Guest users issue??

rguzman.plannet
Level 1

Hello,

I am experiencing a weird behavior in the WLAN for guest users.

I can create typical guest users and it redirects me to the sign-in web page (there is no web auth server, it's done by the WLC itself) and it works normally. But I am having several domain users getting logged in with their domain usernames and passwords even though they are not registered as guest users.

How can I avoid this situation?

Thanks in advance!

5 Replies

Federico Ziliotto
Cisco Employee

Hello,

Maybe we could quickly take a look at your configuration. Could you please attach the full text output of the command "show run-config" and confirm which WLAN you are using for web auth?

For example, we could in particular look at the order defined for checking the web auth credentials: this can be found under the AAA Servers tab of the web auth WLAN.

If you'd like to check only users in the WLC's local database, only the local method should be present in the list.

Also, under the same tab, the Authentication Servers box should be unchecked.

The WLC could have a Radius server configured, which can verify the user's credentials against an external AD/LDAP database.

Regards,

Fede

--

If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

Hi,

The WLAN is "visitas"

Hello,

We would please need the output of the command "show run-config" (not "show running-config", as this contains different info).

Thank you,

Fede

--
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

Sorry, here it goes!

Hello,

What you are seeing may be due in fact to the WLAN's usage of the Radius servers from the global list, even if not directly specified under the WLAN's configuration:

Radius Servers
   Authentication................................ Global Servers
   Accounting.................................... Global Servers
  
A very quick test to confirm this would be to uncheck the option "Network User" for all the Radius servers, under

SECURITY > RADIUS > Authentication

WLC 4.2 did not yet allow selecting which method to use to authenticate web auth users (local, Radius, or LDAP).
Starting from later versions such as 6.0 we have further features that allow us to do that (see attached screenshot).

In your case, on the Radius server, you may want to filter Radius access-requests coming from users connecting through the SSID "visitas".
In ACS 4.2 for example, this can be done through NAPs:
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/NAPs.html#wp1128143

In the Radius access-request, the WLC is including the following attributes (among others):

Called-Station-Id: this should come in the form of "WLC mac:BSSID:SSID name"
Airespace-WLAN-Id: this is the index of the WLAN through which the user is connecting

So you could build a NAP in ACS that checks whether the Radius attribute Airespace-WLAN-Id has the same index as the "visitas" SSID (or the Called-Station-Id contains the string "visitas") and, if so, fail the authentication.

Hope this helps,

Fede

--
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.
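The NAP idea in the reply above (reject web-auth Access-Requests that arrive from the guest SSID so domain accounts cannot be used there) as an added Python illustration. This is example code written for this page, not ACS or WLC code: it models the server-side policy check over the two attributes named in the thread, Airespace-WLAN-Id and Called-Station-Id. The WLAN index 3 for "visitas", the corporate user store and the sample requests are constructed assumptions. It parses Called-Station-Id tolerantly (one or two leading dash-separated MAC fields, SSID after them, colons inside the SSID preserved) and matches the SSID exactly rather than by substring, so an SSID such as "visitas-corp" would not be caught by accident.

```python
"""Added example: RADIUS-side policy that refuses domain logins from the guest WLAN.

Mirrors the ACS NAP described in the thread. Values marked "assumption" or
"constructed" are not from the page.
"""
from __future__ import annotations

import hmac
import re
from dataclasses import dataclass

GUEST_SSID = "visitas"
GUEST_WLAN_ID = 3  # assumption: index of the "visitas" WLAN on the WLC

# Dash-separated MAC as the WLC sends it in Called-Station-Id (assumption).
MAC_RE = re.compile(r"^[0-9a-fA-F]{2}(?:-[0-9a-fA-F]{2}){5}$")

# Constructed sample store standing in for the corporate AD/LDAP directory.
CORP_USERS = {"jdoe": "Wint3r!2012", "asmith": "Spr1ng-2013"}


@dataclass(frozen=True)
class Decision:
    accept: bool
    reason: str


def ssid_from_called_station_id(value: str) -> str:
    """Return the SSID part of 'MAC:SSID' or 'MAC:BSSID:SSID'.

    Leading fields that look like MACs are dropped; whatever remains is the
    SSID, re-joined so an SSID containing ':' survives intact.
    """
    fields = value.split(":")
    while fields and MAC_RE.match(fields[0]):
        fields.pop(0)
    return ":".join(fields)


def is_guest_wlan(attrs: dict[str, str]) -> bool:
    """True when either attribute says the request came through the guest WLAN."""
    wlan_id = attrs.get("Airespace-WLAN-Id")
    if wlan_id is not None:
        try:
            if int(wlan_id) == GUEST_WLAN_ID:
                return True
        except ValueError:
            pass  # malformed index: fall through to the SSID check
    ssid = ssid_from_called_station_id(attrs.get("Called-Station-Id", ""))
    return ssid.lower() == GUEST_SSID.lower()


def evaluate_request(attrs: dict[str, str], username: str, password: str) -> Decision:
    """Policy: guest WLAN -> always reject (WLC local guest accounts are used
    there); any other WLAN -> verify against the corporate store."""
    if is_guest_wlan(attrs):
        return Decision(False, "guest WLAN: domain accounts not allowed here")
    stored = CORP_USERS.get(username)
    if stored is not None and hmac.compare_digest(stored.encode(), password.encode()):
        return Decision(True, "corporate credentials accepted")
    return Decision(False, "bad credentials")


# Constructed Access-Request attribute sets for a demo run.
SAMPLE_REQUESTS = [
    ({"Called-Station-Id": "00-1a-2b-3c-4d-5e:visitas", "Airespace-WLAN-Id": "3"},
     "jdoe", "Wint3r!2012"),
    ({"Called-Station-Id": "00-1a-2b-3c-4d-5e:00-1a-2b-3c-4d-6f:corp", "Airespace-WLAN-Id": "1"},
     "jdoe", "Wint3r!2012"),
    ({"Called-Station-Id": "00-1a-2b-3c-4d-5e:corp", "Airespace-WLAN-Id": "1"},
     "jdoe", "wrong-password"),
]

if __name__ == "__main__":
    for attrs, user, pw in SAMPLE_REQUESTS:
        d = evaluate_request(attrs, user, pw)
        print(f"{user:8} wlan={attrs.get('Airespace-WLAN-Id')} "
              f"ssid={ssid_from_called_station_id(attrs['Called-Station-Id'])!r} "
              f"-> {'Access-Accept' if d.accept else 'Access-Reject'} ({d.reason})")
```

Checking both attributes rather than one is deliberate: Airespace-WLAN-Id changes if WLANs are renumbered, and Called-Station-Id depends on the SSID string, so a request has to pass both tests before it is treated as coming from a non-guest WLAN.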
