01-28-2008 11:06 AM - edited 02-21-2020 01:52 AM
I'm unable to authenticate the Guest Client in the RADIUS of NAC Guest Server.
The NAC is configured in the AAA Servers of the Guest SSID, in the WLC4402 and the controller as client in the NAC Guest Srv.
The Allow Override is Enabled.
NAC Guest Server » radius.log :
Thu Jan 17 01:10:17 2008 : Info: rlm_sql (sql): Driver rlm_sql_postgresql (module rlm_sql_postgresql) loaded and linked
Thu Jan 17 01:10:17 2008 : Info: rlm_sql (sql): Attempting to connect to postgres@localhost:/radius
Thu Jan 17 01:10:17 2008 : Info: Ready to process requests.
Thu Jan 17 01:12:08 2008 : Error: rlm_exec (radius-user-auth): External script failed
Thu Jan 17 01:18:49 2008 : Error: rlm_exec (radius-user-auth): External script failed
Has anyone experienced this issue?
Thanks!
02-01-2008 12:42 PM
When a guest authenticates against a RADIUS client, the RADIUS client uses RADIUS Authentication to ask the Cisco NAC Guest Server whether the user authentication is valid. If the guest authentication is valid, the Cisco NAC Guest Server returns a message stating that the user is valid and the amount of time remaining before the user session expires. The RADIUS client must honor the session-timeout attribute to remove the guest when the guest account time expires. The following link may help you:
http://www.cisco.com/en/US/docs/security/nac/guestserver/configuration_guide/10/g_radius.html
06-30-2008 06:34 AM
Have you solved this problem? I'm stuck with this problem too.
07-07-2008 01:41 PM
Hi -
What version of the NAC Guest server are you using?
I searched all TAC cases and have the following info to share with you based on your error message.
If it is 1.1.1, you might be running into this bug:
CSCsq86376
With the new locations feature in 1.1.1 of the guest server any customer that has the calling-station-id attribute on their controller set to MAC address will not pass any authentications.
The new locations feature expects the calling-station-id attribute to be set to the IP address.
thxs
peter
07-08-2008 10:16 PM
I'm using 1.1.0 and 1.1.1. I already set the calling-station-id attribute to IP address, but I still got the problem.
07-21-2008 11:37 PM
I had exactly the same problem.
When the script (it's an obfuscated PHP script under /guest/utils) fails, it is because it had not been able to match the username and password.
After a little debugging, it seems that this is caused by the controller setting (Controller/General/Web RADIUS Authentication) which in my case was set to CHAP. After changing it to PAP, the script can then see the password and authentication works.
I hope this helps.