09-28-2012 05:23 AM - edited 07-03-2021 10:44 PM
Hi All
I have set up a WLAN with Web Auth using RADIUS to authenticate per user.
The login page comes up OK and the RADIUS authenticates, but then right after logging in you get "page cannot be displayed" and then you can't get anywhere on the WiFi.
It works OK if you use a preshared key, but it has to be per-user auth and I would like to stay away from PKI.
Has anyone ever come across this?
Thanks
Kev
09-28-2012 06:09 AM
Most likely you're failing on the RADIUS side or the RADIUS isn't sending the accept correctly to the WLC. If you see pass authentication on the RADIUS, look at the client on the WLC and see if the client is in the RUN state or not. Why use webauth along with RADIUS? I know it works, but if it's for guest users, I would rather put the credentials on the WLC. I wouldn't use any layer 2 authentication either, but you might have a different reason why.
Sent from Cisco Technical Support iPhone App
09-28-2012 06:17 AM
Hi Scott,
Thanks for the reply.
The idea with RADIUS is so they can manage who can access the network by adding and removing from a group in AD.
The debug did show the RADIUS accepted the authentication.
Thanks
09-28-2012 06:25 AM
Make sure that the service type is set to login, not framed, if you're using IAS or NPS.
09-28-2012 06:43 AM
Scott,
I've added service-type=login.
It is NPS; I'll get it tested and let you know.
Thanks for the help.
Cheers
Kev
09-28-2012 06:45 AM
Let me know... That should fix it.
10-01-2012 05:19 AM
Hi Scott,
I have got a bit further with this now.
Something strange is going on with the network.
If I do an nslookup I see the DNS reply hit the switch, but I don't see it go out of the port the WLC is connected to.
Cheers
Kev
10-01-2012 05:22 AM
What you need to look for is traffic coming back from the RADIUS and that on the WLC the client is in the RUN state. If you have a network issue, it would be after the client is in the RUN state.
Thanks,
Scott
Help out others by using the rating system and marking answered questions as "Answered"
10-05-2012 03:32 AM
Hi Scott,
I've decided to change this to dot11x.
I have set up a root CA on the Network Policy Server and have configured it to use this cert for PEAP as per the Cisco Guide, and done the same on the client. Identify Server Cert etc.
I am getting in the security log on the NPS:
An error occurred during the Network Policy Server use of the Extensible Authentication Protocol (EAP). Check EAP log files for EAP errors.
Thanks
Kev
10-05-2012 05:28 AM
I sorted this by changing the cert used for PEAP to the Web SSL one.
Cheers
Kev