Introduction
In this document, Cisco TAC engineer Samson Aloor explains an issue in which wireless users authenticated by a RADIUS server were also able to authenticate to the WLC management interface with their AD credentials.
Problem Subcategory
5500 Series Wireless LAN Controller (AIR-CT5508)
Problem Type
Configuration Assistance
Hardware
Cisco 5500 Series Wireless LAN Controller - AIR-CT5508-K9
Software Version
7.4.110.0
Problem Details
The user installed a new 5508 WLC into the network with only a local admin account set up. No TACACS+ server was configured, yet the user found that the WLC could be accessed with any valid domain account.
Problem Description
Wireless/wired users were also able to log in to the WLC as management users, although the user had created only a single local admin account.
Resolution
It was found that the RADIUS authentication server used for wireless client authentication was also configured to perform management authentication.
When a RADIUS authentication server is added on the WLC, the "Management" check box is enabled by default. With this option enabled, the entry is also treated as a RADIUS authentication server for management users, and management (GUI/CLI) login requests are sent to that RADIUS server. Any account the RADIUS server accepts with the Service-Type attribute set to Administrative can therefore log in to the controller, even though only the local admin account was defined on the WLC.
This was verified by unchecking the "Management" option on the RADIUS server entry, which disables management authentication against that server.
Troubleshooting
Output of the debug aaa events enable command, captured with the Service-Type attribute set to Administrative on the ACS:
(Cisco Controller)>debug aaa events enable
Mon Aug 13 20:17:02 2011: AuthenticationRequest: 0xa449f1c
Mon Aug 13 20:17:02 2011: Callback.....................................0x8250c40
Mon Aug 13 20:17:02 2011: protocolType.................................0x00020001
Mon Aug 13 20:17:02 2011: proxyState.......................1D:00:00:00:00:00-00:00
Mon Aug 13 20:17:02 2011: Packet contains 5 AVPs (not shown)
Mon Aug 13 20:17:02 2011: 1d:00:00:00:00:00 Successful transmission of Authentication Packet (id 11) to 172.16.1.1:1812, proxy state 1d:00:00:00:00:00-00:00
Mon Aug 13 20:17:02 2011: ****Enter processIncomingMessages: response code=2
Mon Aug 13 20:17:02 2011: ****Enter processRadiusResponse: response code=2
Mon Aug 13 20:17:02 2011: 1d:00:00:00:00:00 Access-Accept received from RADIUS server 172.16.1.1 for mobile 1d:00:00:00:00:00 receiveId = 0
Mon Aug 13 20:17:02 2011: AuthorizationResponse: 0x9802520
Mon Aug 13 20:17:02 2011: structureSize................................100
Mon Aug 13 20:17:02 2011: resultCode...................................0
Mon Aug 13 20:17:02 2011: protocolUsed.................................0x00000001
Mon Aug 13 20:17:02 2011: proxyState.......................1D:00:00:00:00:00-00:00
Mon Aug 13 20:17:02 2011: Packet contains 2 AVPs:
Mon Aug 13 20:17:02 2011: AVP[01] Service-Type...........0x00000006 (6) (4 bytes)
Mon Aug 13 20:17:02 2011: AVP[02] Class.........CISCOACS:000d1b9f/ac100128/acsserver (36 bytes)
The Service-Type attribute (value 6, Administrative) is passed on to the WLC, which accepts the login as a management user. If the RADIUS server entry had Management disabled, the login request would never have been sent to it.
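To make the two points above concrete (the Management flag that is enabled by default on a RADIUS server entry, and the Service-Type value the WLC uses to decide whether an Access-Accept is a management grant), here is an added Python example; it is not from the TAC case or from Cisco. It parses debug aaa events output in the format shown above, extracts the Service-Type AVP from each Access-Accept, maps 6 (Administrative-User) to read-write and 7 (NAS-Prompt) to read-only as the WLC does, and reports any Access-Accept that would log a user in as an admin via a server entry that still has Management enabled. The RadiusServerEntry model, the function names and the sample debug lines are constructed for the example.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# RFC 2865 Service-Type values. The WLC treats an Access-Accept carrying
# Administrative-User (6) as a read-write management login and NAS-Prompt (7)
# as a read-only one; any other value is not a management grant.
ROLE_BY_SERVICE_TYPE = {6: "read-write", 7: "read-only"}


@dataclass
class RadiusServerEntry:
    # Mirrors a RADIUS authentication server entry on the WLC. 'management' is
    # the Management check box, which is enabled by default when the entry is added.
    index: int
    address: str
    network_user: bool = True
    management: bool = True


@dataclass
class AcceptEvent:
    # One Access-Accept seen in 'debug aaa events enable' output.
    server: str = "?"
    service_type: Optional[int] = None
    avps: Dict[str, str] = field(default_factory=dict)


_ACCEPT_RE = re.compile(r"Access-Accept received")
_SERVER_RE = re.compile(r"from RADIUS server (\S+)")
_AVP_RE = re.compile(r"AVP\[\d+\]\s+([A-Za-z-]+)\.+\s*(\S*)")


def parse_aaa_debug(lines: List[str]) -> List[AcceptEvent]:
    """Extract Access-Accepts and their AVPs; tolerates the wrapped lines seen in captures."""
    events: List[AcceptEvent] = []
    current: Optional[AcceptEvent] = None
    pending_avp: Optional[str] = None  # AVP whose value wrapped onto the next line
    for raw in lines:
        line = raw.strip()
        if _ACCEPT_RE.search(line):
            current = AcceptEvent()
            events.append(current)
            pending_avp = None
        if current is None:
            continue
        m = _SERVER_RE.search(line)
        if m:
            current.server = m.group(1)
            continue
        m = _AVP_RE.search(line)
        if m:
            name, value = m.group(1), m.group(2)
            if value:
                current.avps[name] = value
            else:
                pending_avp = name
        elif pending_avp:
            current.avps[pending_avp] = line.split(" (")[0]
            pending_avp = None
        if current.service_type is None and "Service-Type" in current.avps:
            current.service_type = int(current.avps["Service-Type"], 16)
    return events


def management_role(event: AcceptEvent) -> Optional[str]:
    """Role the WLC would assign to a management login from this Access-Accept, or None."""
    return ROLE_BY_SERVICE_TYPE.get(event.service_type)


def management_auth_servers(entries: List[RadiusServerEntry]) -> List[RadiusServerEntry]:
    """Entries that will receive management (GUI/CLI) login requests."""
    return [e for e in entries if e.management]


def audit(entries: List[RadiusServerEntry], debug_lines: List[str]) -> List[str]:
    """Flag Access-Accepts that log a RADIUS-authenticated user in to the WLC as an admin."""
    mgmt = {e.address for e in management_auth_servers(entries)}
    findings = []
    for ev in parse_aaa_debug(debug_lines):
        role = management_role(ev)
        if role and ev.server in mgmt:
            findings.append(f"{ev.server}: Service-Type={ev.service_type} grants {role} "
                            "WLC access and Management is enabled on this server entry")
    return findings


# Constructed sample in the format of the debug output above (not a real capture).
SAMPLE_DEBUG = [
    "Mon Aug 13 20:17:02 2011: 1d:00:00:00:00:00 Access-Accept received",
    "from RADIUS server 172.16.1.1 for mobile 1d:00:00:00:00:00 receiveId = 0",
    "Mon Aug 13 20:17:02 2011: Packet contains 2 AVPs:",
    "Mon Aug 13 20:17:02 2011: AVP[01] Service-Type...........0x00000006 (6) (4 bytes)",
    "Mon Aug 13 20:17:02 2011: AVP[02] Class.........",
    "CISCOACS:000d1b9f/ac100128/acsserver (36 bytes)",
]
# The entry as found (Management left at its default) and as corrected.
AS_FOUND = [RadiusServerEntry(index=1, address="172.16.1.1")]
CORRECTED = [RadiusServerEntry(index=1, address="172.16.1.1", management=False)]

if __name__ == "__main__":
    print("\n".join(audit(AS_FOUND, SAMPLE_DEBUG)) or "no findings")
```

Run against the entry as found, the audit reports the 172.16.1.1 Access-Accept as a read-write grant; with Management unchecked on the entry the same debug output produces no finding, because the WLC would not have sent the management login to that server at all. The other half of the fix lives on the RADIUS/ACS side: only administrators' policies should return Service-Type 6 or 7, so that an ordinary wireless user's Access-Accept can never double as a controller login.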
More Information
RADIUS Server Authentication of Management Users on Wireless LAN Controller (WLC) Configuration Example