Configure SSID with local eap

Turki.A.Baqatada · ‎05-22-2023

I have SSID (corporate) configured to authenticate with external radius and also I configured local net users and I need to authenticate them with same ssid, so in need corporate ssid to authenticate both users from radius and local

By the way I configured local net users and I could successfully authenticate them through new ssid I configured but when I tried to authenticate them with corporate ssid I couldn't is there any limitation to use 2 methods of authentication

Flavio Miranda · ‎05-22-2023

Hello

Take a look in IPSK solution

https://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/8-5/b_Identity_PSK_Feature_Deployment_Guide.html

Leo Laohoo · ‎05-22-2023

Are there any 2800/3800/4800/1560 used in this WLAN?

Turki.A.Baqatada · ‎05-22-2023

No we are using 3700

Prince.O · ‎05-22-2023

Hello,

What model of controller are you using and what version of code is it on ?

As far as limitations , not that I'm aware of , I suppose you can test this to make this work by setting the order of authentication that is what will be key here. You will have to ensure you set the order to be local first and then radius after.

- This same method/concept is generally recommend for TACACS+ access is well when you have local creds you want to be able to fall back to if using IOS-XE

Turki.A.Baqatada · ‎05-22-2023

I am using 8510 controller and 8.0 code , i tried with no success if i use the same SSID for radius and local , but when i use it with new ssid using only local it works fine even the priority order is local then radius

Prince.O · ‎05-23-2023

Okay understood.

So 8.0 is a deferred code, I would suggest being on the recommended code of 8.5.182 to take advantage of improvements and functionality of your wireless network.

Is there a reason why you need local users + radius ? I would suggest going with the best practice route of external radius to perform the authentication of all your users when doing 802.1x authentication

Turki.A.Baqatada · ‎05-23-2023

We are using ACS as radius that importing users from AD for all users , but these local users that we need to configure in the same SSID just they need WIFI so no need to add them in the AD

by the way if i upgrade to 8.5 is this issue going to resolve ?

Thank you in advance

Prince.O · ‎05-24-2023

I can't answer for certain if this will work on 8.5 code as I have not tested it but this will be your best path forward as the code you are on is a deferred code.

If the users just need internet access, you can just have them join a guest network or the new SSID you created for them to use if this is a temporary use case

Rich R · ‎05-25-2023

Never tried that, but I don't think it will work.

I think you should be adding those users to ACS and letting radius handle them all.

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's and TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's, Best Practices for 9800 WLC's and Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs