><HEAD></HEAD><BODY><P>PEAP requires server-side certificates only. No certificates on the client side</P></BODY></HTML> Thu, 02 Aug 2007 23:59:13 GMT https://community.cisco.com/t5/wireless/wlc-radius-credentials-caching/m-p/757117#M10154 hrios 2007-08-02T23:59:13Z https://community.cisco.com/t5/wireless/wlc-radius-credentials-caching/m-p/757118#M10155 <HTML><HEAD></HEAD><BODY><P>Machine authentication? Do you have a White-paper on that (how-to)?</P></BODY></HTML> Fri, 03 Aug 2007 00:01:16 GMT https://community.cisco.com/t5/wireless/wlc-radius-credentials-caching/m-p/757118#M10155 Mike Lydick 2007-08-03T00:01:16Z https://community.cisco.com/t5/wireless/wlc-radius-credentials-caching/m-p/757119#M10156 <HTML><HEAD></HEAD><BODY><P>Check these two documents:</P><P></P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/customer/products/sw/secursw/ps2086/products_configuration_example09186a00801df0e4.shtml" target="_blank">http://www.cisco.com/en/US/customer/products/sw/secursw/ps2086/products_configuration_example09186a00801df0e4.shtml</A></P><P></P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/customer/docs/wireless/technology/peap/technical/reference/PEAP_D.html#wp1008130" target="_blank">http://www.cisco.com/en/US/customer/docs/wireless/technology/peap/technical/reference/PEAP_D.html#wp1008130</A></P></BODY></HTML> Fri, 03 Aug 2007 00:07:33 GMT https://community.cisco.com/t5/wireless/wlc-radius-credentials-caching/m-p/757119#M10156 hrios 2007-08-03T00:07:33Z https://community.cisco.com/t5/wireless/wlc-radius-credentials-caching/m-p/757120#M10157 <HTML><HEAD></HEAD><BODY><P>Both of these show using (client-side certificate validation)certificates. Did you choose not to validate on the clients or how did you address this part of the client config?</P><P></P><P>Btw thanks for your response.</P></BODY></HTML> Fri, 03 Aug 2007 00:15:30 GMT https://community.cisco.com/t5/wireless/wlc-radius-credentials-caching/m-p/757120#M10157 Mike Lydick 2007-08-03T00:15:30Z https://community.cisco.com/t5/wireless/wlc-radius-credentials-caching/m-p/757121#M10158 <HTML><HEAD></HEAD><BODY><P>Assuming your clients are Windows and/or Mac,the root CA certificates of many third-party CAs are already included in the OS. If your Radius server certificate is from a third-party CA that corresponds to an included root CA certificate, no additional wireless client configuration is required. </P></BODY></HTML> Fri, 03 Aug 2007 00:29:15 GMT https://community.cisco.com/t5/wireless/wlc-radius-credentials-caching/m-p/757121#M10158 hrios 2007-08-03T00:29:15Z