Solved: Guest User Authentication

mark-wise · ‎01-21-2025

Has anyone used a 9800-40 as a "Radius Server" to authenticate guest users on the wireless guest SSID? We have a situation where we need to migrate off of Prime. We currently use Prime to create and manage all guest users by our help desk and local IT for all our regional locations. The Anchor controller resides in the DMZ and Security has forbidden the Help Desk and the local IT to have access to the Anchor. As the Foreign controller is permitted such access, I was thinking we could leverage it as the Radius server from the Anchor. We have done some initial configurations and testing. The Web-Auth pages present and accept the UN/PW but fail to complete the authentication. Any thoughts/suggestions would be greatly appreciated.

marce1000 · ‎01-21-2025

- You can't use 9800 controller(s) as (native) radius servers,

M.

-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

View solution in original post

Flavio Miranda · ‎01-21-2025

@mark-wise

Cisco WLC works for local EAP only. It will not work as radius for remote guest users.

View solution in original post

MHM Cisco World · ‎01-21-2025

Check if CoA port 1700 is open from both side

MHM

mark-wise · ‎01-21-2025

Currently, all ports are permitted between Anchor and Foreign controllers.

MHM Cisco World · ‎01-23-2025

https://www.netprojnetworks.com/ccie-enterprise-wireless-v1-0-4-4-guest-management-4-4-b-central-web-authentication/

I dont know why they say you can not' if I have anchor sure I can use CWA.

Check the link.

Only make sure the port is open and do config as list in link

Thanks

MHM

Rich R · ‎01-23-2025

He's not asking about using CWA, he's asking about using 9800 as radius server @MHM Cisco World .
The example you linked is using ISE for radius, not 9800.

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's and TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's, Best Practices for 9800 WLC's and Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390

MHM Cisco World · ‎01-23-2025

He mention guest but dont mention if he use CWA or LWA

MHM

marce1000 · ‎01-21-2025

- You can't use 9800 controller(s) as (native) radius servers,

M.

-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

Flavio Miranda · ‎01-21-2025

@mark-wise

Cisco WLC works for local EAP only. It will not work as radius for remote guest users.

Rich R · ‎01-22-2025

As Marce and Flavio have pointed out you can only use it for local EAP, not as a radius server. For local EAP see:
https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/215026-local-eap-authentication-on-catalyst-980.html
https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/17-12/config-guide/b_wl_17_12_cg/local-extensible-auth-protocol.html

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's and TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's, Best Practices for 9800 WLC's and Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390