04-20-2018 12:01 PM - edited 07-05-2021 08:32 AM
Hello,
I have a 5520 controller. I already set up the WLAN authentication with RADIUS on the AAA Servers, Security -> Layer 2 in 802.1X and WPA2, Security -> Layer 3 in NONE, and it works fine.
The users get authenticated against the AD via RADIUS.
My problem is that if I change the WLAN authentication to Web Policy with Local web auth, and the same RADIUS, the authentication fails, showing an invalid user or password message.
First, is it possible? If so, what is wrong?
Thanks.
Solved! Go to Solution.
04-23-2018 01:27 PM
Hello H-H,
I installed the NPS following Document ID: 115988.
For some reason I don't know, the WLC with its IP was missing on the Conditions tab in the connection request policy created for Wi-Fi purposes.
It's working now.
Thanks for your help.
04-20-2018 03:35 PM
Good day Rafael,
Some pieces of information would be great to address this issue.
From the controller, enable the following:
debug aaa all enable
debug client <mac address of test machine>
Once those are enabled, try to connect the test machine 3 times and attach the terminal output to this thread; let's see.
04-23-2018 07:57 AM - edited 04-23-2018 07:59 AM
Good day H-H,
This is the output:
(Cisco Controller) >debug client B0:DF:3A:DA:F4:A2
(Cisco Controller) >*ewmwebWebauth1: Apr 23 10:56:19.765: b0:df:3a:da:f4:a2 Username entry (rjimenez) created for mobile, length = 8
*ewmwebWebauth1: Apr 23 10:56:29.871: b0:df:3a:da:f4:a2 Username entry 'rjimenez' is deleted for mobile from the UserName table
*ewmwebWebauth1: Apr 23 10:56:29.871: b0:df:3a:da:f4:a2 Username entry rjimenez deleted for mobile
The error on the client is:
Login Error.
The User Name and Password combination you have entered is invalid. Please try again.
*ewmwebWebauth1: Apr 23 10:56:29.871: b0:df:3a:da:f4:a2 Plumbing web-auth redirect rule due to user logout
*ewmwebWebauth1: Apr 23 10:56:29.871: b0:df:3a:da:f4:a2 Web Authentication failure for station
*ewmwebWebauth1: Apr 23 10:56:29.871: b0:df:3a:da:f4:a2 172.16.64.66 WEBAUTH_REQD (8) Reached ERROR: from line 6920
04-23-2018 08:06 AM
The windows server is 2012 R2 Standard.
04-23-2018 08:18 AM
04-23-2018 09:35 AM
Rafa,
The debug is not complete; for example, I could not see the debug aaa all enable output. However, with the debug provided I can see the client being blacklisted. Let's first remove any "exclusion" configuration from the SSID; also, on the NPS, can you increase the timeout timers for testing?
Time | Task | Translated |
---|---|---|
Apr 23 11:15:13.067 | *DHCP Socket Task | Received DHCP request from client |
Apr 23 11:15:13.067 | *DHCP Socket Task | Sending DHCP Discover to DHCP Server CP through gateway 172.16.64.1 on VLAN selected relay 2 - NONE (server address 0.0.0.0,local address 0.0.0.0, gateway 172.16.95.254, VLAN 908, port 1) |
Apr 23 11:15:13.068 | *DHCP Socket Task | Received DHCP offer from server and transmitting to client |
Apr 23 11:15:13.072 | *DHCP Socket Task | Received DHCP request from client |
Apr 23 11:15:13.072 | *DHCP Socket Task | Sending DHCP Request to DHCP Server CP through gateway 172.16.64.1 requesting 172.16.64.66 on VLAN sending REQUEST to 172.16.95.254 (len 374, port 1, vlan 908) |
Apr 23 11:15:13.073 | *DHCP Socket Task | Received DHCP ACK, assigning IP Address 172.16.64.66 |
Apr 23 11:15:13.073 | *DHCP Socket Task | Received DHCP ACK from DHCP server |
Apr 23 11:16:30.598 | *ewmwebWebauth1 | Client expiration timer code set for 10 seconds. The reason: Client deleted as it was blacklisted |
Apr 23 11:16:40.626 | *apfReceiveTask | Client disassociation event has occured. Possible reasons may be due to AP Radio Reset usually due to channel change or wlan was manually disabled or Client unable to get valid DHCP IP for WLAN using DHCP required |
Apr 23 11:16:40.626 | *apfReceiveTask | Client has been deauthenticated |
Apr 23 11:16:40.626 | *apfReceiveTask | Client expiration timer code set for 60 seconds. The reason: Client entry deleted after the exclusion timer expired (client was blacklisted) |
Apr 23 11:16:40.626 | *apfReceiveTask | Client session has timed out |
04-23-2018 09:33 AM
04-23-2018 09:38 AM
Rafael,
The Access-Reject came from the NPS server side.
04-23-2018 10:07 AM
04-23-2018 10:42 AM
04-23-2018 02:23 PM
Rafael,
Great to know that everything is working now.
05-18-2018 05:46 PM
Complementing the configuration for Web RADIUS Authentication with Microsoft NPS, it's important to be aware that the protocol used in the Network Policy must be PAP instead of PEAP.
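Added example, not part of the thread or of any Cisco or Microsoft code: web auth differs from the 802.1X setup in that the WLC receives the password the user typed into the login page and forwards it to NPS as a PAP User-Password attribute (RFC 2865), which is why the Network Policy must permit PAP. The script below builds exactly that kind of Access-Request offline, shows the MD5-with-shared-secret obfuscation the attribute uses (and the decode NPS performs before checking AD), and verifies a reply's Response Authenticator so a spoofed Accept/Reject is not trusted. The shared secret, NAS address, password and hypothetical `send_request` target are constructed values for the example. If you use it to test NPS directly, send it from the host NPS knows as the RADIUS client: NPS selects the client (and the shared secret) by the datagram's source address, so a test sent from your laptop with the WLC's NAS-IP-Address inside the packet still does not exercise the WLC's connection request policy.

```python
"""Build, decode and verify a RADIUS PAP Access-Request/Response (RFC 2865).

All values here (secret, NAS IP, password) are constructed for the example.
"""
import hashlib
import hmac
import os
import socket
import struct
from typing import Dict, Optional

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP = 1, 2, 4
ATTR_SERVICE_TYPE, ATTR_NAS_PORT_TYPE = 6, 61
SERVICE_TYPE_LOGIN = 1          # what a web-auth (captive portal) login carries
NAS_PORT_TYPE_WIRELESS = 19     # Wireless-802.11


def encode_pap_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: NUL-pad to a 16-byte multiple, then XOR each block with
    MD5(secret + previous block); the first 'previous block' is the Request
    Authenticator. This is obfuscation keyed on the shared secret, not encryption."""
    if not 1 <= len(password) <= 128:
        raise ValueError("PAP password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], mask))
        out += block
        prev = block
    return bytes(out)


def decode_pap_password(cipher: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of encode_pap_password: what the RADIUS server does before it
    checks the credentials (against AD, in the NPS case)."""
    if not cipher or len(cipher) % 16:
        raise ValueError("User-Password must be a non-empty multiple of 16 bytes")
    out, prev = bytearray(), authenticator
    for i in range(0, len(cipher), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(cipher[i:i + 16], mask))
        prev = cipher[i:i + 16]
    return bytes(out).rstrip(b"\x00")


def _attr(atype: int, value: bytes) -> bytes:
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_access_request(username: str, password: str, secret: bytes, nas_ip: str,
                         identifier: int = 1, authenticator: Optional[bytes] = None) -> bytes:
    """On-wire Access-Request a web-auth NAS sends for a PAP login."""
    ra = authenticator if authenticator is not None else os.urandom(16)
    attrs = (_attr(ATTR_USER_NAME, username.encode())
             + _attr(ATTR_USER_PASSWORD, encode_pap_password(password.encode(), secret, ra))
             + _attr(ATTR_NAS_IP, socket.inet_aton(nas_ip))
             + _attr(ATTR_SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_LOGIN))
             + _attr(ATTR_NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_WIRELESS)))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + ra + attrs


def parse_attributes(packet: bytes) -> Dict[int, bytes]:
    """Split a RADIUS packet's attribute TLVs into {type: value}, checking lengths."""
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("bad RADIUS length")
    attrs, pos = {}, 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs


def build_response(code: int, identifier: int, request_authenticator: bytes,
                   secret: bytes, attrs: bytes = b"") -> bytes:
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return header + hashlib.md5(header + request_authenticator + attrs + secret).digest() + attrs


def verify_response(response: bytes, request_authenticator: bytes, secret: bytes) -> bool:
    """Client side: reject any Accept/Reject whose authenticator does not check out,
    since an unauthenticated UDP reply could come from anyone."""
    if len(response) < 20 or struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    expected = hashlib.md5(response[:4] + request_authenticator + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def send_request(packet: bytes, server: str, port: int = 1812, timeout: float = 5.0) -> bytes:
    """Network helper (hypothetical target, not run offline): returns the raw reply;
    check it with verify_response() and read reply[0] for 2=Accept, 3=Reject."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(packet, (server, port))
        reply, _ = s.recvfrom(4096)
    return reply


if __name__ == "__main__":
    ra = bytes(range(16))                               # fixed authenticator for a reproducible demo
    pkt = build_access_request("rjimenez", "Passw0rd!", b"sharedsecret", "10.0.0.5", 7, ra)
    print(pkt.hex())
    print(decode_pap_password(parse_attributes(pkt)[ATTR_USER_PASSWORD], b"sharedsecret", ra))
```

The User-Password decode with the wrong shared secret yields garbage rather than an error, which is what an NPS "invalid user or password" result looks like from the client side when the RADIUS client entry and the WLC disagree on the secret; checking the reply's authenticator on the WLC/test side fails in the same situation, so the two checks together separate a secret mismatch from a real credential or policy rejection.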