I'm currently looking at implementing a Guest solution utilising AD accounts for authentication.
The current idea for the implementation is as follows: guests connect through to the anchor controller via the configured SSID, and the configuration on the anchor WLC calls out to an ACS server configured under RADIUS - Authentication.
This ACS device, which is a member of our AD domain, will then be able to supply the relevant user credentials when a client inputs their details within the web authentication page.
Firstly, is this even possible? From the documentation I've seen on Cisco.com it appears to be, though most documentation appears to call out creating local accounts on the ACS rather than using Windows AD accounts via the configured Windows external database. Secondly, if it is possible, I'm assuming it's very much a scenario of: if a user has an account they'll be granted access, and if a user doesn't have an account they'll be denied access. If we wanted to actually control connectivity through group membership, would we need to look at using LDAP as the authentication mechanism from the WLC?
If you want to use ACS you can... The reason you would want to use local accounts in ACS is that you don't want to create guest accounts in AD. So what you have to do is create local guest accounts in ACS, and then you can create rules in ACS either permitting or rejecting users.
Thanks again, Scott.
It's slightly strange reasoning, but we do actually want to use the accounts within AD, they'll likely be connections running into the 100s, so creating the accounts locally isn't something we're looking at doing.
You can do that too... ACS can authenticate guests; just create a guest group in AD and point to that.
The ACS will just send the auth request to the configured backend server. So long as the credentials are valid, the server sends a message to the ACS, then ACS sends the accept back to the WLC. Works just like going to the local DB on the WLC or the DB in ACS.
Most companies don't want to bloat the AD with guest credentials, so they use ACS or the local DB on the WLC, with the lobby admin creating the account. So long as you push the WLC DB to 2048 it should hold the guest users fine, then remove them after they expire.
I made the changes to the anchor controller last night, applying our ACS as a RADIUS authentication server. Now, when I attempt to authenticate, I can see the login attempt hit the ACS, but I'm getting an "Authentication failed" message on the WebAuth page. Looking at the Failed Attempts log on the ACS, I can see the error below:
|16/01/2012||17:18:45||Authen failed||**User ID**||Default Group||172.22.62.21||(Default)||Internal error||..||..||**User ID**||172.22.64.39||..||..||..||..||..||NGMWLC11||WLCs|
I can find my User ID as it's listed above within the User list on the ACS, so I'm confident it exists and I'm using the correct password. Would there be some additional config changes I'd need to make on the ACS in order to get authentication working?
Finally, and apologies for the additional questions, but if I looked to control authentication on a more granular basis, how would I configure the ACS to use a single AD group to allow authentication? E.g. if a user is a member of a particular AD group, then the ACS will grant access, and if not, access will be denied.
Thanks again for all your assistance
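The WLC-to-ACS leg Scott describes (WLC sends the RADIUS Access-Request, ACS checks the credentials against the backend and returns Accept or Reject) and the group-gated variant asked about just above, written out as a worked example. This is added illustration code, not anything from the thread, from Cisco, or from ACS: both the WLC side and the ACS side are modelled in one Python file, the shared secret, account names, passwords and the group name "Wireless-Guests" are constructed, and the dictionary that stands in for Active Directory only models "credentials valid" plus group membership (a real domain never exposes plaintext passwords). The RADIUS encoding, the RFC 2865 User-Password hiding and the Response Authenticator check are real, so the example shows what the WLC actually puts on the wire for a WebAuth (PAP) login and what it must verify before trusting an Accept.

```python
import hashlib
import hmac
import secrets
import struct

# RADIUS packet codes and attribute types from RFC 2865
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2

# Constructed values standing in for the WLC/ACS shared secret and the AD accounts.
# Real AD never exposes plaintext passwords; this dict only models "credentials valid"
# plus group membership so the accept/reject decision can be shown end to end.
SHARED_SECRET = b"wlc-acs-shared-secret"
DIRECTORY = {
    "alice": {"password": "CorrectHorseBattery1", "groups": {"Domain Users", "Wireless-Guests"}},
    "bob":   {"password": "bob-password",         "groups": {"Domain Users"}},
}
GUEST_GROUP = "Wireless-Guests"   # assumed name of the AD group that gates guest access


def _hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 s5.2 User-Password hiding: pad to 16-byte blocks, XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        digest = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], digest))
        out, prev = out + block, block
    return out


def _reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of _hide_password; the chained value is the ciphertext block, not the plaintext."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        digest = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out, prev = out + bytes(a ^ b for a, b in zip(block, digest)), block
    return out.rstrip(b"\x00")


def _encode_attrs(attrs) -> bytes:
    """Type-Length-Value encoding; the length byte includes the 2-byte header."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def _decode_attrs(data: bytes) -> dict:
    attrs, i = {}, 0
    while i < len(data):
        t, length = data[i], data[i + 1]
        if length < 2:
            raise ValueError("malformed attribute")
        attrs[t] = data[i + 2:i + length]
        i += length
    return attrs


def build_access_request(ident: int, username: str, password: str, secret: bytes) -> bytes:
    """What the WLC sends to ACS for a WebAuth (PAP) login."""
    req_auth = secrets.token_bytes(16)            # fresh random Request Authenticator
    attrs = _encode_attrs([
        (ATTR_USER_NAME, username.encode()),
        (ATTR_USER_PASSWORD, _hide_password(password.encode(), secret, req_auth)),
    ])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs


def _response_authenticator(code, ident, length, req_auth, attrs, secret) -> bytes:
    """RFC 2865 s3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(struct.pack("!BBH", code, ident, length) + req_auth + attrs + secret).digest()


def handle_access_request(packet: bytes, secret: bytes, directory: dict, required_group: str) -> bytes:
    """Stand-in for ACS: reveal the password, check it against the directory (AD stand-in),
    and only accept members of required_group. Unknown user, bad password and wrong group
    all produce the same Access-Reject, as a real server should."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    req_auth = packet[4:20]
    attrs = _decode_attrs(packet[20:length])
    username = attrs.get(ATTR_USER_NAME, b"").decode(errors="replace")
    password = _reveal_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, req_auth)
    user = directory.get(username)
    credentials_ok = user is not None and hmac.compare_digest(user["password"].encode(), password)
    resp_code = ACCESS_ACCEPT if credentials_ok and required_group in user["groups"] else ACCESS_REJECT
    resp_attrs = b""
    resp_auth = _response_authenticator(resp_code, ident, 20 + len(resp_attrs), req_auth, resp_attrs, secret)
    return struct.pack("!BBH", resp_code, ident, 20 + len(resp_attrs)) + resp_auth + resp_attrs


def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """What the WLC must do before trusting an Accept: match the ID and check the
    Response Authenticator against its own copy of the Request Authenticator."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    expected = _response_authenticator(code, ident, length, request[4:20], response[20:length], secret)
    return ident == request[1] and hmac.compare_digest(expected, response[4:20])


def web_auth(username: str, password: str, required_group: str = GUEST_GROUP) -> bool:
    """Full round trip: WLC builds the request, the ACS stand-in answers, WLC verifies and decides."""
    request = build_access_request(42, username, password, SHARED_SECRET)
    response = handle_access_request(request, SHARED_SECRET, DIRECTORY, required_group)
    if not verify_response(response, request, SHARED_SECRET):
        raise ValueError("response failed authenticator check; treat as reject")
    return response[0] == ACCESS_ACCEPT


if __name__ == "__main__":
    for name, pw in [("alice", "CorrectHorseBattery1"), ("bob", "bob-password"), ("carol", "x")]:
        print(f"{name}: {'Access-Accept' if web_auth(name, pw) else 'Access-Reject'}")
```

Two points the code makes that the thread only implies: the group check is the ACS-side policy the original poster asks about (member of the guest group gets Accept, everyone else Reject, with no distinction from a bad password on the wire), and the User-Password hiding is MD5-based obfuscation keyed only by the shared secret, which is why the WLC-to-ACS RADIUS path belongs on a trusted management network and why the WLC must verify the Response Authenticator rather than trusting any packet with the Accept code.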
Just to add some more information to this: our issue was caused by an incompatibility between our ACS version and the version of Active Directory that was running (2008).
We upgraded ACS to Release 4.2(1) Build 15 Patch 7 and the authentication worked as expected.
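A small parser for the ACS Failed Attempts row quoted earlier in the thread, added here as illustration code rather than anything shipped with ACS. The column order is assumed from the ACS 4.x Failed Attempts CSV layout and should be confirmed against the header row of your own export; the two extra rows and the "CS user unknown" code are constructed so the per-device summary has something to count. The triage table maps the "Internal error" code from the thread to the ACS/AD integration side, which matches how this case was resolved (ACS version against AD 2008), and separates it from codes that point at the user's own account.

```python
from collections import Counter

# Column order assumed from the ACS 4.x "Failed Attempts" CSV layout (an assumption of this
# example; confirm against the header row of your own export before relying on positions).
COLUMNS = [
    "Date", "Time", "Message-Type", "User-Name", "Group-Name", "Caller-ID",
    "Network-Access-Profile", "Authen-Failure-Code", "Author-Failure-Code", "Author-Data",
    "NAS-Port", "NAS-IP-Address", "Filter-Information", "PEAP/EAP-FAST-Clear-Name",
    "EAP-Type", "EAP-Type-Name", "Reason", "Access-Device", "Network-Device-Group",
]

# First row is the one quoted in the thread; the other two are constructed for the summary.
SAMPLE_ROWS = [
    "|16/01/2012||17:18:45||Authen failed||**User ID**||Default Group||172.22.62.21||(Default)||Internal error||..||..||**User ID**||172.22.64.39||..||..||..||..||..||NGMWLC11||WLCs|",
    "|16/01/2012||17:19:02||Authen failed||guest02||Default Group||172.22.62.30||(Default)||CS user unknown||..||..||guest02||172.22.64.39||..||..||..||..||..||NGMWLC11||WLCs|",
    "|16/01/2012||17:21:40||Authen failed||**User ID**||Default Group||172.22.62.21||(Default)||Internal error||..||..||**User ID**||172.22.64.39||..||..||..||..||..||NGMWLC11||WLCs|",
]

# Which side to look at for each failure code. "Internal error" is the code from the thread,
# where the cause turned out to be ACS/AD version incompatibility; the other two are common
# ACS 4.x codes (assumed here) that point at the account rather than the integration.
TRIAGE = {
    "Internal error": "ACS side: external database (AD) integration or version problem",
    "CS user unknown": "user side: account not found in ACS or the external database",
    "CS password invalid": "user side: wrong password",
}


def parse_row(line: str) -> dict:
    """Split one exported row into a dict keyed by column name."""
    fields = line.strip().strip("|").split("||")
    if len(fields) != len(COLUMNS):
        raise ValueError(f"expected {len(COLUMNS)} fields, got {len(fields)}")
    # ACS writes ".." for an empty column; map that to None so callers can test for it.
    return {col: (None if val == ".." else val) for col, val in zip(COLUMNS, fields)}


def triage(record: dict) -> str:
    """Point the operator at the side of the exchange the failure code implicates."""
    return TRIAGE.get(record["Authen-Failure-Code"], "unclassified: check the full ACS report")


def summarize(lines) -> Counter:
    """Count failures per (access device, failure code) so a burst of one code from one
    WLC, like the repeated "Internal error" here, stands out from scattered user typos."""
    return Counter((r["Access-Device"], r["Authen-Failure-Code"]) for r in map(parse_row, lines))


if __name__ == "__main__":
    for line in SAMPLE_ROWS:
        rec = parse_row(line)
        print(rec["Time"], rec["User-Name"], rec["Access-Device"], "->", triage(rec))
    for (device, code), n in summarize(SAMPLE_ROWS).most_common():
        print(f"{device}: {code} x{n}")
```

Run over a real export, the summary separates an integration-level failure (one code, every user, one NAS) from ordinary credential mistakes before anyone starts resetting passwords.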