cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
714
Views
0
Helpful
2
Replies
c.s Beginner
Beginner

WLC - radius down, possible to have auth none as secondary?

Lets say i have a 5508 wlc and have configured a wlan with web-auth and radius authentication

The one and only configured radius server goes offline. In the event this should happen, is it possible to allow clients to connect anyway? auth none as secondary?

Appreciate any thoughts

2 ACCEPTED SOLUTIONS

Accepted Solutions
Highlighted

WLC - radius down, possible to have auth none as secondary?

Chris,

No, unfortunately not.  Once you select 802.1X (Radius) you are bound to that security type. The  controller will not allow NON EAP traffic on that WLAN unless it gets a EAP SUCCESS frame. The EAP success frame from the radius is sent to the WLC and it tell the WLC to open the controlled port to allow traffic to pass.

Top of my head alternatives:

You might consider another SSID with the same name with a OPEN security. Manually enable after failure of radius server

.

Create the user accounts on the WLC and allow the WLC to act as your radius server.If you have a large environment may not be realistic.

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

View solution in original post

Highlighted
Cisco Employee

Re: WLC - radius down, possible to have auth none as secondary?

#webauth and radius uses pap/chap/md-5, however conditional and splash page web redirect uses dot1x.

#You can fallback between Local/Radius/LDAP for webauth based on priority order for web-auth user

In your case you can set webauth priority as Radius, Local.

View solution in original post

2 REPLIES 2
Highlighted

WLC - radius down, possible to have auth none as secondary?

Chris,

No, unfortunately not.  Once you select 802.1X (Radius) you are bound to that security type. The  controller will not allow NON EAP traffic on that WLAN unless it gets a EAP SUCCESS frame. The EAP success frame from the radius is sent to the WLC and it tell the WLC to open the controlled port to allow traffic to pass.

Top of my head alternatives:

You might consider another SSID with the same name with a OPEN security. Manually enable after failure of radius server

.

Create the user accounts on the WLC and allow the WLC to act as your radius server.If you have a large environment may not be realistic.

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

View solution in original post

Highlighted
Cisco Employee

Re: WLC - radius down, possible to have auth none as secondary?

#webauth and radius uses pap/chap/md-5, however conditional and splash page web redirect uses dot1x.

#You can fallback between Local/Radius/LDAP for webauth based on priority order for web-auth user

In your case you can set webauth priority as Radius, Local.

View solution in original post

CreatePlease to create content
Content for Community-Ad