Buy or Renew
Buy or Renew
Cisco Virtual Engineer generative AI bot now active in Wireless Discussion Forum. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
956
Views
0
Helpful
3
Replies

C9800 - LWA with multiple Identity Source

Go to solution
Bill lo
Level 1
Level 1

‎03-25-2021 10:30 PM - edited ‎07-05-2021 01:02 PM

Hi 

At  AirOS Controller , we can choose multiple Identity Source ( Radius, LDAP,Local) For Client Web-Authenticate:

 

If multiple identity stores are selected, then the controller checks each identity store in the list, in the order specified, from top to bottom, until authentication for the user succeeds. The authentication fails, if the controller reaches the end of the list and user remains un-authenticated in any of the identity stores.

From:Cisco Wireless Controller Configuration Guide, Release 8.1

 

It is possible that run this function on the C9800 , How/Why ?

 

 

Best Regards

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Scott Fella
Hall of Fame
Hall of Fame
In response to Bill lo

‎03-29-2021 07:52 AM

That is what I was saying, so you know the difference between AireOS and IOS.  So yes, you will have to take that into account.  There really isn't a good use case for what your customer is doing.  To have to manage three identity stores just doesn't really work well in keeping track what should stay and what should be removed.  So when you move forward, you need to design this differently and get in alignment with the customer on the best way to manage the clients.

-Scott
*** Please rate helpful posts ***

View solution in original post

0 Helpful
3 Replies 3

Go to solution
Scott Fella
Hall of Fame
Hall of Fame

‎03-27-2021 07:48 PM

I would never look at that as a backup.  Typically you want to be able to pass or fail on the first one you choose.  If for example you have radius 1st, and the user is not authenticated, the radius server will send a reject.  The 9800's have something similar, but you define it under the AAA method list and then apply that to the wlan layer 3 policy.

-Scott
*** Please rate helpful posts ***
0 Helpful

Go to solution
Bill lo
Level 1
Level 1
In response to Scott Fella

‎03-28-2021 02:36 AM

Hi Scott

thank you for your reply,

(as far as I know)

1/  the AAA method on IOS : Only use the 2nd server (or group) when the 1st  is unreachable.

 

2/ On the AirOS behavior , we can select multiple User-identity store , even if the 1st Fail ( user not found  or Authen Fail),can keep select next ,until authentication for the user succeeds .

 

3/ In My Case , the User place the Guest Account  on the LDAP-server and WLC locally , and also wish can Modify the Guest Account through WLC-lobby-admin Function.

 

Best Regards

 

-Bill

0 Helpful

Go to solution
Scott Fella
Hall of Fame
Hall of Fame
In response to Bill lo

‎03-29-2021 07:52 AM

That is what I was saying, so you know the difference between AireOS and IOS.  So yes, you will have to take that into account.  There really isn't a good use case for what your customer is doing.  To have to manage three identity stores just doesn't really work well in keeping track what should stay and what should be removed.  So when you move forward, you need to design this differently and get in alignment with the customer on the best way to manage the clients.

-Scott
*** Please rate helpful posts ***
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card